With more than 200 different open source licenses out there, each with its own terms and conditions, some copy-left (viral), some permissive, some permissive with strings, and others with no open source license at all (for which default copyright laws apply), it’s tough to keep track of and fulfill all the legal requirements.
Failing to accurately track licenses is risky business, and can result in some unfortunate surprises. At best it could be just the headache entails in replacing a component; at worst, it could mean jeopardizing exclusive ownership over your proprietary code.
Imagine it. You’re about to release your product and a pre-release code scan reveals you’re using a component with a problematic license. Removal of the component means going back to the drawing board on that segment of code, tearing and replacing, and redeveloping. Or worse, the issue is discovered post-release. And now your legal department is facing infringement claims.
Many software development teams attempt to track licenses manually. While they may succeed to track the components and their licenses, that still leaves the dependencies, many of which have completely different licenses.
With Mend.io, it’s all automatic. Whenever a new open source component is added to the build, Mend identifies its license and any licenses attached to any of its dependencies.
Mend.io also lets you create your company’s license policy by defining a white list of automatically approved licenses; a black list of automatically rejected licenses (choose to get an alert and/or fail the build when a component or dependency with one of these is added); and a list of licenses that need to be approved on a case-by-case basis. These initiate a pre-defined email approval request, with all approvals tracked, signed and archived within the Mend.io system for later access.
Once you have completed your one-time policy setup, you get alerted to any predefined policy pitfalls as you develop, so you can make informed decisions before you incorporate components into your build.
Mend.io also automates licensing applications and copyright creation (EULA), so complying with license terms is quick and easy.
Learn more about our automated policies here.
Mend.io (formerly WhiteSource) effortlessly secures applications without burdening the developers who create them. With over a decade of experience helping more than 1,000 organizations build next-gen AppSec programs, our technology improves security outcomes while accelerating development.