Open source components are free to use
True! But each one comes with a license that requires its users to adhere to certain terms and conditions. A license can be simple and permissive – there’s even one called WTFPL (What The F*** You Want Public License) – but other licenses impose significant restrictions on how the open source component may be used.
Open source components are bug-free
False! Open source is just like any other software: it has bugs and security vulnerabilities. The nice thing about open source is that there’s a community behind it, using it, testing it, and releasing patches and new versions. A patch only helps you, though, if you know the vulnerability exists and move to the fixed version, so all you have to do is make sure you learn about these vulnerabilities in time.
Open source components are risky to use
False! As long as you take good care of them – make sure you know what you are using, keep track of security vulnerabilities and new versions, and do what the license terms require you to do – using open source is safe. Check out our research on this.
It’s not too hard to list the open source components we use, and to update the list as we go.
False! The tricky part is listing dependencies. Dependencies are open source components that are used by other open source components, so they arrive in your build without anyone on your team choosing them. Most organizations will list the components they use directly, but it is almost impossible to track by hand all the components those components rely on, several levels deep.
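To make the gap between a direct list and the real inventory concrete, here is an added example (not code from the original post or from any tool it mentions) that walks the dependency graph from the components you chose and reports everything they pull in. The package names and their declared dependencies are constructed for the illustration; in practice the same map would come from a lockfile or the package manager's metadata. The walk handles the two things that trip up ad-hoc tracking: the same library reached by several routes, and dependency cycles.

```python
from collections import deque

# Constructed sample metadata (not from the original post): each component
# maps to the components it declares as dependencies, the way a lockfile or
# a package manager's metadata would report them. All names are made up.
DECLARED_DEPS = {
    "web-framework": ["template-engine", "http-parser", "logging-lib"],
    "template-engine": ["markup-escaper"],
    "http-parser": ["url-parser", "logging-lib"],   # logging-lib reached twice
    "logging-lib": [],
    "markup-escaper": [],
    "url-parser": ["idna-codec"],
    "idna-codec": ["url-parser"],                    # deliberate cycle
    "db-client": ["connection-pool", "logging-lib"],
    "connection-pool": [],
}


def transitive_dependencies(direct, declared=DECLARED_DEPS):
    """Breadth-first walk from the directly listed components.

    Returns (paths, unresolved):
      paths      -- every reachable component -> the shortest chain of
                    components through which it is pulled in, starting at a
                    direct dependency (so you can answer "why is X here?")
      unresolved -- components referenced but absent from `declared`; a real
                    inventory must flag these as unknown, not treat them as
                    leaves with no dependencies of their own
    """
    paths = {}
    unresolved = []
    queue = deque()
    for name in direct:
        if name not in paths:
            paths[name] = [name]
            queue.append(name)
    while queue:
        name = queue.popleft()
        if name not in declared:
            unresolved.append(name)
            continue
        for child in declared[name]:
            if child in paths:   # already reached via a diamond or a cycle
                continue
            paths[child] = paths[name] + [child]
            queue.append(child)
    return paths, unresolved


def inventory(direct, declared=DECLARED_DEPS):
    """Split the reachable set into what you listed and what came along."""
    paths, unresolved = transitive_dependencies(direct, declared)
    direct_set = set(direct)
    return {
        "direct": sorted(direct_set),
        "transitive_only": sorted(n for n in paths if n not in direct_set),
        "paths": paths,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    inv = inventory(["web-framework", "db-client"])
    print(f"{len(inv['direct'])} direct, "
          f"{len(inv['transitive_only'])} transitive-only")
    for name in inv["transitive_only"]:
        print(f"  {name:<18} via {' -> '.join(inv['paths'][name])}")
    if inv["unresolved"]:
        print("unresolved:", ", ".join(inv["unresolved"]))
```

With two components listed directly, the walk finds seven more that nobody chose, and the recorded path for each one is what you need when a vulnerability advisory names a library you have never heard of: it tells you which direct dependency to update or replace to get rid of it.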
It is only possible to automatically track open source components in Java
False! Open source component management can and should be done for all programming languages – including C/C++, C#, Ruby, Python and more.