It goes without saying that open source software (OSS) dependencies are growing explosively. Along with that maturity comes an increasingly complex web of licenses, terms, and legal necessities. And while we’ve spoken at length about the crucial role of license compliance, the focus has been on leveraging policy management to ensure developers are choosing components that mitigate legal risk.
However, open source software is not free. Each license comes with a plethora of legal obligations. Even if developers are choosing components that align with your organization’s policies, that does not mean it is free from those legal obligations.
The most common legal obligations are known as ‘attributions’. These require the disclosure of an OSS component’s license text, notice text, copyright holders, contributors, and source code. In a typical application with 260 dependencies gathering that data can sap up to 58 hours of productivity.
Ignoring these obligations violates the terms of the OSS license, exposes an organization to legal risk, prevents distribution to various cloud marketplaces, and ignores international standards of compliance.
Legal Burden for Development Teams
Given this complex array of licenses, obligations, and risks, legal organizations have a tendency to respond in an hostile or crude fashion. They often require development organizations to collect their own legal data or place draconian restrictions on which OSS dependencies can be used, blocking all but the most permissive licenses.
That has a negative effect both on the developers’ quality of life but also on their creativity. And a reduction in OSS choice is a competitive disadvantage for the organization as a whole.
These processes are also opaque to development organizations. They are often asked to collect legal data whose necessity is unknown to them, and provide an inordinate amount of information, when only a fraction of it is needed. This lack of clarity can create fear and uncertainty when selecting OSS dependencies, leading to less than ideal choices, creating inefficiencies in the technology stack.
Furthermore, this human-curated data may be useless. Since manually data collection is often fraught with errors and may be overlooked if development organizations don’t understand why the data is needed.
Simply put, manual legal data collection and review is not scalable as projects grow, nor does it mitigate legal risks.
Cutting Through the Gordian Knot
At Sonatype, we’ve developed the Advanced Legal Pack add-on to Nexus Lifecycle to automate attributions, streamline OSS license compliance, and expedite feedback loops with development teams.
Building on the robust features available in Nexus Lifecycle, the Advanced Legal Pack adds the following capabilities:
- Automation of attribution reports that comply with 90+% of OSS obligations.
- Enhanced legal data pertinent to legal obligations (e.g. all copyright statements, all notice statements, and all license texts found in a component).
- Legal workflow to resolve license obligations.
- Ability to save attribution and obligation resolutions at the organization or application level.
- Ability to customize and edit attribution reporting as needed.
Resisting the tendency for legal review systems to be slow, require manual work, or depend on crowd-sourced data, the Advanced Legal Pack fully automates the data collection and cuts through the tedium of legal reviews. As a legal reviewer, you should not have to analyze components that have good legal hygiene. You want to focus your time on components that truly have novel legal requirements or issues.
With the Advanced Legal Pack, our workflows, priority management, and policies highlight only the components in need of legitimate consideration, while automatically complying with the rote obligations of the vast majority of OSS components. Now, OSS legal requirements that took days to complete now take minutes.