By Jay Lyman LinuxInsider Part of the ECT News Network
09/29/06 4:00 AM PT
Non-GPL software licenses, popular because they are easier to implement and manage, will likely continue to proliferate unless the next version of the open source license, GPLv3, "evolves to be more accommodating," said Black Duck CEO Doug Levin.
Black Duck Software got its feet wet during the SCO uproar, when the Unix firm's legal onslaught against IBM (NYSE: IBM) and others sharpened concern over intellectual property rights connected to the use of software code. New issues have arisen since then, however, coinciding with the increased adoption of open source applications and the growing number of licenses governing their use. Black Duck recently released protexIP 4.0, a new version of its development software analysis system, in response to the broadening range of compliance challenges.
"The complexity of combined software is greater than ever," Black Duck CEO Doug Levin told LinuxInsider. Users are mixing code blocks and code trees, and placing heavier reliance on open source projects that may be covered by multiple licenses. "That complexity is something we focused our solution around."
ProtexIP 4.0 offers an easier-to-use AJAX-based interface, "at a glance" code review within projects, and a checklist detailing license obligations accumulated from all software components used in a project, according to Black Duck.
Deeper Into Code
Increased enterprise adoption of open source software is driving the market for Black Duck, which currently has about 225 different customers. While companies used only two or three open source solutions to develop software a few years ago, they are using 20 to 30 pieces of open source code today, Levin pointed out.
Another trend is the desire to delve deeper into code to check origin, licenses, third-party applications and even software libraries, Levin added.
The latest version of the protexIP development engine is "a marriage of our technical roadmap and customer input," he remarked. He pointed to its improved interface and executive dashboard, which provides a software "bill of materials" including components, licenses, compliance status and violation indicators.
Standard Risk Check
Black Duck is joined by Palamida and Borland in providing code audits that have become standard practice in the industry, Interarbor Solutions Principal Analyst Dana Gardner told LinuxInsider.
"It's part of due diligence," he said. "It's really a box to check off in the software development process, to run it through an engine that audits the code, discovers its origin, and helps people using or distributing the code to determine their [noncompliance] risk"
Gardner went so far as to say companies mixing commercial and open source software that did not audit their code in such a manner were "playing with fire."
Getting Away From GPL
While the SCO Group's legal assault on Linux users and distributors served to accentuate the issues surrounding intellectual property rights and license requirements attached to software -- particularly open source software -- those are no longer the main drivers for Black Duck's market. The firm is now focusing on issues arising over use of the GNU General Public License (GPL), Levin said.
"[Customers are] buying protexIP because what they need to do is identify their GPL in the code base," he said. Several recent high-profile cases of GPL infringement, including a German court's recent ruling that D-Link had violated terms of the GPL by incorporating Linux into its commercial product, illustrate that necessity.
ProtexIP provides information for technical, legal and business users, Levin said. He added that non-GPL software licenses, popular because they are easier to implement and manage, will likely continue to proliferate unless the next version of the open source license, GPLv3, "evolves to be more accommodating."
Complex Success
The market for software solutions that sift through all the code a company may be using for development or including in its products is poised to grow, Gardner said, given the potential legal risks.
He also indicated that with so many different software licenses in use, as well as the increased mixing of platforms and applications, there will be greater demand for auditing and management solutions.
"With more licenses, it's even more important to bring in automated and standardized processes to manage all those licenses," Gardner said.