What is the worst that can happen if they do not pay attention to their OSS licenses?
They can be slapped with a sales ban, pay hefty fines, or even be forced to release their own source code for their product and lose their intellectual property.
Commercial software usually consists of code written by the software producer itself plus hundreds of free open source components (OSS). Each of these components is under some license, and all of its conditions have to be fulfilled by the software producer. Some conditions are simple - others can destroy the business model (e.g. strict copyleft and some weak copyleft licenses), and still other licenses conflict with each other - making the whole software non-compliant.
Not long ago I was asked to take on responsibility for software license risks in addition to application security risks. I asked the developers for the compliance package for the OSS. I was handed a list of 30 license names.
The first shock: the "compliance list" for our software customers should not only list the licenses but also fulfill their conditions. For example, it had to list the names of the authors of the OSS components, include a disclaimer for a component, and provide the individual OSS components in source code (!) form. The list did not even state which license applied to which component.
In the second step I generated a detailed "bill of materials" (SBOM) of the software. Instead of 30 licenses I found 1,200 OSS components! I won't reveal how many nasty licenses I found – none of them are left now.
The third surprise came when we found GPL code hidden inside an OSS component that was itself under a harmless license. This meant that the harmless component was suddenly no longer commercially viable. Knowing these pitfalls prevented the worst and secured the software delivery. But this requires expert knowledge!
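The SBOM step above is where the 30-licenses-versus-1,200-components gap becomes visible, and it is also where the compliance-list conditions (license per component, author names, copyleft and conflicting licenses) can be checked mechanically. The following script is an added example and not the author's tooling: it reads a constructed, minimal CycloneDX-style JSON SBOM (the format is an assumption; only the fields shown are used), classifies each declared license against an assumed policy table, flags strong-copyleft and unknown licenses, reports a known-incompatible pair that is present, and emits one attribution line per component as raw material for a notice file.

```python
"""Triage a CycloneDX-style SBOM against a simple license policy.

Added example (not from the original post). The SBOM below is a
constructed, minimal CycloneDX 1.x JSON document containing only the
fields this script reads; the policy and incompatibility tables are
assumptions chosen for illustration.
"""
import json
from collections import Counter

# Constructed SBOM: six components, one with a free-text license name
# and one with no license entry at all (as happens in real inventories).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "left-pad", "version": "1.3.0", "author": "Example Author",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "httpclient", "version": "4.5.13", "author": "Example Foundation",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "readline-wrapper", "version": "0.9", "author": "Example Dev",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"name": "ui-kit", "version": "2.1", "author": "Example Vendor",
         "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
        {"name": "fancy-parser", "version": "0.1",
         "licenses": [{"license": {"name": "Custom Proprietary EULA"}}]},
        {"name": "mystery-lib", "version": "3.0"},
    ],
})

# Assumed policy: SPDX identifiers mapped to a risk category.
POLICY = {
    "MIT": "PERMISSIVE", "Apache-2.0": "PERMISSIVE", "BSD-3-Clause": "PERMISSIVE",
    "LGPL-2.1-only": "WEAK_COPYLEFT", "MPL-2.0": "WEAK_COPYLEFT",
    "GPL-2.0-only": "STRONG_COPYLEFT", "GPL-3.0-only": "STRONG_COPYLEFT",
    "AGPL-3.0-only": "STRONG_COPYLEFT",
}
# Assumed pairs that cannot be combined in one distributed work.
INCOMPATIBLE = [("GPL-2.0-only", "Apache-2.0")]
UNKNOWN = "UNKNOWN"


def load_components(sbom_json):
    """Return the component list of a CycloneDX JSON document."""
    return json.loads(sbom_json).get("components", [])


def license_ids(component):
    """Declared license ids (or free-text names) of a component; UNKNOWN if none."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or UNKNOWN)
    return ids or [UNKNOWN]


def classify(license_id):
    """Map a license id to its policy category; anything unmapped is UNKNOWN."""
    return POLICY.get(license_id, UNKNOWN)


def inventory(sbom_json):
    """Component count, distinct license count and per-category totals."""
    comps = load_components(sbom_json)
    pairs = [(c["name"], lic) for c in comps for lic in license_ids(c)]
    return {
        "components": len(comps),
        "distinct_licenses": len({lic for _, lic in pairs}),
        "by_category": dict(Counter(classify(lic) for _, lic in pairs)),
    }


def findings(sbom_json):
    """Components whose license needs a decision: strong copyleft or unknown."""
    out = []
    for c in load_components(sbom_json):
        for lic in license_ids(c):
            cat = classify(lic)
            if cat in ("STRONG_COPYLEFT", UNKNOWN):
                out.append((c["name"], lic, cat))
    return out


def conflicts(sbom_json):
    """Known-incompatible license pairs that are both present in the SBOM."""
    present = {lic for c in load_components(sbom_json) for lic in license_ids(c)}
    return [p for p in INCOMPATIBLE if p[0] in present and p[1] in present]


def notice_text(sbom_json):
    """One attribution line per component, the raw material for a NOTICE file."""
    lines = []
    for c in load_components(sbom_json):
        lines.append("%s %s - %s - %s" % (
            c["name"], c.get("version", "?"), ", ".join(license_ids(c)),
            c.get("author", "author not recorded")))
    return "\n".join(lines)


if __name__ == "__main__":
    print(inventory(SBOM_JSON))
    for item in findings(SBOM_JSON):
        print("REVIEW:", *item)
    for a, b in conflicts(SBOM_JSON):
        print("CONFLICT:", a, "vs", b)
    print(notice_text(SBOM_JSON))
```

Two things this check deliberately surfaces: a component with a free-text license name or no license entry at all lands in the review list rather than silently passing, and a "harmless" license elsewhere in the SBOM does not make a present GPL/Apache-2.0 combination go away. What it cannot do is the third surprise from the post: the SBOM records the license a component declares, not the license of every file inside it, so hidden GPL code only shows up with a source-level scan of the component itself.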
If you want to know more or need help, look here: https://wobeecon.com.