It seems that every day projects have more and more dependencies on libraries (internal or external) and, of course, many of these depend on other libraries, resulting in a large dependency tree for any given project. How do you know if any of those libraries contain some code which is licensed in a way that is incompatible with your company’s policies e.g. no GPL?
BT (the former British Telecom) apparently didn’t and ended up having to publish all the code used in one of the routers it distributes due to a GPL violation.
To give you an idea of the scale of this problem, doing a quick search of my local Maven repository reveals that it has 1760 JAR files in it. Admittedly not all of these belong to one single project but maybe they are spread out over 20 different projects. It is pretty infeasible to try to manage such a task manually.
Tools like Maven are a great help for managing the dependency tree of your project but don't help much with checking the license that each dependency uses. The pom.xml file permits the use of a <license> element, but it is optional: many libraries either don't use Maven or don't specify the license, and you have to check compliance manually in any case.
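To make the manual check above less manual, here is an added example (not code from the original post) that walks a local Maven repository, reads the `<licenses>` element of every `.pom` file it finds, and grades each artifact against a constructed policy: license names matching a deny pattern (GPL/AGPL) are violations, names matching an allow pattern are approved, anything else is queued for review, and a POM with no license at all is reported as unknown so that nobody mistakes "not declared" for "not GPL". The policy patterns, the sample POMs and the `org.example` coordinates are all constructed for illustration.

```python
"""Check Maven POM files against a license policy (added example, not the post's code).

The policy patterns and sample POMs below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed policy: a name matching any DENY pattern is a violation, a name
# matching an ALLOW pattern is fine, anything else goes to a human.  Note that
# the GPL patterns are written so that LGPL does not match them.
DENY_PATTERNS = [r"\bA?GPL\b", r"\bGNU General Public License\b"]
ALLOW_PATTERNS = [r"Apache", r"\bMIT\b", r"\bBSD\b", r"Eclipse Public License"]


def _qualify(root, path):
    """Prefix each step of a slash path with the POM namespace, if the file uses one."""
    if root.tag.startswith("{"):
        ns = root.tag[1:].split("}")[0]
        return "/".join(f"{{{ns}}}{step}" for step in path.split("/"))
    return path


def _text(root, path):
    el = root.find(_qualify(root, path))
    return el.text.strip() if el is not None and el.text else None


def classify_license(name: str) -> str:
    """Return 'denied', 'approved' or 'review' for one license name."""
    if any(re.search(p, name, re.IGNORECASE) for p in DENY_PATTERNS):
        return "denied"
    if any(re.search(p, name, re.IGNORECASE) for p in ALLOW_PATTERNS):
        return "approved"
    return "review"


def check_pom(xml_text: str) -> dict:
    """Grade a single POM: its coordinate, declared license names and policy status."""
    root = ET.fromstring(xml_text)
    # groupId and version may be inherited from the parent POM.
    group = _text(root, "groupId") or _text(root, "parent/groupId")
    artifact = _text(root, "artifactId")
    version = _text(root, "version") or _text(root, "parent/version")
    names = [
        (el.text or "").strip()
        for el in root.findall(_qualify(root, "licenses/license/name"))
    ]
    if not names:
        # Nothing declared: it may be inherited from a parent or simply missing.
        # Either way it is not evidence of compliance, so report it separately.
        status = "unknown"
    else:
        grades = {classify_license(n) for n in names}
        # Several <license> entries usually mean "choose one", but a compliance
        # scan should be conservative: any denied license needs a human decision.
        if grades == {"approved"}:
            status = "approved"
        elif "denied" in grades:
            status = "denied"
        else:
            status = "review"
    return {"coordinate": f"{group}:{artifact}:{version}", "licenses": names, "status": status}


def scan_repository(repo_dir) -> list:
    """Grade every .pom file under a local Maven repository (e.g. ~/.m2/repository)."""
    results = []
    for pom in sorted(Path(repo_dir).rglob("*.pom")):
        try:
            results.append(check_pom(pom.read_text(encoding="utf-8")))
        except ET.ParseError:
            results.append({"coordinate": str(pom), "licenses": [], "status": "unknown"})
    return results


def summarize(results) -> dict:
    """Count artifacts per status; 'denied' > 0 is the signal to fail a build."""
    counts = {"approved": 0, "denied": 0, "review": 0, "unknown": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


# Constructed sample POMs covering the four outcomes.
POM_APACHE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>util</artifactId><version>2.1</version>
  <licenses><license><name>Apache License, Version 2.0</name></license></licenses>
</project>"""
POM_GPL = """<project>
  <groupId>org.example</groupId><artifactId>copyleft</artifactId><version>1.0</version>
  <licenses><license><name>GNU General Public License, version 2</name></license></licenses>
</project>"""
POM_LGPL = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>lesser</artifactId><version>3.0</version>
  <licenses><license><name>GNU Lesser General Public License</name></license></licenses>
</project>"""
POM_NONE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0</version></parent>
  <artifactId>child</artifactId>
</project>"""

if __name__ == "__main__":
    for pom in (POM_APACHE, POM_GPL, POM_LGPL, POM_NONE):
        print(check_pom(pom))
```

Run `scan_repository("~/.m2/repository")` (expanded) over a real local repository and fail the build when `summarize()` reports any denied artifact; the unknown bucket is the one that commercial tools fill in by fingerprinting the binaries themselves.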
This is where IPR monitoring tools come in. Such tools allow the definition of licensing policies at an organizational level and provide mechanisms to monitor compliance with these policies in software projects, raising alerts on detected violations.
We recently had to take a look at such tools for one of our clients. After studying the market, we discovered that there are currently no open-source solutions covering this problem domain, but several commercial tools address the problem of continuous IPR monitoring.
For reference purposes, here is a list of the providers that we discovered:
| IPR Management Tool | Site |
|---|---|
| Palamida Compliance Edition | http://www.palamida.com |
| Black Duck Protex | http://www.blackducksoftware.com/protex |
| OpenLogic Library or Enterprise Edition | http://www.openlogic.com |
All of these commercial products offer common features:
- Automated binary and source code analysis with multi-language support (Java, C/C++, C#, Visual Basic, Perl, Python, PHP). The analysis is performed against an external proprietary database that contains the code of most open-source products.
- Workflows to control the IPR of software projects through the whole lifecycle, based on defined licensing policies.
- Approval/disapproval licensing mechanisms as well as bills of materials for software releases summarizing components, licenses, approval status and license/policy
- Different levels of code fragment recognition to detect reuse of code.
- User interfaces offering policy management, reporting and dashboard features.
- Support for integration of code scans in Continuous Integration platforms via command line
We think that these products are going to become increasingly important as the total number of libraries used in projects shows no sign of decreasing and there will always be a need to protect intellectual property.