Enhanced Legal Tab in Black Duck Audit Reports

If you have reviewed any Black Duck audit reports recently, you may have noticed improvements in the legal tab and the way we report on findings. The new report format has received some very positive reviews, the theme being that it makes reported results more actionable.

The biggest change we made on the legal tab was to add a layer of hierarchy in categorizing findings. We classify licenses for components as follows: Research Needed, Potential Conflicts and OK to Use.

Research Needed

This classification covers license scenarios for which we recommend our clients gather more information before evaluating. For example, we suggest further research in the following cases:

Third Party Commercial code that requires a commercial license from a vendor; the existence of a license agreement needs to be verified.

Dual Licensed indicates code offered under a license that would conflict with the intended use, but the code is also available under a commercial license. So it’s an either/or situation: either the code owner has a commercial license agreement in place, or there is a license conflict. The dual license business model has become fairly common. The recent Artifex/Hancom case is an example of a problematic scenario where a developer utilized a free version and neither obtained a commercial license nor complied with the open source license.

Custom licenses. Typically these are one-off situations where the copyright holders include some license language of their own creation. If the language is very clearly permissive, we empower senior consultants to call it No Conflict; however, if there is any doubt, we put it under Research Needed to let our clients’ counsel make the call.

License Conflicts

When we talk about license conflicts, we use the word “potential” because it’s appropriate for a knowledgeable lawyer to review and make the final call. Different lawyers interpret licenses differently, and different companies have different risk tolerances. That said, attorneys tell us our classifications are extremely helpful in prioritizing their review.

Declared Conflict means that a component’s license and usage conflict with the declared license and intended use of the entire work. Usually our clients are looking to either distribute under a commercial license or host as SaaS. We distinguish between conflicts with licenses that have broader reach and those with narrower reach. Broader reach licenses tend to extend to the entire derivative work, so they are more difficult to remediate. Narrower scope means that the impact is confined, perhaps just to the single file in question. Component conflicts are licenses that don’t conflict with the declared license, but do conflict with each other. These have become rare, but we do include them when we find them.

We also treat unlicensed code (or “Not Licensed” as we designate it) as a Declared Conflict to prioritize it for review. This is code that is freely available on the Internet but for which no license information is made available. For example, a developer might share code in a personal blog and simply say: “Hey, look how I implemented this cool algorithm.” But their blog includes no other indication of the permissions. Most attorneys we speak with consider this problematic. Auditors primarily rely on license information in the Black Duck KnowledgeBase. However, if the KB team has been unable to find a license, auditors go the extra step of researching on their own. Only after completing that research will they declare something as Not Licensed.

OK to Use

OK to Use is pretty self-explanatory. The code owner’s proprietary code falls under that heading, as does permissively licensed open source. It’s worth bearing in mind that while it is “ok to use” permissively licensed code, most licenses still carry an attribution obligation with which code owners should comply.

The Black Duck On-Demand team is continuing to evolve our reporting capabilities, so stay tuned for future developments. If you have ideas, requests, issues, feedback, I’m very open to your thoughts. Contact me at phil.odence at blackducksoftware.com.
