An evaluation of open source component licensing compliance

The increasing modularisation of software has witnessed open source software increasingly deployed as components within software projects. Whether such projects are themselves open source or commercial, the reliance upon open source components brings with it specific licensing requirements. This research evaluates how projects comply with those component licensing requirements. Based on a quantitative analysis of 619 open source component usages across 111 proprietary and open source software projects, key relationships between licensing compliance, user awareness, project license restrictiveness, component choice and engineering coupling were identified and statistically examined. A theoretical framework for evaluating open source component licensing compliance was developed, along with three custom research instruments and an ordinal license restrictiveness categorization scale. Bytecode instrumentation of Java applications was used to quantitatively gather dependency information and coupling metrics. Strong statistical evidence demonstrated that projects tend to use components of the same license category, with restrictively licensed projects using greater numbers of open source components. Restrictively licensed projects also more frequently created derivative works, with non-restrictively licensed projects commonly employing reflective techniques to mitigate reciprocal obligations. Overall, 75% of component usages complied with the license, with less restrictively licensed projects achieving greater compliance. Strong awareness of licensing-related issues was found among users, with most having an awareness of licensing issues and correctly self-assessing their compliance with licenses. Specific trends in non-compliance were identified, with an absence of required acknowledgement and project license disclaimers representing common issues. There was a clear prominence among non-restrictively licensed components, with Apache and BSD licenses far more represented in practice than GPL and LGPL. This differs from previous research, which indicated the reverse to be true.