Automated collection and identification of 3rd party libraries’ licensing info used in Company’s product.

Some of the problems included:

  • Company’s product required tracking of licensing information for thousands of its 3rd party dependencies for compliance with intellectual property regulations
  • Company’s lawyer required a list of all 3rd party components used in Company’s product by its next release
  • The highly complex tech stack of Company’s product, consisting of hundreds (300+) of OSGi bundles and thousands of 3rd party dependencies, prevented identifying licensing information manually
  • Commercial tools cost thousands or tens of thousands of USD
  • None of the existing free Maven-based solutions for collecting 3rd party libraries’ licensing info could be utilized due to non-Maven build of Company’s product
  • None of the existing free non-Maven solutions for collecting 3rd party libraries’ licensing info worked with Eclipse P2 repositories or OSGi environment, both used in Company’s product
  • A lot of 3rd party libraries specify their license as free-form text and do not provide a machine-understandable link (e.g. http://www.apache.org/licenses/LICENSE-2.0.txt), which made it harder to identify the exact license type used
  • Less than 40% of 3rd party libraries used in Company’s product specified licensing information; the remainder did not specify any such information

Some of the solutions applied included:

  • Researching and evaluating free tools for collecting 3rd party libraries’ licensing info
  • Automating collection of licensing info for all unique 3rd party libraries used in Company’s product – including name of library, its license and author – and storing it in a CSV file for access via tools like Excel and to facilitate database import
  • For 3rd party libraries which do not specify the type of license, using regular expressions to match against the list of open source licenses available at https://opensource.org/licenses/alphabetical
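A sketch of the regex-matching and CSV steps described above, as an added example that is not the project's own code. It assumes the free-form text comes from the OSGi `Bundle-License` manifest header, that the author maps to `Bundle-Vendor`, and that results are labelled with SPDX-style identifiers; the rule table, class name and sample manifest are constructed for illustration (Java 11+).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.jar.Manifest;
import java.util.regex.Pattern;

public class LicenseClassifier {
    // Assumed rule table (not from the page): identifier -> pattern over free-form license text.
    static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        rule("Apache-2.0", "apache(\\s+software)?\\s+licen[sc]e,?\\s*(version\\s*)?2(\\.0)?\\b|apache\\.org/licenses/LICENSE-2\\.0");
        rule("EPL-1.0", "eclipse\\s+public\\s+licen[sc]e,?\\s*(-\\s*)?v?(ersion)?\\s*1(\\.0)?\\b|eclipse\\.org/legal/epl-v10");
        rule("MIT", "\\bMIT\\s+licen[sc]e\\b|opensource\\.org/licenses/MIT\\b");
    }
    static void rule(String id, String regex) {
        RULES.put(id, Pattern.compile(regex, Pattern.CASE_INSENSITIVE));
    }

    static String classify(String text) {
        if (text == null || text.isBlank()) return "NOT-SPECIFIED";
        for (Map.Entry<String, Pattern> e : RULES.entrySet())
            if (e.getValue().matcher(text).find()) return e.getKey();
        return "UNRECOGNIZED"; // free-form text no rule covers: left for manual review
    }

    // Manifest values are third-party input: quote them and neutralize a leading
    // formula character so a spreadsheet does not evaluate the cell.
    static String csv(String v) {
        String s = v == null ? "" : v;
        if (!s.isEmpty() && "=+-@".indexOf(s.charAt(0)) >= 0) s = "'" + s;
        return '"' + s.replace("\"", "\"\"") + '"';
    }

    static String row(Manifest mf) {
        var a = mf.getMainAttributes();
        String name = a.getValue("Bundle-SymbolicName");
        if (name != null) name = name.split(";", 2)[0].trim(); // drop directives such as ;singleton:=true
        return String.join(",", csv(name), csv(classify(a.getValue("Bundle-License"))), csv(a.getValue("Bundle-Vendor")));
    }

    public static void main(String[] args) throws Exception {
        String sample = "Manifest-Version: 1.0\n" // constructed sample manifest
            + "Bundle-SymbolicName: org.example.lib;singleton:=true\n"
            + "Bundle-Vendor: Example Vendor\n"
            + "Bundle-License: The Apache Software License, Version 2.0\n";
        Manifest mf = new Manifest(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        System.out.println("name,license,author");
        System.out.println(row(mf));
    }
}
```

Keeping `NOT-SPECIFIED` and `UNRECOGNIZED` as separate values lets the CSV distinguish libraries that declare nothing from those whose free-form text still needs a rule or a manual check.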

Technology stack

  • Java
  • Apache Commons IO
  • Apache Commons Compress
  • jarchivelib
  • OpenCSV
  • Google Guava

Industry

IT