Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering 2014
DOI: 10.1145/2642937.2643013

Tracing software build processes to uncover license compliance inconsistencies

Cited by 26 publications (12 citation statements)
References 11 publications
“…Other researchers have considered the challenges of licence compliance, particularly in large software products containing a mixture of proprietary and OSS components (Harutyunyan et al, 2019; Riehle and Harutyunyan, 2019; Fendt and Jaeger, 2019). Interactions between OSS licences are complex (German and Hassan, 2009; van der Burg et al, 2014), and can be a challenge that is not always resolved through manual inspection (van der Burg et al, 2014). The Linux Foundation's Open-Chain project (The Linux Foundation, 2019) has created standards such as SPDX (SPDX.…”
Section: Background and Related Work (mentioning)
confidence: 99%
“…The challenge of OSS component adoption is more complex and nuanced than simply identifying functionally suitable software (Spinellis, 2019). Businesses need to consider multiple additional factors, for example, the software licence of the component in the context of their own licensing policy (Stol and Ali Babar, 2010a; van der Burg et al, 2014; Spinellis, 2019; Petersen et al, 2018), and also the viability and stability of the OSS project community that develops the component (Stol and Ali Babar, 2010a; TODO Goup, 2018; Franch et al, 2015; López L. Costal et al, 2015.…”
Section: Introduction (mentioning)
confidence: 99%
“…German et al proposed a tool named Kenen that checks license compliance for Java components that uses component identification, provenance discovery, license identification, and licensing requirements analysis [6]. Van der Burg et al proposed an approach that can uncover license compliance inconsistencies by analyzing the Concrete Build Dependency Graph of a software system [19]. They proposed an approach to construct and analyze the Concrete Build Dependency Graph of a software system by tracing system calls that occur at build-time.…”
Section: License Compliance (mentioning)
confidence: 99%
“…Most analysis approaches are dynamic and actually execute the build to extract information. For example, van der Burg et al [43] dynamically detect which files are included in a build to check license compatibility, Metamorphosis [26] dynamically analyzes build system to migrate them, Dietrich [24] analyzes Kbuild based systems dynamically to derive presence conditions for source files, and our prior work, MkFault [21], combines runtime information with some structural analysis to localize build faults. However, dynamic approaches can only analyze one configuration at a time.…”
Section: Related Work (mentioning)
confidence: 99%