Keep Your Dependency Licenses in Check

Features
News

Even though legal fees and reputational risks for invalid or inappropriately used licenses are extremely costly, nearly all organizations involved in software or hardware development still have no license auditing process for their codebase. If your business relies on open-source components or outsource development in your services, or if you as a developer reuse code from services like GitHub when working on company projects, your organization could be at risk.

The GNU General Public License (GNU GPL or simply GPL) is a series of widely-used, free software licenses that guarantee end users the freedom to do four things with their software: run, study, share, and modify it. With the GPL gaining more popularity and being actively used in legal cases, keeping track of licenses is becoming a must for organizations of different sizes and verticals.

Inappropriate use of the GPL can potentially land businesses in legal trouble if they use code in the wrong way, deliberately or otherwise. For example, CoKinetic Systems Corporation, one of the major global players in the in-flight entertainment market, filed a suit against Panasonic Avionics Corporation in a New York federal court, seeking damages of over $100 million. CoKinetic claims that Panasonic willfully violated GPL open source licensing requirements. There are many other cases like Welte vs. Fantec or Linksys vs Free Software Foundation where a company or organization neglected license auditing and had to suffer the consequences.

Regardless of whether you do all your own software development or outsource parts of it, if a piece of unlicensed code ends up in your product, you cannot afford to miss it. So how confident are you that your projects have no licensing issues?

Working with countless licenses means that it’s nearly impossible for developers, legal departments, or security teams to track them all. Organizations can try forcing each and every developer to run a dependency analysis on their projects manually. But how do you ensure no one misses anything? This is especially relevant when teams are under time pressure to release new features and improvements.

When manual license detection is used, you can’t rule out the possibility of accidentally importing a restrictive-licensed library into a software codebase or forgetting to update an expired license. If you don’t spot and mitigate such issues in a timely manner, it can lead to major lawsuits, financial losses, reputational damage, and loss of client trust.

To automate the process of detecting incompatible third-party licenses and mitigating legal, financial and reputational risks, we announced the EAP for License audit in Qodana, the code quality platform from JetBrains. Until now, License audit has been an extra linter that had to be configured separately from the main linters. With this release, License audit becomes one of the essential Qodana linters. Now you can take advantage of License audit by getting Qodana for your programming language of choice: Qodana for Java, Qodana for Kotlin, Qodana for PHP, and Qodana for JavaScript.

Get Started With Qodana

For developers

Qodana lists dependency licenses in an analyzed repository and warns you about any problems concerning their compatibility with the project licenses. Whenever a new library is added to your project or an existing one unexpectedly changes its license, Qodana will alert you to this so you don’t miss any important license adjustments.

With the IntelliJ IDEA integration, all issues detected by Qodana can be opened right in the IDE, meaning you can fix them right away. Qodana is also bundled with PhpStorm and can be easily integrated with any other JetBrains IDE.

For legal and compliance teams

Qodana’s License audit provides a report of permitted and prohibited licenses. The report is always up-to-date so you can quickly share it with the compliance and legal departments or have employees access it directly. Qodana will also notify you about license updates. This slashes time and effort in preparing for audit checks and proving GPL compliance.

For managers

Qodana integrates with GitHub, GitLab, TeamCity, Jenkins and other CI/CD pipelines, so you can make license auditing an essential part of your release process and mitigate compliance risks before your code goes to production.

We’ve created a playground that allows you to see Qodana in action. To open the playground, use the following link https://qodana.teamcity.com, select the Login as guest option, and check License Audit Examples project.

To learn more about Qodana’s License audit, check out our documentation.

If you have any questions or suggestions regarding Qodana, post a comment here, tag us on Twitter or contact us at qodana-support@jetbrains.com.

Your Qodana team