This section will introduce you to the Licenses tab in Kiuwan Insights. 

Licenses Inventory

Kiuwan Insights informs you about the license type of every 3rd party component used in your application.

Are you aware of the legal licensing implications of using those 3rd party components?

  1. When using 3rd party components, is my software infringing anyone's rights?
  2. How does the use of 3rd party components affect the licensing of my own software?

Kiuwan Insights helps you answer these questions based on the information it gathers about the licenses that apply to the components used in your software.

Software Licenses

Kiuwan Insights inspects your source code’s external components to discover their license.

Software licensing is primarily based on the legal concept of copyright.

  • Copyright: A legal right created by the law of a country that grants the creator of an original work (the "copyright holder") exclusive rights over its use and distribution, for a limited time. In many jurisdictions (the EU among them) all software is copyright protected, in both source and object code form. The copyright holder is typically the work's creator, the creator's employer, or a publisher or other business to whom the copyright has been assigned.

Consequently, copyright infringement is the use of works protected by copyright without permission, violating exclusive rights granted to the copyright holder such as the right to reproduce, distribute, display or perform the protected work, or to make derivative works.

A Software License is a legal instrument (usually by way of contract law) governing the use or redistribution of software. A software license grants the licensee (typically an end-user) permission to use one or more copies of software. Without a software license, the use of the software would constitute copyright infringement of the software owner's exclusive rights under copyright law.

As described later in this document, two common categories of licenses are proprietary software and free and open source software (FOSS).

Proprietary licenses are specific to each copyright holder, whereas FOSS licenses are widely reused, and several standards exist for communicating the components, licenses and copyrights associated with software packages.

Kiuwan Insights adheres to SPDX (Software Package Data Exchange®, https://spdx.org) to report each component's license name and related information.

License Categories

Kiuwan Insights categorizes each license according to the rights it retains or grants under copyright, so you can see at a glance what kind of license it is.

Most software can be categorized according to its license type.

Two common categories are proprietary software and free and open source software (FOSS).

The key conceptual difference between them is whether the user is granted the right to modify and reuse the software:

  • Free and open-source software (FOSS) grants any user the right to use, copy, study and change the software in any way, and the source code is openly shared.
  • Proprietary software is software for which the publisher retains the intellectual property rights (usually the copyright of the source code); the source code is usually hidden from users and the above rights are typically not granted. For proprietary software, an end-user license agreement (EULA) is the contract between the licensor and the purchaser that establishes the purchaser's rights over the software. The license may define the ways in which a copy can be installed, used, executed, archived, resold, backed up, etc.

Software licenses in the context of copyright, according to Mark Webbink (see article):

  • Public Domain: free of all restrictions
  • Non-Protective (or Permissive): retain copyright but grant all rights to the licensee
  • Protective (or Copyleft): non-protective plus restrictions (typically a requirement to publish source code)
  • Proprietary: retain copyright and grant few rights (specific terms of use in an end-user license agreement, EULA)
  • Trade Secret: all rights retained

License Types

Kiuwan Insights inspects your software source code to fetch the license type for all 3rd party components.

The Kiuwan License Engine analyzes the application's code, identifies the components and extracts license information from several sources (license text files, repository metadata, etc.).

After gathering the relevant information, Kiuwan categorizes each component's license under one of the following types (ordered from most to least permissive):

  • PublicDomain
  • Permissive
  • WeakCopyleft
  • Copyleft
  • Copyrighted
  • Proprietary
  • Unknown

To identify licenses quickly and consistently, Kiuwan matches the gathered information against the SPDX License List (https://spdx.org/licenses/) and provides links to the explanatory description as well as the license text.

When a license is found but cannot be matched against the SPDX License List, Kiuwan assigns it the Unknown type. These cases require manual review.



Examples

PublicDomain

PublicDomain licenses are related to software that has been placed in the public domain.

Software in the public domain can be modified, distributed or sold by anyone, even without attribution; this is unlike the common case of software under exclusive copyright, where a license grants only limited usage rights.

There is no copyright, trademark or patent on the work at all. You can do anything with public domain software, provided the software has been explicitly released into the public domain.

  • BSD Zero Clause ("0BSD") 
  • Creative Commons Zero v1.0 Universal 
  • Sax Public Domain Notice

Permissive

A permissive software license is a free software license with minimal requirements about how the software can be redistributed: basically, you can do just about anything as long as you provide attribution (acknowledgment) and don't sue the author.

  • MIT
  • X11
  • BSD (2-, 3- and 4-clause)
  • Apache

Copyleft

Copyleft (a play on the word copyright) is the practice of offering people the right to freely distribute copies and modified versions of a work with the stipulation that the same rights be preserved in derivative works down the line.

Under copyleft, an author may give every person who receives a copy of the work permission to reproduce, adapt or distribute it, with the accompanying requirement that any resulting copies or adaptations are also bound by the same licensing agreement.

This is done to prevent the software from becoming proprietary.

  • GNU General Public License (GPL v2+, v3+) (FOSS)
  • Share-Alike (Creative Commons)

WeakCopyleft

A WeakCopyleft software license is weakly protective, a trade-off between Permissive and Copyleft. This type of license prevents the component (often a software library) from becoming proprietary, yet permits it to be used as part of a larger proprietary program.

  • GNU Lesser General Public License (LGPL)
  • Mozilla Public License 1.1
  • Common Development and Distribution License 1.1

Copyrighted

IMPORTANT: Under the Berne Convention (dating from 1886 and signed by most countries), all works are copyright protected by default; a work must be actively placed in the public domain by a waiver statement, or an explicit license must be provided.

When there is no explicit license, a full, intact copyright is retained. When Kiuwan does not find any licensing information for a public component, the Copyrighted type is assigned to that component.

Contrary to popular belief, distributed unlicensed software (not in the public domain) is fully copyright protected and therefore cannot legally be used (as no usage rights at all are granted by a license) until it passes into the public domain after the copyright term expires.

  • Software projects published on public repositories such as GitHub without a specified license

Proprietary

Proprietary is any commercial license from a software vendor granted to an end user through a signed end-user license agreement (EULA).

What exactly are the differences between the Copyleft and WeakCopyleft license types?

Both license types are closely related. In both cases, you have obligations to distribute source code under certain conditions. Where they differ is in the scope of code to be distributed.

If the software that uses the component stays private and you do not distribute code or binaries to a 3rd party, you have no obligation to make the source code available. The obligation takes effect when you give your software (including the component) to a 3rd party. Note that some licenses, notably the GNU Affero GPL, also treat making the software available to users over a network as a trigger, so check the specific terms.

The basic difference between Copyleft and WeakCopyleft is the scope of impact when it comes to the case of derivative works. 

  • Copyleft affects derivative works, i.e. works that are not independent or separate from the original code.
  • WeakCopyleft excludes from the license obligations the category of dependent works that use, but are not based on, the original work.

An example makes the difference clearer:

  • You use a copylefted component (CLeft-Comp) in your software (Sw), compile them together and create the final software (CLeft-Sw).
    • If you distribute CLeft-Sw to a 3rd party, you must make the complete source code available (any modifications you made to CLeft-Comp plus the code of Sw).
  • Instead, you download the same component under a weak copyleft license (WCLeft-Comp) and use it to create WCLeft-Sw.
    • If you distribute the WCLeft-Sw binary to a 3rd party, you must make the WCLeft-Comp source code available, but you do not have to make the WCLeft-Sw source code available (unless WCLeft-Sw is based on WCLeft-Comp, in which case you do).

This is a broad generalization; you should read the specific terms of the licenses involved, but as a piece of general advice: pay close attention to components with a Copyleft license.

Overall Information on Licenses

Based on the concepts explained above, Insights > Licenses displays the overall licensing information of the components used in your application.

The Overall section displays:

  • Number of licenses by type (according to the types described above)
  • Top 5 used licenses (according to their SPDX identifiers)
  • Alerts for licenses with a High License Risk value (such as Copyleft licenses)

List of Licenses

Kiuwan Insights provides a full list of all those licenses being used by components of your application.

For every License, you will have access to detailed information such as:

  • License:
    • Descriptive (and unique) license name, as registered at SPDX.
    • Example: “Eclipse Public License 1.0”
  • Components
    • Number of components using this specific license
  • SPDX code:
    • SPDX short license identifier (unique and immutable)
    • Example: “EPL-1.0”
  • URL:
    • Link to the license description and text on the SPDX License List
  • License Type:
    • Type of the license according to its level of copyright (see the chapter on license types)
    • Example: "Copyleft"

License Risk

Kiuwan indicates visually by color the licenses (and involved components) that might have some legal implications.

  • Red is associated with High risk (Copyleft, Copyrighted and Proprietary)
  • Green is associated with No risk (PublicDomain, Permissive and WeakCopyleft). WeakCopyleft is shown as no risk, but remember that the obligations described above still apply to the component's own source code when you distribute it.
  • Gray (Unknown) is used for licenses without a License Type; these need manual review.

For every license, Kiuwan Insights displays permissions, limitations, conditions, and number of components in your app that are using that license as well as the specific component name and description.
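The type ordering described under License Types (most to least permissive, with Unknown for anything that cannot be matched and Copyrighted for components with no license information) and the colour mapping above are exactly what a practitioner needs to turn an Insights inventory into a build gate. The following Python is an added example, not Kiuwan's code or API: it resolves each component's SPDX identifier to a type and colour and lists the red ones. It goes beyond the page in one respect, which is that it also evaluates SPDX license expressions (MIT OR GPL-2.0-only, Apache-2.0 AND LGPL-2.1-or-later, parentheses, the WITH exception clause and the deprecated trailing "+"), since dual-licensed packages are common in real inventories. The SPDX_TYPES table is an illustrative mapping built from the examples on this page (Kiuwan's real table is larger and not reproduced), the treatment of WITH exceptions as not changing the base license's type is an assumption, and INVENTORY is constructed sample data.

```python
"""Added example (not Kiuwan's code): resolve a component's SPDX license
expression to a Kiuwan-style license type and risk colour, as a CI gate
over an Insights inventory might do."""
import re

# Kiuwan's license types, ordered from most to least permissive (from the page).
TYPE_ORDER = ["PublicDomain", "Permissive", "WeakCopyleft", "Copyleft",
              "Copyrighted", "Proprietary", "Unknown"]

# Risk colours as the Licenses tab shows them (from the page).
RISK = {"PublicDomain": "green", "Permissive": "green", "WeakCopyleft": "green",
        "Copyleft": "red", "Copyrighted": "red", "Proprietary": "red",
        "Unknown": "gray"}

# ASSUMPTION: illustrative SPDX-id -> type table built from the page's examples;
# Kiuwan's real table is larger and is not reproduced here.
SPDX_TYPES = {
    "0BSD": "PublicDomain", "CC0-1.0": "PublicDomain", "SAX-PD": "PublicDomain",
    "MIT": "Permissive", "X11": "Permissive", "Apache-2.0": "Permissive",
    "BSD-2-Clause": "Permissive", "BSD-3-Clause": "Permissive",
    "LGPL-2.1-only": "WeakCopyleft", "LGPL-2.1-or-later": "WeakCopyleft",
    "MPL-1.1": "WeakCopyleft", "CDDL-1.1": "WeakCopyleft",
    "GPL-2.0-only": "Copyleft", "GPL-2.0-or-later": "Copyleft",
    "GPL-3.0-only": "Copyleft", "GPL-3.0-or-later": "Copyleft",
    "CC-BY-SA-4.0": "Copyleft", "EPL-1.0": "Copyleft",   # EPL-1.0 is the page's own example
}

_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def _rank(ltype):
    return TYPE_ORDER.index(ltype)


class _Parser:
    """Recursive-descent parser for SPDX expressions: OR binds loosest, then AND,
    then 'id WITH exception' or a parenthesised sub-expression."""

    def __init__(self, expression):
        self.toks = _TOKEN.findall(expression)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self):
        ltype = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens")
        return ltype

    def _or(self):
        # The licensee may choose either side, so the most permissive option wins.
        left = self._and()
        while self._peek() == "OR":
            self._take()
            left = min(left, self._and(), key=_rank)
        return left

    def _and(self):
        # Both licenses apply at once, so the most restrictive one governs.
        left = self._primary()
        while self._peek() == "AND":
            self._take()
            left = max(left, self._primary(), key=_rank)
        return left

    def _primary(self):
        tok = self._take()
        if tok == "(":
            inner = self._or()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok is None or tok in ("AND", "OR", "WITH", ")"):
            raise ValueError("malformed expression")
        if tok.endswith("+"):            # deprecated SPDX '+' operator, e.g. GPL-2.0+
            tok = tok[:-1] + "-or-later"
        if self._peek() == "WITH":       # ASSUMPTION: an exception does not change the
            self._take()                 # base license's type; the exception id is skipped
            if self._take() is None:
                raise ValueError("WITH without an exception")
        return SPDX_TYPES.get(tok, "Unknown")   # unmatched id -> Unknown (manual review)


def classify(expression):
    """Return (license type, risk colour). None or empty means the engine found no
    license information at all, which the page maps to Copyrighted."""
    if not expression or not expression.strip():
        return "Copyrighted", RISK["Copyrighted"]
    try:
        ltype = _Parser(expression).parse()
    except ValueError:                   # unparseable expression -> manual review
        ltype = "Unknown"
    return ltype, RISK[ltype]


def high_risk_components(inventory):
    """Names of components whose resolved license would be shown in red."""
    return sorted(name for name, expr in inventory.items() if classify(expr)[1] == "red")


# Constructed sample inventory (component name -> SPDX expression as detected).
INVENTORY = {
    "left-pad": "MIT",
    "jdbc-driver": "MIT OR GPL-2.0-only",                # dual-licensed: MIT is available
    "fancy-widget": "Apache-2.0 AND LGPL-2.1-or-later",  # both apply: WeakCopyleft governs
    "old-lib": "GPL-2.0+",                               # deprecated '+' syntax
    "eclipse-thing": "EPL-1.0",
    "mystery": "Company-Internal-License-1",             # not an SPDX identifier
    "no-license-gist": None,                             # no license information at all
}
```

Running high_risk_components(INVENTORY) yields eclipse-thing, no-license-gist and old-lib: the dual-licensed driver resolves to Permissive because the licensee may pick the MIT option, while the AND combination resolves to WeakCopyleft because the more restrictive license governs. Anything the table does not know, or any expression that does not parse, lands in Unknown (gray) rather than silently passing, which mirrors the manual-review requirement described above.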
