Article

Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

Authors:

Reuse and Software Quality: 20th International Conference on Software and Systems Reuse, ICSR 2022, Montpellier, France, June 15–17, 2022, Proceedings

Pages 85 - 100

https://doi.org/10.1007/978-3-031-08129-3_6

Published: 15 June 2022 Publication History

Abstract

It can be challenging to manage an open source package from a licensing perspective. License violations can be introduced by both direct and indirect package dependencies, which evolve independently. In this paper, we propose a license compatibility matrix as the foundation for a tool that can help maintainers assess the compliance of their package with the licenses of its dependencies. Using this tool, we empirically study the evolution, popularity, and compliance with dependency licenses in the npm and RubyGems software package ecosystems. The size of the corresponding dependency networks renders verifying license compliance for indirect dependencies computationally expensive. We found that 7.3% of npm packages and 13.9% of RubyGems have direct or indirect dependencies with incompatible licenses. We also found that GPL dependencies are the major cause for incompatibilities. Our results provide a good understanding of the state of license incompatibilities in software package ecosystems, and suggest that individual ecosystems can differ significantly in this regard.

References

[1]

Kapitsaki GM, Kramer F, and Tselikas ND Automating the license compatibility process in open source software with SPDX J. Syst. Softw. 2017 131 386-401

Crossref

Google Scholar

[2]

Gangadharan GR, D’Andrea V, De Paoli S, and Weiss M Managing license compliance in free and open source software development Inf. Syst. Front. 2012 14 2 143-154

Crossref

Google Scholar

[3]

Wheeler, D.A.: The free-libre/open source software (floss) license slide, September 2007

Google Scholar

[4]

Kapitsaki GM, Tselikas ND, and Foukarakis IE An insight into license tools for open source software systems J. Syst. Softw. 2015 102 72-87

Crossref

Google Scholar

[5]

Kechagia, M., Spinellis, D., Androutsellis-Theotokis, S.: Open source licensing across package dependencies. In: 2010 14th Panhellenic Conference on Informatics, pp. 27–32. IEEE (2010)

Google Scholar

[6]

Qiu S, German DM, and Inoue K Empirical study on dependency-related license violation in the javascript package ecosystem J. Inf. Process. 2021 29 296-304

Google Scholar

[7]

Decan A and Mens T What do package dependencies tell us about semantic versioning? IEEE Trans. Softw. Eng. 2019 47 6 1226-1240

Crossref

Google Scholar

[8]

Michaeli, S.: Top 10 open source software licenses of 2016 and key trends. https://resources.whitesourcesoftware.com/blog-whitesource/top-10-open-source-software-licenses-of-2016-and-key-trends. January 2017

Google Scholar

[9]

Balter, B.: Open source license usage on github.com. https://github.blog/2015-03-09-open-source-license-usage-on-github-com/. March 2015

Google Scholar

[10]

Openbsd Copyright Policy. https://www.openbsd.org/policy.html

Google Scholar

[11]

Reid, B.: Kea to be released under mozilla public license 2.0, December 2015

Google Scholar

[12]

Vendome, C., Linares-Vásquez, M., Bavota, G., Di Penta, M., German, D., Poshyvanyk, D.: License usage and changes: a large-scale study of java projects on github. In: 2015 IEEE 23rd International Conference on Program Comprehension, pp. 218–228. IEEE (2015)

Google Scholar

Cited By

View all

Wu JBao LYang XXia XHu XSpinellis DConstantinou EBacchelli A(2024)A Large-Scale Empirical Study of Open Source License Usage: Practices and ChallengesProceedings of the 21st International Conference on Mining Software Repositories10.1145/3643991.3644900(595-606)Online publication date: 15-Apr-2024
https://dl.acm.org/doi/10.1145/3643991.3644900
Wintersgill NStalnaker THeymann LChaparro OPoshyvanyk D(2024)“The Law Doesn’t Work Like a Computer”: Exploring Software Licensing Issues Faced by Legal PractitionersProceedings of the ACM on Software Engineering10.1145/36437661:FSE(882-905)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643766
Antelmi ATorquati MCorridori GGregori DPolzella FSpinatelli GAldinucci M(2024)Analyzing FOSS license usage in publicly available software at scale via the SWH-analytics frameworkThe Journal of Supercomputing10.1007/s11227-024-06069-x80:11(15799-15833)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1007/s11227-024-06069-x

Index Terms

Prevalence and Evolution of License Violations in npm and RubyGems Dependency Networks

Index terms have been assigned to the content through auto-classification.

Recommendations

On the impact of security vulnerabilities in the npm and RubyGems dependency networks
Abstract
The increasing interest in open source software has led to the emergence of large language-specific package distributions of reusable software libraries, such as npm and RubyGems. These software packages can be subject to vulnerabilities that may ...
Automating the license compatibility process in open source software with SPDX

We automate the process of license compatibility compliance.We consider the emerging Software Package Data Exchange (SPDX) specification.License detection is an important step in the license compatibility process.We use a testing set with open source ...
Helping or not helping? Why and how trivial packages impact the npm ecosystem
Abstract
Developers often share their code snippets by packaging them and making them available to others through software packages. How much a package does and how big it is can be seen as positive or negative. Recent studies showed that many packages ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

Reuse and Software Quality: 20th International Conference on Software and Systems Reuse, ICSR 2022, Montpellier, France, June 15–17, 2022, Proceedings

Jun 2022

151 pages

ISBN:978-3-031-08128-6

DOI:10.1007/978-3-031-08129-3

Editors:
Gilles Perrouin
University of Namur, Namur, Belgium
,
Naouel Moha
École de Technologie Supérieure, Montreal, QC, Canada
,
Abdelhak-Djamel Seriai
University of Montpellier, Montpellier, France

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 15 June 2022

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Wu JBao LYang XXia XHu XSpinellis DConstantinou EBacchelli A(2024)A Large-Scale Empirical Study of Open Source License Usage: Practices and ChallengesProceedings of the 21st International Conference on Mining Software Repositories10.1145/3643991.3644900(595-606)Online publication date: 15-Apr-2024
https://dl.acm.org/doi/10.1145/3643991.3644900
Wintersgill NStalnaker THeymann LChaparro OPoshyvanyk D(2024)“The Law Doesn’t Work Like a Computer”: Exploring Software Licensing Issues Faced by Legal PractitionersProceedings of the ACM on Software Engineering10.1145/36437661:FSE(882-905)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643766
Antelmi ATorquati MCorridori GGregori DPolzella FSpinatelli GAldinucci M(2024)Analyzing FOSS license usage in publicly available software at scale via the SWH-analytics frameworkThe Journal of Supercomputing10.1007/s11227-024-06069-x80:11(15799-15833)Online publication date: 1-Jul-2024
https://dl.acm.org/doi/10.1007/s11227-024-06069-x
Xu WHe HGao KZhou MBissyandé TKlein JBird CSarro F(2023)Understanding and Remediating Open-Source License Incompatibilities in the PyPI EcosystemProceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering10.1109/ASE56229.2023.00175(178-190)Online publication date: 11-Nov-2023
https://dl.acm.org/doi/10.1109/ASE56229.2023.00175

View Options

View options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

On the impact of security vulnerabilities in the npm and RubyGems dependency networks

Automating the license compatibility process in open source software with SPDX

Helping or not helping? Why and how trivial packages impact the npm ecosystem