Open source license violation check for SPDX files

Abstract

The Open Source Software development model has gained a lot of momentum in the latest years providing organizations and software engineers with a variety of software, components and libraries that can be exploited in the construction of larger application systems. Open Source Software is accompanied by licenses that state the conditions under which the intellectual property can be used. Since not all licenses are governed by the same conditions of use, the correct combination of licenses is vital, when different libraries are exploited in newly developed application systems. If this is not adequately handled, license violations might be a consequence of incompatibilities. In this paper we present our work on license violation checking in the framework of Software Package Data Exchange (SPDX). Starting from the modelling of license compatibilities our approach examines potential violations in software package information formatted using the SPDX specification. At the same time alternative solutions in the form of applicable licenses for the software package are proposed. This approach can be a valuable asset for Open Source practitioners in the license decision process assisting in detecting possible violations and in making suggestions on license use.