Gartner estimates that 99% of companies will be using open-source software components in their software packages by 2015, and it is because of this that Mark Driver, research vice president for Gartner, believes enterprise organizations need to understand what risks exist and how to mitigate them.

Open-source software is not free, is governed by a variety of different licenses, and comes in packages that can contain several different components, which can all have different licenses. Enterprise companies are sometimes unable to parse through the information associated with open-source software packages because of how many layers are included in each package, according to Driver.

The Linux Foundation, along with several other organizations and software companies, is working on a machine-readable license packaging standard called SPDX, which will help determine what licenses and software components are associated with each package. Originally reported in May, this standard is being supported by a variety of code-scanning companies, like Black Duck and Protecode, which provide programs that allow vendors to scan their software during the production phase to ensure that whatever is deployed to end users is licensed appropriately.

Sonatype joined these companies today with the release of Sonatype Insight, a software suite that includes Management Insight, Application Insight and Development Insight.
These tools provide an analysis of what types of open-source software enterprises are using in their software packages, and they also show where the software came from and what licensing should be used. These solutions also provide a view into what, if any, software already installed on enterprise servers can potentially clash with the new open-source software, thereby limiting the risk of a system failure or other potential business loss.

Larry Roshfeld, executive vice president at Sonatype, said developers often bring open-source software into the company’s products and in-house tools without telling C-level executives. Insight can provide a licensing overview to those C-level executives.

“Sonatype’s tool monitors the white list through the process before the build,” Roshfeld said, referring to a list of open-source packages or components that are approved. It then provides a way to monitor the packages as development teams continue through the development cycle.

The interactive portal can be customized for different levels of the development organization and different members of the development team.