We are excited to announce the immediate availability of WhiteSource’s new attribution report. Our attribution report gives you insight into the compliance requirements of your open source components, including detailed data on your licenses, copyrights, and notices.
WhiteSource’s new attribution report features numerous enhancements to the overall user experience. Users can easily generate detailed reports containing comprehensive open source compliance information tailored to their needs.
Why You Need an Attribution Report
Even though open source software (OSS) is freely available, it still operates under a software license. While there are a number of different open-source licenses, they come in two main flavors:
- Copyleft -- a more restrictive license that gives you permission to use and modify open source code as long as you make any derivative work freely and openly available.
- Permissive -- a less restrictive license that places only minimal limitations on how the software can be used, modified, and redistributed in derivative code.
When using open source code, you need to make sure you comply with open source license requirements. Not complying carries a significant legal risk. It puts your company in violation of copyright laws, which in the US carries a fine up to $150,000 per violation.
Most open source licenses legally require you to give credit -- or attribution -- to the authors of the original code in any derivative work. Organizations distributing a product that uses open source components need to be able to produce an attribution report that lists the required information about all of the licenses, copyrights, and notices pertaining to the open source components.
Compliance Challenges and the Need for Automation
Ensuring you’re compliant with your open source licenses is more challenging than it might initially seem. It requires you to understand how every open source component in your inventory is licensed and what you need to do to meet the terms of each license. This is a huge undertaking when you consider how many open source libraries and their dependencies are in your code base.
As mentioned earlier, licenses have attribution requirements which involve a lot of data, including copyrights, notices, and original license text. Not only is this impossible to manage manually from a volume perspective, but the developer making the decision of whether to include an open source library in the software doesn’t necessarily have the legal knowledge to ensure compliance. Automating this function is the perfect solution.
Using an automated software composition analysis (SCA) tool like WhiteSource takes the guesswork out of open-source compliance. Organizations are able to easily detect and track their open source components, and associate the correct license for both direct and transitive dependencies to produce a comprehensive and up-to-date attribution report.
The WhiteSource Attribution Report
WhiteSource’s attribution report gives you an easy and intuitive way to publish and distribute compliance data on each of your open-source components.
WhiteSource gathers compliance information including licenses, copyrights, and notices from files found within open-source libraries, the package manager distributing each library, and linked GitHub repositories or other reliable sources external to the package manager. WhiteSource’s attribution report captures both source files and binary components.
The attribution report has been streamlined from a user experience perspective. You now have the ability to pick and choose which data to include in the report by using a combination of filters and column selectors. You can also define your preferences on how to consume your data, with a mix of both basic and advanced options, such as how the data should be grouped (e.g., by library/project) and what file format the report should be exported to (e.g., .txt/.html/.json) to name just a few.
Some of the other new features that were added to the attribution report include the following:
- Selection of which fields to include/exclude from the report.
- Filtering of both the preview table and exported report.
- Inclusion of custom attributes
- Automatic removal of fields containing empty values
As with earlier versions of the attribution report, full original license text is still displayed in the report.
Say Goodbye to Manual Tracking
The increased use of open source code in enterprise applications creates a unique set of demands on organizations. The additional responsibility of managing open source license compliance is too cumbersome for developers and legal teams to track manually.
WhiteSource’s enhanced attribution report gives you even more power and flexibility to produce a comprehensive report detailing your open source compliance information. Enhanced visibility and automation enable you to easily create an attribution report tailored to your needs that you can distribute to your stakeholders, customers, and users.