Empirical Study on Dependency-related License Violation in the JavaScript Package Ecosystem

Open source software (OSS) is software whose source code can be reused under particular terms and conditions. These terms and conditions are usually described by one or more software licenses written in the header part of the source files. One license may violate another according to their terms and conditions. Building software by reusing OSS as a dependency may cause a dependency-related license violation if the developers overlook the license of the dependency. In this paper, we first conduct an empirical study on npm, a JavaScript-based software ecosystem, to study the prevalence of dependency-related license violations. The result suggests that only a few packages (0.644%) in npm have dependency-related license violations. However, we also observe that including packages licensed under copyleft licenses in the dependency network potentially causes a high rate of dependency-related license violation. We then conduct a preliminary questionnaire with the authors of packages detected as having dependency-related license violations to study the developers' attitudes. The results reveal: 1) the developers' overlooking and misunderstanding of dependency-related license violations; 2) the difficulties in managing dependency-related license violations and the developers' demands for help.
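To make the notion of a dependency-related license violation concrete, the following is an added example (not code or data from the paper) that walks a constructed npm-style dependency graph and flags transitive dependencies whose license is incompatible with the root package. The registry contents, the license sets, and the compatibility rule (permissive dependencies are always fine; a strong-copyleft dependency is only compatible when the dependent carries the same copyleft license; anything else is flagged for review) are simplifying assumptions for illustration, not the paper's classification.

```javascript
// Added example: transitive license-violation check over a constructed npm-style
// dependency graph. License sets and compatibility rule are assumptions.

const COPYLEFT = new Set(["GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"]);
const PERMISSIVE = new Set(["MIT", "ISC", "BSD-3-Clause", "Apache-2.0"]);

// Constructed registry snapshot: package name -> license and direct dependencies.
const registry = {
  "my-app":     { license: "MIT",          dependencies: ["ui-kit", "logger"] },
  "ui-kit":     { license: "MIT",          dependencies: ["chart-core"] },
  "chart-core": { license: "GPL-3.0-only", dependencies: [] },
  "logger":     { license: "ISC",          dependencies: [] },
  "gpl-tool":   { license: "GPL-3.0-only", dependencies: ["chart-core"] },
};

// Simplified compatibility rule (assumption): permissive dependencies never
// conflict; a copyleft dependency requires the dependent to use the same
// license; unknown licenses are treated as needing manual review.
function isCompatible(dependentLicense, dependencyLicense) {
  if (PERMISSIVE.has(dependencyLicense)) return true;
  if (COPYLEFT.has(dependencyLicense)) return dependentLicense === dependencyLicense;
  return false;
}

// Breadth-first walk that records, for every transitive dependency, the first
// path found from the root. The visited map also guards against cycles.
function transitiveDeps(reg, root) {
  const paths = new Map();
  const queue = [[root, [root]]];
  while (queue.length) {
    const [name, path] = queue.shift();
    for (const dep of reg[name]?.dependencies ?? []) {
      if (dep !== root && !paths.has(dep)) {
        const next = [...path, dep];
        paths.set(dep, next);
        queue.push([dep, next]);
      }
    }
  }
  return paths;
}

// A violation is a transitive dependency whose license is incompatible with the
// root package's own license; the recorded path shows which direct dependency
// pulled it in, which is what a maintainer needs in order to act on the report.
function findViolations(reg, root) {
  const rootLicense = reg[root].license;
  const violations = [];
  for (const [dep, via] of transitiveDeps(reg, root)) {
    const depLicense = reg[dep]?.license ?? "UNKNOWN";
    if (!isCompatible(rootLicense, depLicense)) {
      violations.push({ package: root, dependency: dep, license: depLicense, via });
    }
  }
  return violations;
}

// Fraction of packages in the registry that have at least one violation, the
// same kind of prevalence figure the study reports for npm as a whole.
function violationRate(reg) {
  const names = Object.keys(reg);
  const affected = names.filter((n) => findViolations(reg, n).length > 0).length;
  return affected / names.length;
}

// Usage: report the MIT-licensed root that transitively pulls in a GPL package.
for (const v of findViolations(registry, "my-app")) {
  console.log(`${v.package} -> ${v.dependency} (${v.license}) via ${v.via.join(" > ")}`);
}
console.log(`violation rate: ${violationRate(registry)}`);
```

The interesting case is `my-app`: its direct dependencies are both permissive, so a check of direct dependencies alone would pass, yet `ui-kit` brings in the copyleft `chart-core` two levels down. `gpl-tool` depends on the same package without a violation because it carries the same license, which is the situation the abstract describes when it notes that copyleft packages in the dependency network drive the violation rate.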
