Open Source, Hidden Costs: A Systematic Literature Review on OSS License Management

TL;DR

This paper systematically reviews 80 studies on open-source software license management, highlighting current challenges, research gaps, and future directions to improve legal and operational handling of OSS licenses.

Contribution

It provides the first comprehensive systematic literature review on OSS license management, classifying research into key categories and offering practical recommendations.

Findings

Identification of key challenges in license management

Gaps in current license risk assessment methods

Future research directions in OSS license governance

Abstract

Integrating third-party software components is a common practice in modern software development, offering significant advantages in terms of efficiency and innovation. However, this practice is fraught with risks related to software licensing. A lack of understanding may lead to disputes, which can pose serious legal and operational challenges. To these ends, both academia and industry have conducted various investigations and proposed solutions and tools to deal with these challenges. However, significant limitations still remain. Moreover, the rapid evolution of open-source software (OSS) licenses, as well as the rapidly incorporated generative software engineering techniques, such as large language models for code (CodeLLMs), are placing greater demands on the systematic management of software license risks. To unveil the severe challenges and explore possible future directions, we conduct the first systematic literature review (SLR) on 80 carefully selected OSS license-related papers, classifying existing research into three key categories, i.e., license identification, license risk assessment, and license risk mitigation. Based on these, we discuss challenges in existing solutions, conclude the opportunities to shed light on future research directions and offer practical recommendations for practitioners. We hope this thorough review will help bridge the gaps between academia and industry and accelerate the ecosystem-wide governance of legitimate software risks within the software engineering community.