Open Source, Hidden Costs: A Systematic Literature Review on OSS License Management

• URL: http://arxiv.org/abs/2507.05270v2
• Date: Thu, 10 Jul 2025 15:37:05 GMT
• Title: Open Source, Hidden Costs: A Systematic Literature Review on OSS License Management
• Authors: Boyuan Li, Chengwei Liu, Lingling Fan, Sen Chen, Zhenlin Zhang, Zheli Liu,
• Abstract summary: Integrating third-party software components is a common practice in modern software development.<n>A lack of understanding may lead to disputes, which can pose serious legal and operational challenges.
• Score: 10.002122950923967
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Integrating third-party software components is a common practice in modern software development, offering significant advantages in terms of efficiency and innovation. However, this practice is fraught with risks related to software licensing. A lack of understanding may lead to disputes, which can pose serious legal and operational challenges. To these ends, both academia and industry have conducted various investigations and proposed solutions and tools to deal with these challenges. However, significant limitations still remain. Moreover, the rapid evolution of open-source software (OSS) licenses, as well as the rapidly incorporated generative software engineering techniques, such as large language models for code (CodeLLMs), are placing greater demands on the systematic management of software license risks. To unveil the severe challenges and explore possible future directions, we conduct the first systematic literature review (SLR) on 80 carefully selected OSS license-related papers, classifying existing research into three key categories, i.e., license identification, license risk assessment, and license risk mitigation. Based on these, we discuss challenges in existing solutions, conclude the opportunities to shed light on future research directions and offer practical recommendations for practitioners. We hope this thorough review will help bridge the gaps between academia and industry and accelerate the ecosystem-wide governance of legitimate software risks within the software engineering community.

Related papers

• Does Machine Unlearning Truly Remove Model Knowledge? A Framework for Auditing Unlearning in LLMs [58.24692529185971]
  We introduce a comprehensive auditing framework for unlearning evaluation comprising three benchmark datasets, six unlearning algorithms, and five prompt-based auditing methods.<n>We evaluate the effectiveness and robustness of different unlearning strategies.
  arXiv  Detail & Related papers  (2025-05-29T09:19:07Z)
• Open Source at a Crossroads: The Future of Licensing Driven by Monetization [9.920603494655682]
  Open Source Software Licenses (OSS licenses) ensure that software can be sold or distributed as part of aggregate programs from various sources without requiring a royalty or fee.<n>We argue that open source is at a crossroads, with a growing need to redefine its licensing models and support communities and critical software.
  arXiv  Detail & Related papers  (2025-03-04T17:44:01Z)
• An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries [52.23798016734889]
  This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges.
  arXiv  Detail & Related papers  (2024-09-27T16:20:20Z)
• Agent-Driven Automatic Software Improvement [55.2480439325792]
  This research proposal aims to explore innovative solutions by focusing on the deployment of agents powered by Large Language Models (LLMs) The iterative nature of agents, which allows for continuous learning and adaptation, can help surpass common challenges in code generation. We aim to use the iterative feedback in these systems to further fine-tune the LLMs underlying the agents, becoming better aligned to the task of automated software improvement.
  arXiv  Detail & Related papers  (2024-06-24T15:45:22Z)
• A Survey of Third-Party Library Security Research in Application Software [3.280510821619164]
  With the widespread use of third-party libraries, associated security risks and potential vulnerabilities are increasingly apparent. Malicious attackers can exploit these vulnerabilities to infiltrate systems, execute unauthorized operations, or steal sensitive information. Research on third-party libraries in software becomes paramount to address this growing security challenge.
  arXiv  Detail & Related papers  (2024-04-27T16:35:02Z)
• "The Law Doesn't Work Like a Computer": Exploring Software Licensing Issues Faced by Legal Practitioners [7.323456975282423]
  We conducted a survey with 30 legal practitioners and related occupations. We identified different aspects of OSS license compliance from the perspective of legal practitioners. We discuss the implications of our findings.
  arXiv  Detail & Related papers  (2024-03-22T03:07:11Z)
• The WMDP Benchmark: Measuring and Reducing Malicious Use With Unlearning [87.1610740406279]
  White House Executive Order on Artificial Intelligence highlights the risks of large language models (LLMs) empowering malicious actors in developing biological, cyber, and chemical weapons. Current evaluations are private, preventing further research into mitigating risk. We publicly release the Weapons of Mass Destruction Proxy benchmark, a dataset of 3,668 multiple-choice questions.
  arXiv  Detail & Related papers  (2024-03-05T18:59:35Z)
• DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers [0.3754193239793766]
  adversaries utilize Social Engineering (SocE) techniques specifically aimed at software developers. This paper aims to comprehensively explore the existing and emerging SocE tactics employed by adversaries to trick Software Engineers (SWEs) into delivering malicious software.
  arXiv  Detail & Related papers  (2024-02-28T15:24:43Z)
• Catch the Butterfly: Peeking into the Terms and Conflicts among SPDX Licenses [16.948633594354412]
  Third-party libraries (TPLs) in software development has accelerated the creation of modern software. Developers may inadvertently violate the licenses of TPLs, leading to legal issues. There is a need for a high-quality license dataset that encompasses a broad range of mainstream licenses.
  arXiv  Detail & Related papers  (2024-01-19T11:27:34Z)
• Lessons from Formally Verified Deployed Software Systems (Extended version) [65.69802414600832]
  This article examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that the software industry should draw regarding its ability to benefit from formal verification techniques and tools.
  arXiv  Detail & Related papers  (2023-01-05T18:18:46Z)
• Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
  Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
  arXiv  Detail & Related papers  (2020-10-19T13:09:31Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.