Black Duck tool aims to bolster licensing compliance

Von Todd R.

Black Duck Software Inc. Monday unveiled a hosted, on-demand service designed to help companies that use open-source and proprietary software side by side check license compliance, intellectual property rights and development integrity.

The company"s protexIP/OnDemand hosted service allows users to analyze code in their applications and compare it to a code-compliance database to ensure that they are properly using their open-source software along with their proprietary applications as outlined in licensing agreements.

In an announcement today, the Waltham, Mass.-based software compliance management vendor said its hosted service will give small to midsize companies tighter control over the use and development of applications by giving them the ability to analyze the code.

"There are certain conditions that proprietary software vendors place on the use of proprietary code," including prohibitions against using it alongside open-source code, said Doug Levin, CEO of Black Duck. Other vendors have licensing conditions that must be met, including attribution for the use of the code.

The new protexIP/OnDemand service allows a single user to do a Web-based analysis of up to 10MB of code starting at US$3,000. The analysis can be done in one 10MB session or in multiple sessions adding up to 10MB of data. The hosted application is similar to Black Duck"s existing full protexIP/development edition, which runs on a company"s server within the corporate firewall. That application, released last May, starts at $25,000 for one server and an unlimited number of users.

The new hosted service allows smaller companies to do the same analysis at less cost, according to Black Duck.

Targeted users include independent software vendors, technology vendors and companies performing due diligence work as part of mergers and acquisitions and other actions, Levin said. By helping users find whether there is any open-source software in their code bases -- and if so, whether it"s properly licensed -- the hosted application can save them legal hassles later, he said.

The software can recognize code from thousands of open-source programs that may have been inserted into user"s source code -- even small blocks of code or code that has been modified. It then identifies the license associated with the open-source code from a database of hundreds of license types and highlights potential conflicts between that license and other license restrictions or business policies. Finally, it creates a "punch list" of the issues for review by the company"s legal counsel and software engineers.

The on-demand version of the software was developed in response to customer requests, Levin said. "Some users are buying into the IBM on-demand vision, while others are smaller companies that are price-sensitive and wanted to run their code through the system once a year," he said.

Two users said the service has been useful.

Gwyn Fisher, senior vice president of products at Toronto-based Tira Wireless Inc., a developer of software for wireless devices, said his company used the beta version of protexIP/OnDemand to analyze a new workflow management application it has assembled and will now sell. Originally, Tira Wireless hired outside counsel to analyze code in the Java-based application, which was written using a multitude of open-source code picked up online and elsewhere. But Tira executives still weren"t satisfied that the code was well reviewed, so they contacted Black Duck.

Black Duck is funded by a company that also funds Tira.

"We wanted to be sure," Fisher said. "It found everything we expected it to find, obviously, but it also found other things," such as snippets of code the outside counsel wasn"t qualified to check. "As it turned out, we were OK," he said. "It could have been horrendous."

The best part of the service, Fisher said, is that it "disregards what you say you"ve got and looks at what you"ve actually got. It was priceless."

Bernard Golden, CEO of Navica Inc., an open-source consultancy in San Carlos, Calif., and the author of the book, Succeeding With Open Source, said he has used the beta service on behalf of clients to analyze their application code. "From our perspective, it"s a lot easier and and more convenient" to use the on-demand version since it doesn"t have to be installed by a company"s IT team.

"We use this for clients who tend to be more cautious or want more risk assessment," he said.

Dan Kusnetzky, an analyst at market research company IDC in Framingham, Mass., said the service is likely to be useful for smaller companies that want to be sure of their software. "It would be very easy for a developer to pick up some software in a library someplace and use it unintentionally," he said. "If someone considers the potential exposure to litigation ... this might be a very wise investment for a company," compared to paying legal fees in a code dispute case later.

Amy Wohl, an analyst at Wohl Associates in Narbeth, Pa., agreed. "Increasingly, I think both (independent software vendor) and user customers are concerned about knowing the content and the ownership in their software," whether it is in-house or third-party applications, she said. Often, executives aren"t aware of how developers find code and put it into their applications. This service can help clear up some of that mystery and make companies more aware of what they have.

Several companies such as Black Duck began sprouting up soon after Unix vendor The SCO Group Inc. filed its still-pending, $5 billion lawsuit against IBM Corp. in March 2003. The SCO lawsuit claims that IBM illegally contributed some of SCO"s Unix System V source code to the Linux open-source project.