Reusing open source code is common nowadays − developers are frequently copying code fragments, files, or components from one system to another for reasons such as adding features from existing systems or fixing bugs using known and tested implementations.  Some recent research developments have focused on creating solutions to support these tasks; however, they are missing one important legal dimension: license compliance, if not satisfied, can create a number of severe legal consequences.  In fact, copying code without the approval of the copyright holder is generally prohibited.  For example, a US court ruled that even copying 25 out of 500KLOC could be considered a copyright infringement.  The problem is exacerbated by the fact that software developers frequently are not aware of the associated legal risks and their companies may not have specific policies and guidelines on this account.  

Open source software (comprising all the artifacts, not only the source code) is a system that is licensed under some open source license, which makes code or components available for creating derivative works based on it.  The open source licensing process is a vehicle for the licensor to grant certain rights to the licensee that would else be prohibited, such as the right to make, edit, and distribute copies.  In exchange for these rights, the licensee must abide by the requirements and constraints that such licenses entail.  There are numerous such Open Source Initiative approved licenses as of today, and they vary considerably in the constraints that they impose. What is even more challenging is that these licenses, their constraints and requirements, the components governed by them, and the software systems are all continually evolving.  However, at any given time, any software must satisfy all the requirements for each license of the components it reuses. Another growing challenge is to ensure license compatibility of the overall system with the licenses of each of its components, libraries, and even the tools it uses.  This requires a sophisticated analysis of the overall system's architecture, environment, and licenses to detect if overall licenses contradict any of its constituents’ licenses.  Moreover, this analysis needs to be done continually as software, dependencies, licenses, and their requirements evolve asynchronously.  

To address this issue, the project (1) defined and evaluated a unified model for establishing the provenance of components, detecting their licenses, and verifying legal licensing compliance concerns using novel combinations of Information Retrieval, Mining Software Repositories, internet-scale source code search, and static analysis approaches to detect origins of software components, (2) defined and instantiated new methodologies to support specific development and maintenance tasks, and (3) performed empirical case studies to evaluate techniques and methodologies; and (4) created and maintained a repository of software artifacts and analysis data to support rigorously controlled experimentation and benchmarking in the research community. Some of the broader impacts from this project include (1) improving the state-of-the-practice in software development that faces difficulties in ensuing legal licensing compliance challenges (2) demonstrating improved licensing practices, (3) developing educational course content and piloting it in our courses as part of this research proposal, and (4) actively involving underrepresented categories of students in this research program.

The resulting work has been published in several high-quality software engineering conferences and journals (some gaining best result recognition).  A number of undergraduate and graduate students, including a minority doctoral student, were trained and became contributing members on this project.  Several of these students co-authored and presented papers at international conferences.  Multiple graduate-level theses were derived from this project. The students graduating from this program have secured full-time employment in academia and software industry. The gained scientific knowledge was integrated in multiple undergraduate and graduate classes at the host institutions, which broadens STEM education.  ACM/IEEE Software Engineering Curriculum Guidelines identified software evolution among the ten key areas of SE education. A number of open-source software tools were developed and are made available publicly.  The data repositories resulting from this project are made accessible to the scientific community and general public through the PI’s web site. The project enhanced and strengthened a long-term professional collaboration not only between the PI and his students but also multiple collaborators involved.  The computing infrastructure established during the course of the project permits the sustainability of its resources.

Last Modified: 01/15/2019
Modified by: Denys Poshyvanyk