Handling Third-Party Component Licenses: A Case Study in a Swedish Company: How well do existing license management tools detect potentially unsafe third-party component licenses?

University essay from Högskolan Dalarna/Informatik

Abstract: Modern software development relies heavily on third-party components: pre-built software modules developed by other organisations, either open-source or commercial, that serve as building blocks for developers to create complex applications more efficiently. What many do not know or realise is that every such component comes with a license that may restrict how the software can be used or distributed, and managing all the licenses of the third-party components in use can become a challenge for companies that develop software. This thesis investigates three third-party component license management tools: OWASP Dependency-Check, Snyk, and Debricked. The research question was: “How well can the three chosen third-party component license management tools, OWASP Dependency-Check, Snyk and Debricked, detect potentially unsafe licenses within software projects?” To answer this question, controlled experiments were conducted to compare the functionality of the tools on two different projects: one advanced project and one simple project. A comprehensive literature review, which identified the lack of previous research in this area, provided the theoretical background for the study. The results of the controlled experiments showed that the three tools help developers in different ways, as they satisfy different needs. For users looking to manage their dependencies, OWASP Dependency-Check is the preferable option. Debricked demonstrated its ability to detect potentially unsafe licenses in software projects and also identifies license families, a feature that can be valuable to developers because it simplifies the comprehension of a project’s licenses. Snyk, on the other hand, provided warnings about the risks associated with licenses. While Debricked outperformed Snyk in license detection, Snyk still proved useful in identifying potentially unsafe licenses in software projects, at least in the projects studied here.
The findings of this thesis can benefit software developers, project managers, and organisations that rely on third-party components in their software development. The results may be used to guide the selection of third-party components and of the appropriate license management tools. Overall, this thesis adds to the body of knowledge on managing third-party component licenses and offers practical insights for software development practice.
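As an added illustration of what "license family" identification and "potentially unsafe license" detection amount to in practice, the following script (written for this page; it is not part of the thesis and not code from OWASP Dependency-Check, Snyk or Debricked) classifies the licenses declared in a constructed CycloneDX-style SBOM fragment into families and flags components whose family is disallowed by a hypothetical policy for a closed-source product. The family table, the policy, the SBOM contents and every component name in it are assumptions made for the example.

```python
"""Added example for this page (not from the thesis, nor code from OWASP
Dependency-Check, Snyk or Debricked): classify the licenses declared in a
CycloneDX-style SBOM into license families and flag components whose family a
hypothetical distribution policy disallows.  Family table, policy and sample
SBOM are constructed assumptions for illustration."""

# SPDX identifier -> license family (assumed, abbreviated; a real tool maps the
# full SPDX list and handles exceptions such as Classpath-exception-2.0).
FAMILIES = {
    "MIT": "permissive", "ISC": "permissive", "Apache-2.0": "permissive",
    "BSD-2-Clause": "permissive", "BSD-3-Clause": "permissive",
    "MPL-2.0": "weak-copyleft", "EPL-2.0": "weak-copyleft",
    "LGPL-2.1-only": "weak-copyleft", "LGPL-2.1-or-later": "weak-copyleft",
    "LGPL-3.0-only": "weak-copyleft", "LGPL-3.0-or-later": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-2.0-or-later": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft", "GPL-3.0-or-later": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft", "AGPL-3.0-or-later": "network-copyleft",
}
# Hypothetical policy for a closed-source product: weak copyleft tolerated
# (assuming dynamic linking), strong and network copyleft not.
DISALLOWED = {"strong-copyleft", "network-copyleft"}

def classify(spdx_id):
    """License family for an SPDX identifier, or 'unknown' if not in the table."""
    return FAMILIES.get(spdx_id, "unknown")

def parse_expression(expr):
    """Split a flat SPDX expression into (operator, identifiers).  Only one
    top-level AND or OR is handled; a parenthesised expression is kept as one
    opaque term, which classifies as 'unknown' rather than silently passing."""
    expr = expr.strip()
    if "(" not in expr:
        for op in ("OR", "AND"):
            if f" {op} " in expr:
                return op, [t.strip() for t in expr.split(f" {op} ")]
    return "AND", [expr]

def component_terms(component):
    """(operator, identifiers) from a CycloneDX 'licenses' list, whose entries
    are {"license": {"id"|"name": ...}} or {"expression": ...}.  A single
    expression keeps its operator; anything else is combined with AND."""
    entries = component.get("licenses", [])
    if len(entries) == 1 and "expression" in entries[0]:
        return parse_expression(entries[0]["expression"])
    ids = []
    for entry in entries:
        if "expression" in entry:
            ids.extend(parse_expression(entry["expression"])[1])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name", ""))
    return "AND", [i for i in ids if i]

def evaluate(ids, op, disallowed=DISALLOWED):
    """(verdict, {id: family}); verdict is 'ok', 'flag' or 'unknown'.  Under OR
    the consumer may pick any option, so one acceptable option suffices (an
    unknown term never rescues a flagged one); under AND every term must pass."""
    fams = {i: classify(i) for i in ids}
    status = ["unknown" if f == "unknown" else "flag" if f in disallowed else "ok"
              for f in fams.values()]
    if op == "OR":
        verdict = "ok" if "ok" in status else "flag" if "flag" in status else "unknown"
    else:
        verdict = "flag" if "flag" in status else "unknown" if "unknown" in status else "ok"
    return verdict, fams

def audit(sbom, disallowed=DISALLOWED):
    """Audit every component.  No declared license is reported as 'undeclared':
    a finding for a reviewer, not a clean result."""
    results = []
    for comp in sbom.get("components", []):
        op, ids = component_terms(comp)
        verdict, fams = evaluate(ids, op, disallowed) if ids else ("undeclared", {})
        results.append({"name": comp["name"], "version": comp.get("version", ""),
                        "licenses": ids, "families": fams, "verdict": verdict})
    return results

def summary(results):
    """Number of components per verdict."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts

# Constructed SBOM fragment: names, versions and licenses are made up.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "http-client", "version": "2.3.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "db-driver", "version": "1.9.0", "licenses": [{"license": {"id": "LGPL-3.0-or-later"}}]},
    {"name": "ml-core", "version": "0.4.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "pdf-render", "version": "5.0.0", "licenses": [{"expression": "AGPL-3.0-only OR Commercial"}]},
    {"name": "plugin-kit", "version": "3.1.0", "licenses": [{"expression": "MIT AND Apache-2.0"}]},
    {"name": "legacy-util", "version": "0.1.0"},
]}

if __name__ == "__main__":
    rows = audit(SAMPLE_SBOM)
    for r in rows:
        print(f'{r["verdict"]:10} {r["name"]:12} {r["version"]:7} {r["families"]}')
    print(summary(rows))
```

Two design choices are worth noting. A component with no declared license is reported as "undeclared" rather than passing, because missing metadata is exactly where unsafe licenses hide. The dual-licensed "AGPL-3.0-only OR Commercial" component is flagged even though a commercial option exists: "Commercial" is not an SPDX identifier, so the checker cannot know whether that option has actually been purchased, and a conservative verdict pushes the question to a human reviewer, which is the role the thesis attributes to the tools' warnings.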
