Categories: compliance, developer, Open Source

Developers that Copy and Paste Code Put Companies at Risk for Lawsuits

Go to developer forums, YouTube channels and blog posts and you will find endless conversations about copying and pasting code. The discussion usually revolves around whether the practice is lazy, whether it will produce the desired outcome, and whether bugs in copied code take longer to fix than bugs in code you wrote yourself. Copying and pasting code from the internet is a common practice in software development, and these are the only questions most developers ask about it.

In 2016 a developer employed by Nissan got caught when a verbatim Stack Overflow answer appeared in an update to the NissanConnect EV mobile app. The quality assurance team missed it and shipped the update to customers. What did this say to Nissan customers at the time? It does not instill confidence in the company's brand, and that perception can have damaging effects for years.

How many companies have tooling in place to catch this? How would a quality assurance department know, just by running functional tests on the update, that a block of code had been copied from elsewhere? They would not. Speak to a developer about this incident and the response is framed in terms of how it affects the software they are writing, because that is their world. Most do not consider how it could open the door to lawsuits, both against their employer and, in some cases, against themselves.

There are several issues with copying and pasting open source code. Some open source licenses are viral, and developers should have an accurate understanding of that term. "Viral" licenses, also referred to as "copyleft" licenses, require anyone who distributes the code, or a work derived from it, to make the resulting work available under the same open source license.

The GNU GPL does not require you to release your modified version. You can modify it and use it privately, but if you distribute the modified version to the public for any purpose, you are required to make the modified source code available under the GPL. If a developer releases the modified code without following this basic rule, the company is violating the terms of the open source license and is therefore infringing copyright. The GPL has several further requirements, and complying with them requires an in-depth knowledge of the license.

Copyright infringement can be expensive for a company, or put it out of business. According to Purdue University, the law provides statutory penalties of $200 to $150,000 per work infringed. The company can be held liable for damages and all legal costs of the original author, and can be forced to stop using the software.

A company must take this threat seriously. Extracting the infringing code after the product has been completed and distributed means costly re-engineering and remedial redistribution. The temptation for developers to copy and paste without regard to software licensing is a daily occurrence: they are under pressure to meet deadlines and do not hesitate to take shortcuts.

If the code that developers are copying and pasting is in the public domain, then either the copyright has expired or the copyright holders have released the work to the public. In that case the work is not covered by copyright law. It is still good practice to leave a statement in the code giving proper attribution, as this will be useful to developers downstream. Do not claim that your company owns the copyright on public domain code.

According to fairuse.stanford.edu, the U.S. Supreme Court has held that there is no legal requirement to provide attribution when public domain works are copied into new works (Dastar Corp. v. 20th Century Fox Film Corp., 123 S.Ct. 2041 (2003)). You can still be held personally responsible for plagiarism by your company if you pose as the original author. The original author of a public domain work cannot sue you for plagiarism, but you can lose your job as a consequence.

Open source software can save developers a great deal of time, but it is very important to understand the conditions and limitations of each license and to follow them carefully. If you break those requirements, you are putting your company's existence and reputation at risk.

Threatrix.io software can discover your open source license and security exposure, even in compiled binaries. Your company will know when a developer has breached a license and can do what is necessary to protect itself from lawsuits.

Threatrix is the only solution that can accurately detect embedded assets (snippets of open source code) within your intellectual property and report on the license risks associated with the projects from which they were copied. We can determine the exact version of the file from which an embedded asset was taken. This matters because many projects today are moving from permissive licenses to commercial or viral ones, so the version copied determines which license terms apply.

Our solution creates a bill of materials listing every component that developers use in your software supply chain. From that bill of materials we derive licenses and vulnerabilities, and automate both the remediation of those vulnerabilities and compliance with the licenses. We enforce both legal and security policies so that you release software that is secure and legally compliant.
