Open source software (OSS) is driving the automobile industry into the future. Automakers are looking to the advancement of integrated technology to power not just engines, but market share as well. Autonomous vehicles, sensor technology, speed monitoring, fuel efficiency tracking, diverse mobility, and social and In-Vehicle Infotainment (IVI) applications are just a few of the most recent advancements that inevitably include open source. A connected car today has between 60 and 80 computers, each dedicated to a single function. This represents between 50 and 80 million lines of software code, all coming from software packages provided by third-party software suppliers.
Like every other industry that reaps the benefits of OSS, there are license compliance issues auto manufacturers need to consider. Connectivity is certainly the end goal, but it should not outpace open source software requirements and obligations. Given all this, managing OSS license compliance in the auto industry can be a complex task.
Here are thirteen important steps automobile manufacturers should take to manage open-source licenses more effectively:
- Establish a Compliance Team: Create a dedicated team such as an Open Source Program Office (OSPO) to handle open-source compliance. This team should include experts from legal, software engineering, security, and product management, as well as include an executive sponsor. The OSPOs main focus is helping organizations develop and manage their open-source strategy by establishing and enforcing policies related to OSS and third-party component usage, licensing compliance, legal issues, OSS community engagement, contributions to OSS projects, and more.
- Understand Open-Source Licenses: Gain a deep understanding of various open-source licenses and their implications. Some licenses are more permissive, while others have strict requirements for attribution, distribution of source code, and compatibility with proprietary software.
- Inventory of Open-Source Software (OSS): Maintain a comprehensive inventory of all open-source software components used in your automotive systems. This includes not only the operating system but also middleware, libraries, and other software components.
- Use of Software Bill of Materials (SBOM): Create and maintain a software bill of materials (SBOM) for each vehicle model. A software bill of materials (SBOM) provides value by ensuring the safety and efficacy of a company’s software products. An SBOM provides a detailed list of all third-party, open-source, and commercial software components found within an application. These details provide a software maker with clarity about its product composition—and ensure that it isn’t transmitting risks to its users and customers.
- License Review Process: Establish a process for reviewing and approving open-source software components before integration. Ensure that the chosen components are compliant with the company’s open-source policy and the intended use.
- Open-Source Policies and Guidelines: Develop clear and comprehensive open-source policies and guidelines that outline which licenses are acceptable, how to handle license conflicts, and the procedures for incorporating open-source software.
- Automate Compliance Checks: Implement Software Composition Analysis tools that can automatically scan source code repositories and identify open-source components, along with their associated licenses. This helps catch compliance issues early in the development process.
- Manage License Obligations: Understand the obligations of different licenses, such as providing source code, displaying copyright notices, and maintaining license information. Ensure that these obligations are met in your products.
- Track Modifications: If modifications are made to open-source components, keep track of these changes and ensure that they are properly documented and shared with the community as required by the licenses.
- Document Compliance Efforts: Maintain records of all compliance efforts, including license reviews, approvals, and any actions taken to rectify non-compliance issues.
- Regular Audits: Conduct periodic audits of your software components and licenses to ensure ongoing compliance. This is especially important given the dynamic nature of software development.
- Educate Development Teams: Provide training to your software development teams about open-source licenses and compliance best practices. Ensure that they are aware of the potential implications of incorporating open-source components.
- Engage Legal Counsel: If in doubt about the compliance status of a specific open-source component, seek advice from legal counsel experienced in open-source licensing.
As open source use continues to increase in the auto industry, effective management of open source security and license compliance risk is becoming increasingly important. By integrating processes and automated solutions into the software supply chain, automakers, suppliers, and technology companies servicing the automotive industry can maximize the benefits of open source while effectively managing risk.