Revenera logo
Image: Understanding the SaaS Loophole in GPL

What is GPL?

The GNU General Public License, often known as copyleft or viral, grants permission to use or reuse or modify source code to make derivative works with a condition that if you distribute your program to others, it requires you to license the derivative work under the same license. There is a catch to this, i.e., by agreeing to the GPL license, (if you plan to redistribute) you must make the source code wholly available to users and allow further modifications and retribution of your product.  This makes it unpopular to authors who make money using proprietary software.

GPL with SaaS Exception:

GPL triggers during distribution, so it makes SaaS (Software as a Service) products immune to some extent. SaaS is a way of delivering the applications via the Internet without installing or distributing the source code to the user. So, making your product available via the Internet does not qualify it as a “Distribution,” which does not trigger the GPL condition. Also, SaaS applications which use JavaScript library will be at risk since, in some legal circles, it is considered a Distribution that triggers GPL condition. Net, it is advisable to stay away from GPL-ed JavaScript Library for your SaaS applications.

What is AGPL?

Section13 of the GNU Affero General Public License v3.0 (AGPL-3.0) closed the SaaS loophole which is one of the major differences between GPL and AGPL. In simpler terms, AGPL is like GPL with an exception that GPL is only triggered if you distribute your derivative work. AGPL broadens this trigger to activate if you let people use your derivative work even over a server connected to the network.

Concerns or Risks Companies face?

There are two major concerns or risks faced by SaaS companies or others nowadays by using open-source components, one is License Compliance and other is security Issues.

  • License Compliance: Due to unawareness of license compliance by companies may lead to potential legal cases. For example, SaaS products are less immune to GPL but if they use AGPL they must comply and release their product under open-source compliance. Using unknown licenses will carry the same risk, because by default if a component is not licensed, it is not given the right to use.
  • Security Issues: In this modern technological era, free and security doesn’t come as one package. When you are using open-source components in your products, you are exposed to certain risks which are vulnerabilities and bugs. One good thing about the open-source community is that it is vocal and active regarding vulnerabilities. Once identified, a patch is usually released soon. The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. Recent examples are Apache Log4j which caused a massive surge in the community but was later patched and resolved. Another is Severe Security Flaw Found in “jsonwebtoken” library Used by 22,000+ Projects

Software Bill of Materials (SBOM)

The best way for companies to deal with license compliance and security issues is to prepare a thorough SBOM. A Software Bill of Materials in an inventory list of all software components and dependencies which are present in a given product. This includes a list of all open-source components with its versions along with license and vulnerabilities, giving an opportunity for the companies to stay ahead in terms of license compliance and security risks.

What does an SBOM offer?

Revenera provides services for companies to prepare a truly pure and relevant SBOM for their products. Revenera SBOMs are categorized into priority levels based on license and CVE scores which will help companies to investigate and resolve any risks they carry in their product(s).

Disclaimer: This post is for information purposes only. Please consult an attorney or inside counsel for any legal advice.