Choosing Open-Source Libraries

Here are some factors that the developers should consider before choosing an open-source library:

Community support and popularity

Open-source projects have communities of contributors and active users who write the code, detect and fix issues, write documentation and offer support to other users. The larger and more active the community is, the better the code and the support you can expect if you run into trouble.

A quick search on the project website or in relevant forums will show you how active the community is. The number of commits and downloads is also a good indication of a project’s popularity and community size.

NuGet

For example, if you need to find a docx/Word generator in NuGet, you can sort the results by the number of downloads. This documentation explains how to find and evaluate NuGet packages for your project.

Go to the source repository.

GitHub

In GitHub, you can sort search results by the number of stars.

The statistics of commits can be viewed in the Insights tab.

Licensing

Open-source components come with a license, which you have to comply with. There are hundreds of open-source licenses, although the majority of projects use about 30 of them, each with different terms and conditions. Some require you to add notices, some have patent clauses, and then there are the copyleft licenses. Copyleft licenses, like the GNU GPL family, require anyone who distributes a product containing the code to release the full source code of that product and to pass on the rights to modify and distribute the entire product. We obviously can’t use this kind of license.

On the other hand, permissive licenses allow you to use, modify, and distribute the licensed software, including creating derivative works, without requiring those derivative works to be licensed under the same terms. You can release the modified parts of the code under any license you prefer.

The MIT License is a permissive license. It lets people do almost anything they want with your project, including making and distributing closed-source versions.

It is preferable to use open-source libraries with MIT License.

Below are some useful articles for understanding open-source licenses.

  1. Open-Source Licenses - Definition, Types, and Comparison
  2. Popular Open-Source Licenses; if you’re looking for a reference table of every license on that site, see the appendix.
  3. tl;drLegal, which summarizes popular software licenses at a glance.
  4. Apache vs MIT License

Another point to watch is that it is not enough to check the license of the specific library and ensure it meets your legal team’s policy; you also need to check the licenses of all the dependencies of the open-source libraries you are adding.

Be aware that a dependency may carry a different license than the library you are actually using.

NuGet

Follow the instructions below to get the license information of NuGet packages.

Check the license of its dependencies as well.
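The dependency check described above can be scripted. The following is an added example, not code from this page or from NuGet: it reads the license declaration from each package’s .nuspec (the SPDX expression in <license type="expression">, or the legacy <licenseUrl>), walks the dependency graph from the package you add so that transitive dependencies are covered, and classifies each package against a policy. The package names, .nuspec contents, dependency edges, the ALLOWED set and the copyleft prefixes are all constructed placeholders for a hypothetical legal policy; adapt them to your own.

```python
"""License policy check over a NuGet dependency graph, including transitive
dependencies. Added example, not part of the original guidance. The packages,
their .nuspec contents and the dependency edges below are constructed; the
ALLOWED set and the copyleft prefixes stand in for a hypothetical legal policy."""
import re
import xml.etree.ElementTree as ET

# SPDX identifiers the hypothetical policy accepts outright (permissive licenses).
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MS-PL"}
# Copyleft families that must be escalated before the package can be used.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def _local(tag: str) -> str:
    """Strip the XML namespace; .nuspec files use several schema versions."""
    return tag.split("}")[-1]


def license_of(nuspec_xml: str):
    """Return the SPDX expression from <license type="expression">, a
    'file:'/'url:' marker when the package only ships a license file or the
    legacy <licenseUrl> element, or None when nothing is declared."""
    root = ET.fromstring(nuspec_xml)
    for el in root.iter():
        if _local(el.tag) == "license":
            text = (el.text or "").strip()
            return text if el.get("type") == "expression" else f"file:{text}"
    for el in root.iter():
        if _local(el.tag) == "licenseUrl":
            return f"url:{(el.text or '').strip()}"
    return None


def classify(expr):
    """Map a license declaration to 'allowed', 'copyleft', 'review' or 'unknown'.
    Handles flat SPDX expressions: 'A OR B' passes if any branch is allowed,
    'A AND B' only if every branch is."""
    if expr is None:
        return "unknown"
    if expr.startswith(("file:", "url:")):
        return "review"  # a human has to read the file or the page

    def verdict(spdx_id):
        if spdx_id in ALLOWED:
            return "allowed"
        if spdx_id.startswith(COPYLEFT_PREFIXES):
            return "copyleft"
        return "review"

    ids = [t for t in re.split(r"\s+(?:AND|OR)\s+|[()]", expr) if t]
    verdicts = [verdict(i) for i in ids]
    if " OR " in expr and "allowed" in verdicts:
        return "allowed"
    if all(v == "allowed" for v in verdicts):
        return "allowed"
    return "copyleft" if "copyleft" in verdicts else "review"


def check_graph(graph, roots):
    """Walk the dependency graph from the packages you add directly and classify
    every package reached, so transitive dependencies are covered too."""
    verdicts, stack = {}, list(roots)
    while stack:
        pkg_id = stack.pop()
        if pkg_id in verdicts:
            continue
        node = graph[pkg_id]
        verdicts[pkg_id] = classify(license_of(node["nuspec"]))
        stack.extend(node["deps"])
    return verdicts


def violations(graph, roots):
    """Packages that cannot be used without further action, sorted by id."""
    return sorted(p for p, v in check_graph(graph, roots).items() if v != "allowed")


def _nuspec(pkg_id, version, license_el):
    # Minimal constructed .nuspec; the namespace is one NuGet actually uses.
    return (
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f"<metadata><id>{pkg_id}</id><version>{version}</version>{license_el}</metadata>"
        "</package>"
    )


# Constructed graph: the library we want to add plus what it pulls in.
SAMPLE_GRAPH = {
    "DocGen": {"nuspec": _nuspec("DocGen", "3.1.0", '<license type="expression">MIT</license>'),
               "deps": ["ZipHelper", "PdfRender"]},
    "ZipHelper": {"nuspec": _nuspec("ZipHelper", "1.0.4", '<license type="expression">Apache-2.0 OR MIT</license>'),
                  "deps": ["OldLib"]},
    "PdfRender": {"nuspec": _nuspec("PdfRender", "2.2.0", '<license type="expression">LGPL-2.1-or-later</license>'),
                  "deps": []},
    "OldLib": {"nuspec": _nuspec("OldLib", "0.9.0", "<licenseUrl>https://example.invalid/license</licenseUrl>"),
               "deps": []},
}

if __name__ == "__main__":
    for pkg, verdict in sorted(check_graph(SAMPLE_GRAPH, ["DocGen"]).items()):
        print(f"{pkg:<10} {verdict}")
    print("needs action:", violations(SAMPLE_GRAPH, ["DocGen"]))
```

Run as-is, the script reports DocGen and ZipHelper as allowed, PdfRender as copyleft (LGPL) and OldLib as needing review because it only declares a licenseUrl. In practice the .nuspec files come out of the extracted packages in your local package cache, and the dependency edges from the project’s lock or assets file; the point of the walk is that a single transitive package such as PdfRender is enough to block the top-level library you were evaluating.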

GitHub

Licenses are displayed in the repository overview, allowing anyone to easily see if a project has an open-source license.

Documentation

Popular and well-maintained open-source projects make sure they have proper documentation. Anyone who has ever needed good documentation and been able to find it understands its value.

This can be a great indicator for the quality and support you can expect from this community. If you happen to have a few options suitable to your needs, this metric should steer you in the right direction.

Working with open-source components whose source code you are not familiar with, and without documentation, makes dealing with issues a big hassle. When everything is laid out in front of you, things are a lot easier.

NuGet

Read the documentation by visiting the Project website or Source repository.

GitHub

You can either open the README.md file in the source repository or visit the Wiki tab.

Software Versions

New versions of open-source libraries are released quite frequently. Often new versions offer new functionality, fix reported software bugs and security vulnerabilities or add compatibility with other open-source projects.

These versions are the result of the open-source community’s collaboration, and collaborative work is the key to improving open source. However, your preference should be the latest stable version rather than the newest one, unless you need a specific new functionality.

Sometimes the latest stable version is marked as such; if not, a quick search in relevant forums will usually answer the question. If there is no ‘official’ latest stable version, most developers’ rule of thumb is to use the one before the last.

Updating versions throughout the software development lifecycle is also important, but it is a more involved task that deserves a process of its own.

Read our article to learn more about software versioning and understand the difference between stable and pre-release versions.

NuGet

By default, NuGet lists all versions of packages, including prerelease and beta versions. In the Options section, deselect the Include prerelease checkbox to list only stable, released package versions.
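The “Include prerelease” checkbox is a filter on version strings, and the same selection is easy to script, for instance in a tool that pins versions for review. The following is an added example, not code from the page or from NuGet: it orders versions by SemVer 2.0 precedence (which NuGet follows, with its optional fourth revision number) and picks the latest stable one, so that 1.3.0-beta.10 ranks above 1.3.0-beta.2 but below 1.3.0. The version list is constructed.

```python
"""Pick the latest stable NuGet package version from a version list, i.e. what
the "Include prerelease" checkbox does, but scriptable. Added example, not code
from the original page or from NuGet. Ordering follows SemVer 2.0 precedence,
which NuGet uses, with NuGet's optional fourth (revision) number; the version
list at the bottom is constructed."""


def version_key(version: str):
    """Sort key implementing SemVer precedence: numeric core first, then a
    release outranks any prerelease of the same core, then prerelease
    identifiers compared one by one (numeric < alphanumeric, numbers by value,
    strings lexically, a shorter identifier list ranks lower).
    Build metadata after '+' is ignored, as the spec requires."""
    core, _, _build = version.partition("+")
    core, _, pre = core.partition("-")
    nums = [int(part) for part in core.split(".")]
    nums += [0] * (4 - len(nums))  # 1.2.3 == 1.2.3.0 in NuGet
    if not pre:
        return (tuple(nums), (1,))
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split("."))
    return (tuple(nums), (0,) + ids)


def is_prerelease(version: str) -> bool:
    """A '-' in the version (before any build metadata) marks a prerelease."""
    core, _, _build = version.partition("+")
    return "-" in core


def latest(versions, include_prerelease=False):
    """Highest version; prerelease tags are skipped unless asked for.
    Returns None when nothing qualifies (e.g. a package that only has betas)."""
    candidates = [v for v in versions if include_prerelease or not is_prerelease(v)]
    return max(candidates, key=version_key) if candidates else None


# Constructed version list, in the unsorted order a feed might return it.
SAMPLE_VERSIONS = ["1.2.0", "1.3.0-beta.2", "1.3.0-beta.10", "1.2.5",
                   "2.0.0-rc.1", "1.3.0"]

if __name__ == "__main__":
    print("latest stable:   ", latest(SAMPLE_VERSIONS))
    print("newest overall:  ", latest(SAMPLE_VERSIONS, include_prerelease=True))
    print("ascending order: ", sorted(SAMPLE_VERSIONS, key=version_key))
```

For the sample list the latest stable version is 1.3.0 while the newest overall is 2.0.0-rc.1, which is exactly the gap the checkbox hides. A naive string sort would have put 1.3.0-beta.10 before 1.3.0-beta.2 and 1.3.0 before both of its betas, which is why the precedence rules are worth implementing rather than approximating.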

GitHub

Follow this article to search for the most recent stable release.

Known Vulnerabilities

An open-source vulnerability is a security weakness in open-source software, or in an application built on it, that can be exploited by malicious actors. Open-source software is developed in a collaborative and transparent way, where the source code is freely available for anyone to access and modify. While this development model has many advantages, it can also expose open-source software to security threats.

Open-source vulnerabilities can arise due to flaws or weaknesses in the code, which can be exploited by attackers to gain unauthorized access to systems, steal data, or cause damage to the software or system. Vulnerabilities can also result from outdated or unpatched software, which can create security gaps that can be exploited by attackers.

NuGet

NuGet has features you can use to ensure your projects are free of known vulnerabilities and, if they are not, to take action to secure your software supply chain. Follow this article to scan NuGet packages for security vulnerabilities.
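Once the scan runs in a pipeline, the output has to be turned into a decision. The following is an added example, not code from this page or from the NuGet tooling: it reads the JSON that `dotnet list package --vulnerable --include-transitive --format json` emits, flattens it into one finding per package and advisory while remembering whether the package is direct or transitive, and fails the build at a chosen severity. The report layout it expects (projects, then frameworks, then topLevelPackages and transitivePackages, each entry carrying a vulnerabilities list with severity and advisoryurl) is assumed from the SDK’s documented output; the sample report, its package names and its advisory URLs are constructed placeholders.

```python
"""Triage the JSON output of `dotnet list package --vulnerable
--include-transitive --format json` and decide whether a build should fail.
Added example, not code from the page or from the NuGet tooling. The report
shape used here (projects -> frameworks -> topLevelPackages /
transitivePackages, each with a vulnerabilities list carrying severity and
advisoryurl) is assumed from the SDK's documented output; SAMPLE_REPORT, its
package names and its advisory URLs are constructed placeholders."""
import json
import sys

# GitHub Advisory Database severities as the SDK reports them.
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}


def _rank(severity: str) -> int:
    """Unknown severities rank as Critical so a malformed entry cannot pass."""
    return SEVERITY_RANK.get(severity, SEVERITY_RANK["Critical"])


def parse_report(report_text: str):
    """Flatten the nested report into one finding per (package, vulnerability),
    recording whether the package is a direct or a transitive dependency."""
    report = json.loads(report_text)
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for scope, key in (("direct", "topLevelPackages"), ("transitive", "transitivePackages")):
                for pkg in fw.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        findings.append({
                            "project": project.get("path"),
                            "framework": fw.get("framework"),
                            "package": pkg["id"],
                            "version": pkg.get("resolvedVersion"),
                            "scope": scope,
                            "severity": vuln.get("severity", "Unknown"),
                            "advisory": vuln.get("advisoryurl"),
                        })
    return findings


def gate(findings, threshold="High"):
    """Fail when any finding meets or exceeds the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    blocking = [f for f in findings if _rank(f["severity"]) >= limit]
    return {"pass": not blocking, "blocking": blocking}


def summary_lines(findings):
    """Human-readable lines, most severe first, for the build log."""
    ordered = sorted(findings, key=lambda f: -_rank(f["severity"]))
    return [f'{f["severity"]:<9} {f["scope"]:<10} {f["package"]} {f["version"]} '
            f'({f["project"]}, {f["framework"]}) {f["advisory"]}' for f in ordered]


# Constructed report: one vulnerable direct package and one vulnerable transitive one.
SAMPLE_REPORT = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "sources": ["https://api.nuget.org/v3/index.json"],
    "projects": [{
        "path": "src/App/App.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [{
                "id": "Example.Markdown", "requestedVersion": "1.4.0", "resolvedVersion": "1.4.0",
                "vulnerabilities": [{"severity": "High",
                                     "advisoryurl": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"}],
            }],
            "transitivePackages": [{
                "id": "Example.Compression", "resolvedVersion": "2.0.1",
                "vulnerabilities": [{"severity": "Moderate",
                                     "advisoryurl": "https://github.com/advisories/GHSA-yyyy-yyyy-yyyy"}],
            }],
        }],
    }],
})

if __name__ == "__main__":
    # Pass "-" to read a real report from stdin; otherwise the constructed sample is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_REPORT
    found = parse_report(text)
    print("\n".join(summary_lines(found)) or "no known vulnerabilities")
    sys.exit(0 if gate(found)["pass"] else 1)
```

With the sample report the gate fails on the High finding in the direct package and lists the Moderate transitive one for information; raising the threshold to Critical lets the build pass, and lowering it to Low blocks on both. Keeping the transitive scope in the output matters because the fix for a transitive package is usually to bump the direct dependency that pulls it in, not the vulnerable package itself.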

GitHub

To scan your applications for vulnerable libraries, use free SCA tools like Mend, Snyk, SonarQube, or CodeSec by Contrast, which are simple to install and provide an immediate list of libraries that need updating at no cost.

Is Your Organization Already Using It?

It is highly advised to check Common Services and Integrations before searching for other libraries.
