How SCANOSS helps organisations identify, track, and manage open source licence obligations within their codebases.
Open source software powers the modern digital economy, appearing in 96% of commercial applications. Yet licence compliance remains one of the most misunderstood and mismanaged aspects of software development. Organisations routinely ship code containing undeclared open source components with conflicting licence obligations, creating legal exposure they don’t know exists.

The consequences are severe. 80% of organisations face release delays due to licence issues discovered too late in the development cycle. Legal teams scramble to assess risk during final reviews, halting deployments while engineering investigates which components introduced the violations. By that point, remediation is expensive and disruptive, requiring teams to refactor code, replace libraries, or negotiate licence exceptions under time pressure.

Yet most organisations still ask the wrong question: “Are our declared dependencies compliant?” The real question is, “What open source are we actually using, and what are our obligations?”
Modern software development creates licence compliance complexity that traditional tools cannot address. Applications routinely incorporate hundreds or thousands of open source components, each carrying specific legal obligations that must be understood and fulfilled.

These obligations are frequently:
Hidden in undeclared components: Package managers only track declared dependencies. Copied code snippets, AI generated fragments, and transitive dependencies introduce licences teams don’t know about.
Conflicting across the dependency tree: A permissive MIT component might depend on a GPL library, creating copyleft obligations that ripple through your entire application.
Version dependent: The same package may carry different licences across versions. Upgrading from 2.1.0 to 2.2.0 might introduce GPL obligations that didn’t exist before.
Misunderstood by developers: Many engineers cannot distinguish permissive from copyleft licences, or don’t understand when GPL requires releasing proprietary source code.
Inadequately documented: Even when components are detected, mapping them to accurate licence information and understanding combined obligations requires specialised knowledge.
Consider a common scenario. A development team builds a proprietary SaaS application using React (MIT licence), which depends on a utility library (also MIT), which in turn depends on a GPL-licensed package buried three levels deep in the dependency tree. No one notices until a customer’s legal team reviews the Software Bill of Materials and discovers the GPL component. Now the organisation must prove the GPL code isn’t creating derivative work obligations, or face contract breach.

The fundamental challenge is visibility. You cannot comply with obligations you don’t know you have. Package level scanning misses snippet level copying. Manifest analysis ignores undeclared dependencies. Manual review doesn’t scale. The gap between what teams think they’re using and what they’re actually shipping creates persistent compliance risk.
Multiple converging factors have made licence compliance urgent and unavoidable:

Legal and Financial Risk: Licence violations create direct legal liability. Organisations face copyright infringement claims, breach of licence terms, and potential damages. GPL violations in proprietary software can trigger requirements to open source the entire application, converting millions of pounds in proprietary IP into public code.

M&A Due Diligence: Acquisitions routinely uncover undisclosed open source licence violations during technical due diligence. These discoveries reduce valuations, create indemnification requirements, or kill deals entirely. Buyers increasingly require comprehensive licence audits before closing, with violations creating material adverse effects.

Customer Contract Requirements: Enterprise customers and government agencies increasingly require Software Bills of Materials that accurately document all components and their licences. Contracts specify acceptable licence types, prohibit copyleft in certain contexts, and require regular compliance certification. Violations create contractual breach and financial penalties.

Regulatory Pressure: Emerging regulations like the EU Cyber Resilience Act require manufacturers to document software components and their licences. Compliance becomes a market access requirement, not a best practice. Organisations that cannot produce accurate SBOMs face regulatory barriers.

Supply Chain Transparency: The software supply chain has become a focus for security and compliance. Customers, auditors, and partners demand transparency into component sources and licence obligations. Opacity creates trust problems that damage business relationships.

Open Source Community Trust: Violating open source licences damages relationships with the communities that create the software organisations depend on. Egregious violations become public, creating reputational damage that extends beyond legal consequences.

AI Generated Code Complications: AI coding assistants introduce a new dimension: code that appears original but actually replicates open source implementations, along with their associated licence obligations. Traditional compliance approaches completely miss this source of risk.
Managing licence compliance requires comprehensive visibility across the entire software composition, not just declared packages, but every code fragment, regardless of how it entered the codebase. Modern DevSecOps teams need intelligent licence detection systems capable of identifying open source at the snippet level and mapping each component to accurate licence obligations.

SCANOSS provides this intelligence through multiple complementary approaches:

Snippet Level Detection: Identify open source code fragments like copied functions, utility classes, and algorithm implementations that don’t appear in dependency manifests but carry licence obligations nonetheless.

Comprehensive Licence Knowledge Base: Query against SCANOSS’s licence dataset covering millions of open source components, mapped to SPDX standards with per version licence metadata.

Licence Classification: Automatically classify detected components as Permissive, Copyleft, Weak Copyleft, or Proprietary, enabling policy based decisions without requiring legal expertise for every component.

Conflict Detection: Identify incompatible licence combinations before they reach production, such as GPL mixed with proprietary code, conflicting copyleft obligations, and missing attribution requirements.

Transitive Dependency Analysis: Track licence obligations through the entire dependency tree, identifying indirect risks that package level tools miss completely.
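The classification, conflict detection and transitive analysis described above, and the React-to-GPL scenario earlier on the page, can be illustrated with a small, self-contained script. This is an added example written for this page, not SCANOSS code and not its API: it assumes a hypothetical resolved dependency catalogue keyed by name@version, a constructed classification table over real SPDX identifiers, and constructed package names (ui-kit, util-lib, deep-lib) alongside React. It walks the tree from a root application, reports the strongest obligation reachable from it, and flags any dependency whose classification a proprietary-application policy disallows, including the version-dependent case where one upgrade pulls in a GPL component three levels deep.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set, Tuple

# Classification of SPDX licence identifiers. The identifiers are real SPDX ids;
# the mapping is a constructed policy table for this example, not SCANOSS data.
CLASSIFICATION: Dict[str, str] = {
    "MIT": "Permissive",
    "BSD-3-Clause": "Permissive",
    "Apache-2.0": "Permissive",
    "MPL-2.0": "Weak Copyleft",
    "LGPL-2.1-only": "Weak Copyleft",
    "GPL-2.0-only": "Copyleft",
    "GPL-3.0-only": "Copyleft",
    "AGPL-3.0-only": "Copyleft",
    "LicenseRef-Proprietary": "Proprietary",  # SPDX LicenseRef form for in-house code
}

# Ordering used to find the strongest obligation that ripples up to the root.
RANK = {"Permissive": 0, "Proprietary": 0, "Weak Copyleft": 1, "Copyleft": 2}


@dataclass
class Component:
    name: str
    version: str
    spdx_id: str
    deps: List[Tuple[str, str]] = field(default_factory=list)  # pinned (name, version)

    @property
    def key(self) -> str:
        return f"{self.name}@{self.version}"


def classify(spdx_id: str) -> str:
    """Map an SPDX id to a policy class; anything not in the table needs manual review."""
    return CLASSIFICATION.get(spdx_id, "Unknown")


def build_catalogue(components: List[Component]) -> Dict[str, Component]:
    return {c.key: c for c in components}


def walk(catalogue: Dict[str, Component], root_key: str) -> Iterator[Tuple[Component, List[str]]]:
    """Depth-first walk of the resolved tree. Yields each reachable component once,
    together with the path (root -> ... -> component) that first introduced it."""
    seen: Set[str] = set()
    stack = [(root_key, [root_key])]
    while stack:
        key, path = stack.pop()
        if key in seen:
            continue
        seen.add(key)
        comp = catalogue[key]
        yield comp, path
        for name, version in comp.deps:
            child = f"{name}@{version}"
            stack.append((child, path + [child]))


def strongest_obligation(catalogue: Dict[str, Component], root_key: str) -> str:
    """Highest-ranked known classification among the root's transitive dependencies.
    The root's own licence is excluded: it is the thing the policy protects."""
    best = "Permissive"
    for comp, path in walk(catalogue, root_key):
        cls = classify(comp.spdx_id)
        if len(path) > 1 and cls in RANK and RANK[cls] > RANK[best]:
            best = cls
    return best


def find_conflicts(catalogue: Dict[str, Component], root_key: str, disallowed: Set[str]) -> List[dict]:
    """Flag each transitive dependency whose class is disallowed by policy, or whose
    licence is unknown, with the path showing how it entered the tree."""
    findings = []
    for comp, path in walk(catalogue, root_key):
        cls = classify(comp.spdx_id)
        if len(path) > 1 and (cls in disallowed or cls == "Unknown"):
            findings.append({"component": comp.key, "license": comp.spdx_id,
                             "classification": cls, "path": path})
    return findings


# Constructed catalogue: app 1.0.0 and 1.1.0 differ only in the ui-kit pin, and
# ui-kit 3.1.0 -> util-lib 2.2.0 -> deep-lib 1.0.0 brings in a GPL licence that
# deep-lib 0.9.0 did not carry (the version-dependent case from the page).
CATALOGUE = build_catalogue([
    Component("app", "1.0.0", "LicenseRef-Proprietary", [("react", "18.2.0"), ("ui-kit", "3.0.0")]),
    Component("app", "1.1.0", "LicenseRef-Proprietary", [("react", "18.2.0"), ("ui-kit", "3.1.0")]),
    Component("react", "18.2.0", "MIT"),
    Component("ui-kit", "3.0.0", "MIT", [("util-lib", "2.1.0")]),
    Component("ui-kit", "3.1.0", "MIT", [("util-lib", "2.2.0")]),
    Component("util-lib", "2.1.0", "MIT", [("deep-lib", "0.9.0")]),
    Component("util-lib", "2.2.0", "MIT", [("deep-lib", "1.0.0")]),
    Component("deep-lib", "0.9.0", "MIT"),
    Component("deep-lib", "1.0.0", "GPL-3.0-only"),
])

# Policy for a proprietary SaaS application: no strong copyleft in the tree.
PROPRIETARY_POLICY = {"Copyleft"}

if __name__ == "__main__":
    for root in ("app@1.0.0", "app@1.1.0"):
        print(root, "strongest obligation:", strongest_obligation(CATALOGUE, root))
        for f in find_conflicts(CATALOGUE, root, PROPRIETARY_POLICY):
            print("  CONFLICT", f["component"], f["license"], "via", " -> ".join(f["path"]))
```

Running it reports app@1.0.0 as Permissive with no findings, and app@1.1.0 as Copyleft with one finding whose path runs app -> ui-kit -> util-lib -> deep-lib, which is the information a legal reviewer needs to decide whether the GPL component creates derivative-work obligations. Unknown identifiers are deliberately flagged rather than ignored, since a component with no licence data is a gap in the SBOM, not a clean result.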
Licence compliance is not optional. It’s a fundamental requirement for responsible software development and a prerequisite for market access. Organisations that treat compliance as a legal afterthought face unnecessary risk, including violations discovered late, expensive remediation, delayed releases, damaged customer relationships, and potential litigation.

SCANOSS provides the detection capabilities, licence intelligence, and integration workflows needed to transform licence compliance from a reactive liability into a proactive control. By identifying open source at the snippet level where copying actually occurs, mapping components to accurate SPDX licence data, and integrating compliance checks throughout development workflows, SCANOSS enables organisations to ship confidently whilst managing legal obligations responsibly.

The goal is straightforward. Help organisations see, understand, and fulfil their open source licence obligations, turning compliance blind spots into visibility, legal risk into managed process, and licence challenges into competitive advantages built on trust and transparency.