Nearly every modern application uses open source components. License compliance failures can create significant legal and business risks in M&A transactions.
License Categories
Permissive Licenses
MIT, Apache 2.0, BSD
- Minimal restrictions
- Commercial use allowed
- Low risk for proprietary software
Copyleft Licenses
GPL, LGPL, AGPL
- Require derivative works to use same license
- GPL can "infect" proprietary code if improperly used
- AGPL extends to network use (SaaS risk)
Weak Copyleft
LGPL, MPL
- Copyleft applies only to modifications of original
- Can be linked with proprietary code
- Moderate risk profile
Assessment Approach
- Software Composition Analysis: Scan code for OSS components
- License inventory: Map all licenses in use
- Compliance review: Verify attribution and notice requirements
- Risk assessment: Identify high-risk license combinations
Red Flags
- GPL code in proprietary products without proper isolation
- AGPL in SaaS offerings
- Missing license attribution
- No open source policy or tracking
- Outdated components with known vulnerabilities
Key Takeaway: Open source compliance issues can require expensive remediation or create IP encumbrances. Scan the codebase before closing.