Safeguard
FAQ

Open Source License Compliance: Frequently Asked Questions

A clear FAQ on open-source license compliance in 2026 — permissive vs copyleft, SPDX identifiers, AGPL and SaaS, attribution obligations, license changes, and automated scanning.

Safeguard Team
Product & Security
6 min read

Open-source license compliance is the practice of tracking the licenses of every component you depend on and meeting their obligations — attribution, source disclosure, and use restrictions — across your entire dependency tree. It matters because a single strong-copyleft library buried deep in a transitive dependency can create legal obligations for an otherwise proprietary product. With dependency trees running hundreds of packages deep, compliance in 2026 is an automation problem, not a manual review problem.

Frequently Asked Questions

What is open-source license compliance? It is the process of identifying the license attached to each open-source component you use and satisfying that license's terms — which can range from a simple attribution notice to obligations to disclose source code. Compliance protects you from legal and reputational risk and preserves your ability to ship, sell, or open-source your own software. The hard part is coverage: obligations attach to transitive dependencies just as much as direct ones.

What is the difference between permissive and copyleft licenses? Permissive licenses such as MIT, Apache-2.0, and BSD impose minimal conditions — typically just attribution and preservation of the license notice. Copyleft licenses such as the GPL family require that derivative works be distributed under the same terms, which can obligate you to release source code. The practical distinction is that permissive licenses rarely constrain how you distribute your product, while copyleft licenses can.

What is the difference between weak and strong copyleft? Strong copyleft, like GPL-3.0, extends its source-disclosure obligation to the whole combined work in many distribution scenarios. Weak copyleft, like LGPL or MPL-2.0, generally scopes the obligation to the licensed component itself, so you can link to it from proprietary code with fewer strings attached. Knowing which flavor applies is essential, because the compliance burden differs sharply between them.

What are SPDX license identifiers? SPDX maintains a standardized list of short, unambiguous identifiers — MIT, Apache-2.0, GPL-3.0-or-later, and so on — so tools and documents can reference licenses precisely. Using these identifiers in manifests and SBOMs removes the ambiguity of free-text license fields and lets automation reason about obligations reliably. They are the lingua franca that connects license data across SBOMs, scanners, and policies.

Why is the AGPL a special concern for SaaS companies? The AGPL closes the so-called "SaaS loophole" by extending source-disclosure obligations to software that users interact with over a network, not just software that is distributed as a binary. That means running AGPL-licensed code inside a hosted service can trigger obligations even though nothing is shipped to the user. Many companies therefore flag or prohibit AGPL components in policy, which requires detecting them reliably across the dependency tree.

What obligations do I typically have to meet? The most common are attribution — preserving copyright and license notices, often in a bundled notice file — and, for copyleft, making corresponding source available under the same terms. Some licenses add patent-grant, trademark, or state-changes requirements. Meeting them starts with an accurate inventory, because you cannot comply with obligations you did not know you had.

What happens if a dependency has no license at all? No license does not mean free to use — under default copyright, an unlicensed work is effectively "all rights reserved," so you have no explicit permission to use, modify, or redistribute it. Depending on such a component is a real risk that license scanners flag specifically. The safe path is to seek an explicit license from the author or choose a properly licensed alternative.

How do license changes and relicensing affect me? Several prominent projects have relicensed from open-source to more restrictive "source-available" terms in recent years, moving to licenses like BUSL or SSPL that impose commercial-use restrictions. If you upgrade across such a change, your obligations can shift even though the package name did not. Watching for license changes on version bumps is now a necessary part of dependency review, not an edge case.

What is the difference between "open source" and "source-available"? "Open source" specifically means a license that meets the Open Source Initiative's definition, guaranteeing freedoms to use, modify, and redistribute. "Source-available" means you can read the code but the license imposes restrictions — for example on commercial or competing use — that disqualify it from being open source. Conflating the two leads to compliance mistakes, so policies should treat them as distinct categories.

How does license compliance connect to SBOMs and SCA? License data is a core field in every SBOM, and software composition analysis is what populates and continuously evaluates it across your full dependency graph. Generating an SBOM with SBOM Studio captures each component's SPDX license, and policy then flags conflicts automatically. In other words, license compliance and vulnerability management share the same inventory backbone.

Can license compliance be automated across a deep dependency tree? Yes, and it has to be — manually auditing licenses across hundreds of transitive packages is impractical and error-prone. Automated scanning resolves the graph, resolves each component's SPDX identifier, and evaluates it against a policy that defines which licenses are allowed, flagged, or blocked. This turns compliance from a periodic legal review into a continuous check that runs on every build.

How should a license policy be structured? A practical policy sorts licenses into tiers — allowed (typically permissive), review-required (weak copyleft and unusual terms), and blocked (often strong copyleft like AGPL for proprietary products) — and enforces those tiers automatically in CI. The policy should also handle the no-license and source-available cases explicitly. Encoding the rules once lets engineers get instant answers instead of routing every dependency through legal.

How does Safeguard help with license compliance specifically? Safeguard identifies the license of every direct and transitive component during software composition analysis and evaluates it against your policy alongside vulnerability data, so you get one view of legal and security risk. Because license detection rides on the same continuously updated inventory as CVE matching, a policy-violating license is caught on the build that introduces it. Our comparison with Black Duck walks through how this unified approach differs from standalone license tooling.

Register at app.safeguard.sh/register, or read the documentation at docs.safeguard.sh.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.