License contamination is what happens when a copyleft-licensed component — most often GPL code — is combined with proprietary software in a way that extends the copyleft license's obligations to your own code. The practical consequence: distributing the combined work can require you to release your proprietary source under the same license, stop shipping, or negotiate your way out. Sometimes called the "viral effect," contamination is not malware and not a bug — it is the license working exactly as designed, on code you may not have realized you included.
How Does License Contamination Actually Happen?
Copyleft licenses like the GNU GPL condition your right to distribute on a reciprocity requirement: derivative works must carry the same license, source included. Contamination is simply that condition attaching to more code than you intended. The common entry paths:
- Direct dependencies. A developer adds a GPL-licensed library to a proprietary product. Everything statically linked into the distributed binary is, under the mainstream reading of the GPL, part of the derivative work.
- Transitive dependencies. Your MIT-licensed dependency itself depends on a GPL component three levels down. Package managers resolve it silently; your manifest never mentions it.
- Copy-paste and vendored code. A function lifted from a GPL project into your codebase carries its license with it, README or not. AI coding assistants that reproduce licensed code verbatim have added a new variant of this old problem.
- Base images and firmware. Container images and embedded Linux stacks bundle GPL userland tools; the obligations follow the distribution of the image or device.
Which license you touch determines the blast radius. Strong copyleft (GPLv2, GPLv3) reaches the whole derivative work when distributed. AGPL goes further: network use counts as distribution, which is why many SaaS companies ban AGPL dependencies outright even though they never "ship" software. Weak copyleft (LGPL, MPL, EPL) confines obligations to the licensed component or file itself — dynamic linking against an LGPL library generally leaves your application code unaffected, provided you meet the license's conditions. Permissive licenses (MIT, BSD, Apache-2.0) impose attribution but do not contaminate.
What Are the Real Consequences — Has Anyone Been Sued?
Enforcement is rarer than vulnerability exploitation, but it is real, public, and expensive:
- The BusyBox lawsuits (2007–2009). The Software Freedom Law Center brought the first US GPL enforcement suits on behalf of BusyBox developers against consumer-electronics vendors shipping the utility in firmware without source. The defendants — starting with Monsoon Multimedia in 2007 — settled, paying and agreeing to compliance terms, and the campaign established that GPL conditions are enforceable in US courts.
- Versata v. Ameriprise (2014). A proprietary software vendor's product included a GPL-licensed component; the resulting litigation turned a customer dispute into a public examination of the vendor's copyleft exposure — cited ever since as the canonical "contamination discovered in commercial software" case.
- Software Freedom Conservancy v. Vizio (filed 2021). The SFC sued the TV manufacturer over GPL and LGPL components in SmartCast firmware, notable for asserting that consumers are entitled to the source as third-party beneficiaries — a theory a California court allowed to proceed.
Even without a lawsuit, contamination surfaces at the worst moments: technical due diligence during an acquisition or funding round routinely includes a license audit, and an unexplained GPL dependency in a proprietary codebase becomes a valuation problem, an indemnification clause, or a frantic pre-close rewrite.
How Do You Prevent License Contamination?
Treat licenses like vulnerabilities: inventory continuously, gate on policy, and remediate with engineering options rather than panic.
- Know what you ship. Generate an SBOM per build and resolve the full transitive tree — contamination risk lives disproportionately in dependencies you never chose. An SCA tool with license detection identifies each component's license, including dual-licensed and undeclared cases where headers must be read from the source itself.
- Write a license policy engineers can act on. Allow permissive licenses by default; require review for weak copyleft; block strong copyleft and AGPL in distributed or SaaS products unless legal approves an exception. Publish it — most contamination starts with a developer who had no idea a license category existed.
- Gate in CI. A lockfile change that introduces a GPL dependency should fail the pull request with an explanation, not surface six months later in an audit. Policy-as-code beats quarterly spreadsheet reviews on both speed and coverage.
- Design around copyleft where you must use it. Dynamic linking against LGPL components, process isolation (invoking a GPL tool as a separate executable over a pipe or API), or buying a commercial license from a dual-licensing vendor are all established patterns — decided with counsel, before integration.
- Audit the legacy estate. Older codebases predate all of this tooling. A one-time deep scan, including snippet-level matching for copy-pasted code, establishes the baseline the CI gate then protects. Ongoing licensing guides are collected on the Safeguard blog.
FAQ
Does using GPL software internally contaminate my code?
Generally no. GPLv2 and GPLv3 obligations trigger on distribution, and purely internal use is not distribution. The major exception is AGPL, whose obligations extend to software users interact with over a network — which is precisely why SaaS companies treat AGPL as a special case.
Can an MIT-licensed package cause license contamination?
Not by itself — MIT is permissive. But an MIT-licensed package can carry contamination if its own dependency tree includes copyleft components, or if its source contains copied GPL code. This is why scanning must cover the resolved transitive graph, not just declared top-level licenses.
Is license contamination reversible?
Usually, with engineering work: remove or replace the copyleft component, re-implement the functionality cleanly, isolate it behind a process boundary, or purchase a commercial license where the vendor dual-licenses. What does not work is quietly deleting the dependency and hoping — past distributions already carry the obligations, so remediation plans belong in writing, with counsel.
Does license contamination apply to containers and Docker images?
Yes. Distributing an image that bundles GPL-licensed binaries is distribution of those binaries, with the usual source obligations. Most base images handle this cleanly for the OS layer, but images that bake in additional copyleft tools — or ship to customers as a product — deserve the same license scanning as application code.