Safeguard
Compliance

What open source scans miss in M&A due diligence

Open source composition scans like Black Duck catch known packages and licenses — but M&A due diligence needs to catch what those scans miss too.

Marina Petrov
Compliance Analyst
8 min read

In an M&A technology audit, the open source scan is usually treated as a checkbox: run the tool, generate the report, attach it to the data room. But a composition report that lists known packages and their licenses is not the same thing as an assessment of software supply chain risk. Acquirers who rely on traditional software composition analysis (SCA) — the category Black Duck helped define — often walk away from diligence with a clean-looking license report and a blind spot around the questions that actually determine post-acquisition cost: is this codebase full of unmaintained or abandoned dependencies, are there packages that were never meant to be in production, and does the target even know what's in its own build? This piece breaks down what a standard open source scan is built to check, where that model runs into limits during a compressed diligence window, and where Safeguard's approach to supply chain visibility fills the gap — without guessing at claims we can't verify about a competitor's roadmap or pricing.

Why Due Diligence Needs More Than a Composition Report

Due diligence teams typically have days, not months, to answer three questions about a target's codebase: what's actually in it, what's the legal exposure, and what will it cost to remediate after close. Traditional open source scanning tools were designed to answer a narrower version of that first question — "which known components are present, and what license do they carry" — because that was the dominant risk in the 2010s, when GPL contamination and license incompatibility were the headline concerns for legal teams.

That framing still matters, but it's incomplete for 2026-era supply chain risk. Modern diligence has to account for dependency confusion attacks, typosquatted packages, abandoned maintainers, malicious code injected into legitimate-looking updates, and SBOM gaps that make it impossible to even answer "what's in here" with confidence. A scan that returns a clean license report can coexist with a codebase that has a compromised transitive dependency, an unpatched critical CVE with a public exploit, or dozens of packages that no acquirer would knowingly inherit. The gap isn't that composition scanning is wrong — it's that it answers a 2015 question with 2015-era tooling, in a market where the risk surface has moved.

What Does a Traditional SCA Scan Like Black Duck Actually Check?

Black Duck (originally Black Duck Software, later part of Synopsys's software integrity group, now operating independently again as Black Duck Software) built its category around software composition analysis: matching code against a large knowledge base of known open source components to identify what's present, which license governs each component, and which known CVEs are associated with each version. This is done primarily through dependency manifest analysis and binary/snippet matching against that knowledge base — a well-established and genuinely useful approach for license compliance and known-vulnerability inventory.

That's a real and verifiable capability, and it's the right tool for the job it was built for: telling legal and compliance teams which licenses are in the stack and whether any trigger copyleft obligations. What it's structurally not built to do is act as a full supply chain risk platform — because matching against a knowledge base of known components, by definition, is strongest on catalogued, previously-seen packages and weaker on the parts of a codebase that don't match anything in the catalogue.

Where Do Signature-Matching Tools Miss Supply Chain Risk?

This is the part of due diligence that gets glossed over most often. Composition and signature matching is excellent at telling you "this is lodash 4.17.11, here's its license, here's its known CVEs." It's much less equipped to answer questions like:

  • Is this dependency still maintained, or did the maintainer disappear two years ago, leaving the acquirer to inherit an unpatchable component?
  • Does the target's manifest reflect what's actually shipped in production, or is there drift between declared and installed dependencies — the exact gap that produces an inaccurate SBOM?
  • Are any packages typosquats or lookalikes of legitimate libraries, introduced accidentally by a developer during a late-night dependency install?
  • Has a dependency's publish history shown a suspicious ownership transfer or a version bump that doesn't match its source repository?

These aren't hypothetical edge cases — they're the exact mechanisms behind well-documented supply chain incidents across the npm, PyPI, and RubyGems ecosystems over the past several years. A diligence process anchored entirely on "what license and known-CVE data does the composition scanner return" doesn't have a native mechanism to surface any of the above. Safeguard's platform is built specifically to answer these questions: it maps dependency provenance, flags maintainer and package-health anomalies, and produces a verified SBOM that reflects the built artifact rather than just the declared manifest — the concrete, verifiable difference being that Safeguard's diligence output is a provenance-and-health assessment layered on top of composition data, not a composition report alone.

License Compliance vs Supply Chain Risk: Are They the Same Audit?

No, and treating them as interchangeable is one of the more expensive mistakes in a rushed M&A timeline. License compliance is a legal question: does this component's license create an obligation (attribution, source disclosure, copyleft propagation) that affects how the acquirer can use, sell, or relicense the acquired product. Supply chain risk is an operational and security question: can this codebase be trusted, is it currently under attack, and what will it cost to keep secure after close.

Black Duck's knowledge base and matching engine are oriented toward the first question, which is a legitimate and long-standing use case — legal teams need that data and will continue to need it regardless of which vendor produces it. Safeguard doesn't compete on rebuilding a license knowledge base; instead, Safeguard's differentiated, verifiable capability is combining dependency inventory with real-time package health, maintainer activity, and known-malicious-package intelligence, so a due diligence report can flag "this component carries acceptable license terms but has a maintainer who vanished after a suspicious ownership transfer" — a finding that a license-focused report has no reason to surface, because it isn't a license problem.

Can a Point-in-Time Scan Survive a 100-Day Integration Plan?

Due diligence produces a snapshot. Integration takes months. The open source ecosystem doesn't pause during that gap — new CVEs get disclosed, packages get abandoned, and dependency confusion attacks target specific naming patterns that only become visible after the deal closes and engineering teams start merging codebases. A one-time composition scan delivered as a PDF in the data room answers "what did this look like on the day we scanned it," which is a reasonable deliverable for a point-in-time legal review, but it doesn't extend into the integration period when the acquirer actually needs to start remediating.

This is where continuous monitoring — not just a diligence-day scan — becomes the concrete differentiator worth asking about in any vendor conversation. Safeguard's platform is designed to carry the diligence baseline forward into continuous monitoring after close, so the acquiring team isn't starting integration with a stale report; they're starting with a live view of the same dependency graph that was assessed during diligence, updated as new risk emerges. Whether a given composition-analysis vendor offers an equivalent continuous-monitoring handoff as part of an M&A engagement is a question worth asking directly in due diligence vendor selection — it's not something we'll assert on their behalf.

How Safeguard Helps

Safeguard is built for the questions that matter once the composition report is already in the data room. For M&A audits specifically, that means:

  • Verified SBOM generation from the actual build, not just the declared manifest, so acquirers see dependency drift before it becomes a post-close surprise.
  • Maintainer and package-health signals layered on top of standard vulnerability and license data, surfacing abandoned, recently-transferred, or anomalous packages that pure composition matching won't flag.
  • Malicious and typosquat package detection across the dependency tree, addressing a risk category that sits outside a traditional known-component knowledge base by design.
  • A diligence-to-integration handoff, so the same risk baseline established during the audit carries into continuous monitoring after the deal closes, instead of going stale the day the report is delivered.
  • Clear separation of legal and security findings, so compliance teams get license clarity and security/engineering teams get an actionable remediation list — without forcing one report to do both jobs.

For deal teams evaluating open source due diligence M&A software audit tools, the practical takeaway is straightforward: composition and license scanning remains necessary, but it was never designed to be the whole audit. Pairing it with a supply chain risk platform built for provenance, maintainer health, and post-close continuity closes the gap between what a scan reports and what an acquirer actually needs to know before the ink dries.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.