When you incorporate open source (OS) code into larger programs, it is risky to assume that the official license for the project is the only license you need to comply with. This is true even if the only OS code your company consumes comes from software projects with permissive rather than copyleft licenses. (For an explanation of the difference between copyleft and permissive OS licenses, and why copyleft-licensed code cannot be used in proprietary applications, please see this earlier post about OS license types ). Any OS component could be subject to a myriad of OS licenses that you might be unable to identify without performing a source code audit and scan. This is why regular use of source code scanning tools (a.k.a. software composition analysis software) is essential to any open source compliance program.