The primary activities involved in open source license compliance include identifying all open source software components, tracking and documenting their licenses, reviewing and approving usage, fulfilling license obligations such as attribution and source code distribution, conducting regular audits, and maintaining compliance records to ensure ongoing legal adherence.
Identification and Inventory
Organizations must identify every open source component used in their software, including dependencies and transitive packages, and compile a software bill of materials listing the origin and applicable license for each item.
License Review and Approval
Legal and engineering teams review the identified licenses, assess compatibility and restrictions (e.g., copyleft requirements), and approve or deny the inclusion of given components, documenting obligations that must be met upon release.
Obligations Fulfillment
Compliance means meeting the explicit requirements of each license: providing attribution, including license notices, distributing source code when necessary, and maintaining proper documentation and disclosures in product releases.
Continuous Monitoring and Auditing
Regular code reviews, audits, and automated scans are performed to track new or changed open source components, ensuring ongoing compliance and immediate mitigation of identified violations or risks.
Recordkeeping and Documentation
Organizations maintain detailed compliance records, including copies of licenses, proof of attribution, fulfillment measures, and audit trails to demonstrate compliance in case of legal inquiry or product release.
These core activities are often embedded in a formal compliance program and supported by automated tools—such as software composition analysis, license management platforms, and CI/CD integrations—to reduce manual errors and improve efficiency.