The Due Diligence That Went Sideways
Mark Chen, CTO of ApexLedger, was feeling good. His fintech startup had built a novel reconciliation engine for digital asset exchanges. After three years of bootstrapping, a top-tier VC firm was circling with a term sheet for a $10 million Series A. The final step was technical due diligence. "They sent over their standard checklist," Mark recalled. "Infrastructure, security posture, architecture diagrams. The last item was 'Open Source License Compliance.' I figured we were clean. We used popular libraries. How bad could it be?"
He assigned his lead engineer, Sam, to run a scan. They used a basic free tool that parsed their package.json and pom.xml files. The initial report listed 1,247 dependencies. "The number was staggering, but not unusual for a modern Node.js and Java stack," Sam said. "The tool flagged about fifty licenses: MIT, Apache 2.0, BSD. It looked fine." They forwarded the report to the VC's external audit firm, Blackthorn Partners.
Forty-eight hours later, Mark's phone rang. It was Sarah Vance, the lead auditor at Blackthorn. Her tone was flat, professional, and utterly terrifying.
"Mark, we've completed our preliminary analysis of your codebase. We've identified 417 direct and transitive dependencies with problematic licensing. This includes 23 instances of GNU GPL v3 code, 14 instances of AGPL code, and several libraries with custom commercial-use prohibitions. Your core transaction engine appears to be statically linked to GPL-licensed cryptographic libraries. This creates a copyleft contamination risk for your entire proprietary codebase. We cannot proceed with the investment until this is remediated."
Mark felt the floor drop away. "What does that mean, 'remediated'?"
"It means," Sarah said, "you must either remove or replace every violating dependency, or you must open-source your entire proprietary engine under the GPL. The VC's legal team views the latter as a non-starter. You have a week to provide a mitigation plan."
Digging Into the Dependency Hell
The team gathered in a state of shock. ApexLedger's "secret sauce" was a complex event-processing pipeline. To build it quickly, they'd pulled in libraries from GitHub, npm, and Maven Central, often copying snippets from Stack Overflow and tutorials without a second thought. "We were moving fast," Sam admitted. "If a library solved a problem—a faster JSON parser, a niche hashing function—we just npm installed it. We never read a license file in our lives."
They needed a deeper scan. The free tool had only looked at declared top-level licenses. The contamination was in the transitive dependencies—the libraries that their libraries used. A benign MIT-licensed package could pull in a GPL-licensed deep dependency. They turned to a professional-grade code scanning platform, feeding it their entire monolithic repository.
The new report was a 300-page PDF of legal peril. It didn't just list dependencies; it mapped the provenance and propagation of every license through their dependency tree. It also found something worse: code snippets copied directly from GPL-licensed projects on GitHub, embedded in their proprietary classes.
// In ApexLedger's proprietary CryptoUtils.java
public static byte[] generateSecureHash(byte[] input) {
// Snippet copied from GPLv3 project 'LibCryptoHelpers' on GitHub
MessageDigest md = MessageDigest.getInstance("SHA3-256");
// ... 15 lines of identical code ...
return md.digest();
}"That was the moment I knew we were screwed," Mark said. "It wasn't just a dependency. We had literally copied GPL code into our core. That's a willful violation. The copyright holder could sue for damages and seek an injunction on our product."
The Three Categories of Violation
The audit firm categorized the violations into three buckets, each with a different level of fire.
- Category 1: Direct GPL/AGPL Linking. Their Java engine used a high-performance networking library, `jnet-express`, which was dual-licensed as GPL or commercial. They used the GPL version. This meant their entire JVM process, containing their proprietary code, was likely considered a "derivative work" under the GPL, forcing them to open-source everything.
- Category 2: Transitive "Copyleft" Contamination. A popular MIT-licensed data visualization widget they used in their admin dashboard pulled in a smaller charting library that was licensed under LGPL. While less severe than GPL, it still imposed obligations they were not meeting, like providing source code for that library.
- Category 3: Direct Code Snippet Copying. The most egregious. Developers had copied functions from GPL projects, Stack Overflow answers with unclear licenses, and even snippets from a university's copyrighted course materials.
The One-Week Triage
The engineering team worked 20-hour days. Their strategy was triage:
- Eliminate: For Category 1 violations, they searched for alternative libraries with permissive licenses (MIT, Apache 2.0). Replacing `jnet-express` required rewriting a critical networking layer, a task estimated at two months. They did it in six days, introducing three major bugs in the process.
- Isolate and Comply: For the LGPL widget (Category 2), they had to ensure it was dynamically linked. This involved repackaging their application and providing clear attribution and source code links in their documentation—a process they never knew was required.
- Excise and Rewrite: For copied snippets (Category 3), they had to delete the offending code and re-implement the functionality from scratch. This was humiliating and time-consuming. "We found a sorting algorithm copied from a GPL project," Sam said. "We replaced it with a call to the standard library. It had been there for two years."
They used Codequiry's code similarity scanning not to find student cheaters, but to find plagiarized code within their own codebase. "We ran our code against a corpus of known open-source projects," Mark explained. "It highlighted every lifted snippet in bright red. It was a gut punch, but it showed us exactly what to fix."
The Fallout and the Fix
After a week, they presented a 50-page mitigation report to Blackthorn Partners. They had fixed 80% of the critical violations. The remaining 20% were in deprecated parts of the codebase, which they committed to removing before the next release. The VC's legal team was skeptical but impressed by the effort. The deal closed, but with a 15% reduction in valuation and a new set of covenants.
"The investment was conditional on implementing a continuous open-source license scanning pipeline," Sarah Vance noted. "We mandated it be part of their CI/CD. Any pull request that introduces a new dependency with a non-permissive license must be flagged and approved by both legal and tech leadership. It's a tax on their velocity, but it's non-negotiable."
The ApexLedger team now runs a scanning tool on every commit. Their .gitlab-ci.yml file has a mandatory compliance stage:
stages:
- test
- license_scan
- deploy
license_compliance:
stage: license_scan
image: scanner-image:latest
script:
- /scanner --dir . --report-format json --fail-on GPL3,AGPL
allow_failure: falseWhat Every Engineering Leader Must Know
Mark Chen now speaks about this experience at tech conferences. His lessons are hard-won:
- License Ignorance Is Not a Defense. In the eyes of the law and investors, "we didn't know" is irrelevant. The obligation is on the user to comply.
- Transitive Dependencies Are the Silent Killers. You must scan your full dependency tree, not just your direct imports. Tools like FOSSA, Snyk, and Black Duck specialize in this.
- Code Snippet Copying Is Plagiarism, Legally. Copying 10 lines from a GPL file into your proprietary code can infect the entire file, or more. Treat internal code originality with the same seriousness as academic integrity.
- Compliance Is a Feature, Not a Chore. Bake it into your development lifecycle. A clean bill of legal health is an asset that increases your company's valuation and salability.
"We got lucky," Mark concludes. "We were forced to fix it during due diligence. If we had discovered this after the investment, or worse, after a copyright holder sent us a cease-and-desist, we would have been litigated out of existence. That $10 million investment wouldn't have gone to growth. It would have gone to lawyers."
He looks at his team's now-mandatory license dashboard. It's green. "That green light," he says, "is the most important feature we ship."