In a merger and acquisition (M&A) tech transaction where the code is much of the value, acquirers want to ensure that the components used are properly licensed. If they are not, the purchaser might be exposed to legal issues that they will need to address. In 2021, 78% of the code that Black Duck audited consisted of third-party components. And although much of the focus is on open source software, codebases often contain third-party commercial software as well, some of which the seller may not even be aware of. This aspect of software due diligence is just as important as finding open source artifacts, and a Black Duck® audit can help to address it.
There are a lot of automated tools available for performing software composition analysis on a codebase. When Black Duck performs an audit for M&A transactions, we use a range of tools that do a forensic dive into the codebase, and then human auditors confirm or exclude and supplement those findings. We are the industry standard for creating an open source software Bill of Materials (SBOM), and we also identify components in a codebase from third-party commercial vendors.
We find code from commercial vendors by manually inspecting the results of a forensic scan of the codebase. Some commercial and proprietary components can be identified via our extensive KnowledgeBase™, but the majority of these identifications are made when auditors perform deeper analysis of the code.
The sophisticated string searches we employ include about 200 targeted search patterns of various types that aid in this analysis. We also look at metadata in various binary file formats. These techniques uncover open source components that automation may overlook, and they also uncover company copyrights and end user license agreements (EULAs) in files.
Once these indications of commercial software are found, the auditor researches what company may have supplied this code. The resulting report sorts the information into categories for easy consumption. The report includes a “needs research” category that includes components with customized and nonstandard licenses. This shines a light on licenses that need review and helps legal teams understand what kind of remediation work will be required.
Dual-licensed items are a category of components that falls between open source and commercial code. These components are offered under a reciprocal or a commercial license, and that can have interesting implications. We will dedicate a future blog to this classification of component, but in short, the acquisition target either needs to have a commercial license or must comply with a noncommercial open source license.
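As an added illustration of the indicator searches and report categories described above (example code written for this post, not Black Duck's tooling), the small Python scanner below searches file contents for EULA, copyright, commercial-licence and reciprocal-licence indicators and buckets each file as commercial, dual-licensed, open source or needs research. Every path, vendor and licence text in SAMPLE_FILES is constructed; `load_tree` reads a real checkout as latin-1 so that printable strings embedded in binaries are searched as well.

```python
import re
from pathlib import Path
# Constructed sample "files" standing in for a scanned codebase; every path, vendor and licence text is hypothetical.
SAMPLE_FILES = {
    "lib/pdfkit/README.txt": ("PDFKit SDK v3.1\nCopyright (c) 2019 Acme Document Systems, Inc. All rights reserved.\n"
                              "END USER LICENSE AGREEMENT\nRedistribution of runtime files is permitted only with..."),
    "vendor/fastmq/LICENSE": "FastMQ is licensed under the GNU GPL v3 or a commercial license from FastMQ Ltd.",
    "third_party/tinyjson/tinyjson.h": "/* Copyright (c) 2020 Jane Example\n   MIT License: Permission is hereby granted... */",
    "assets/fonts/CorpSans.txt": "CorpSans Font Software. Free for personal use; embedding requires a separate license.",
}
# Indicator patterns grouped by what they signal: a small stand-in for the ~200 targeted searches the audit describes.
INDICATORS = {
    "eula": re.compile(r"end[- ]user licen[cs]e agreement|\bEULA\b", re.I),
    "proprietary": re.compile(r"all rights reserved|proprietary and confidential", re.I),
    "commercial": re.compile(r"commercial licen[cs]e", re.I),
    "reciprocal": re.compile(r"\b[AL]?GPL\b|GNU General Public License", re.I),
    "permissive": re.compile(r"\bMIT License\b|\bApache License\b|\bBSD\b", re.I),
    "redistribution": re.compile(r"redistribut", re.I),
    "restricted_use": re.compile(r"personal use|non-?commercial|separate licen[cs]e", re.I),
}
COPYRIGHT = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*[\d,\-\s]*([^.\n]+?)(?:\.|\s+All rights|$)", re.I | re.M)

def classify(text):
    """Bucket one file's text the way the audit report does, and record what an acquirer should check."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    holders = [h.strip() for h in COPYRIGHT.findall(text)]
    if hits["reciprocal"] and hits["commercial"]:
        category = "dual-licensed"      # needs a purchased commercial licence or compliance with the reciprocal one
    elif hits["eula"] or hits["commercial"] or (hits["proprietary"] and not hits["permissive"]):
        category = "commercial"         # confirm a licence was bought, or that redistribution terms are met
    elif hits["restricted_use"] or (holders and not (hits["permissive"] or hits["reciprocal"])):
        category = "needs research"     # customised/nonstandard terms, or a copyright with no licence text
    elif hits["permissive"] or hits["reciprocal"]:
        category = "open source"
    else:
        category = "no license indicators"
    return {"category": category, "holders": holders, "redistribution_terms": hits["redistribution"],
            "indicators": sorted(k for k, v in hits.items() if v)}

def load_tree(root):
    """Read every file under root as latin-1 so that strings embedded in binaries are searched too."""
    return {str(p.relative_to(root)): p.read_bytes().decode("latin-1")
            for p in Path(root).rglob("*") if p.is_file()}

def scan(files):
    """Group paths by category; pass load_tree(root) for a real checkout, SAMPLE_FILES for the demo."""
    report = {}
    for path, text in files.items():
        report.setdefault(classify(text)["category"], []).append(path)
    return report
```

The pattern list is deliberately short; in practice the "needs research" bucket is where a legal reviewer spends most time, so keeping the copyright holders and matched indicators in each result is what makes that follow-up tractable.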
Although a target discloses, to the best of its knowledge, the commercial software it employs in its codebases, we usually find components that come as a surprise to the target. Frequently these components are redistributable components—components that can be used if you comply with redistribution terms—so acquirers should confirm that those terms are being complied with. Other commercial components may require additional research to make sure a commercial license has been purchased.
We also find commercial components that have an open source license option or have contributed to open source projects with a compatible license. There are also open source libraries that are for personal and noncommercial purposes, but that require permission or a commercial license to be used in the target’s software. Third-party fonts are common as well, and like proprietary software, they require compliance with a EULA.
We often hear from third-party legal partners that complying with the terms of the commercial software used in a product is just as important as understanding the license requirements of open source components in a codebase. As that perspective grows, we expect more clients will be equally interested in the third-party commercial components documented during audits. Using an audit service that has the tools and expertise to discover commercial software is essential to creating a complete SBOM.
The 2022 “Open Source Security and Risk Analysis” (OSSRA) report published by Black Duck documents the amount of open source we find in engagements performed over a year. We track the commercial components we discover as well. Gary Armstrong, a researcher at the Black Duck Cybersecurity Research Center (CyRC), which curates and validates this data, provided these metrics regarding commercial software found between 2019 and 2021.
Checking for license compliance in M&A due diligence is important for determining all the elements that comprise the product. A Black Duck audit can provide a deeper understanding of all those pieces, including potential commercial components.