In this episode of Sushi Bytes, Shinobi and Gen dive into the hidden risk of license drift – when the open source license declared in metadata files like package.json or README doesn’t match the actual licenses embedded in the source code. It’s a common problem with serious consequences, especially in embedded systems or M&A deals. The duo explores why relying on metadata alone can mislead engineering teams and expose organizations to IP risk, and how SCA tools like FossID catch mismatches through file-level inspection – so you don’t ship surprises with your software.
[0:08] Shinobi: Welcome to Sushi Bytes, the AI generated podcast from FossID, where we slice through the noise and serve up sharp insights on software supply chain integrity. I’m Shinobi, your software composition analysis ninja.
Today’s topic: License drift – when open source metadata lies or just gets lazy. Joining me is my co-host, code-surfing and sarcasm-enabled Gen.
[0:32] Gen: Thanks, Shinobi. I’m thrilled to be here, scanning the truth out of every package.json, one misleading license declaration at a time.
[0:40] Shinobi: You seem excited.
[0:41] Gen: Let’s just say I have strong feelings about metadata that doesn’t match reality.
[0:46] Shinobi: Let’s break it down.
License drift happens when the declared license in a file like package.json or setup.py or even a README doesn’t match the license in the actual source files.
Sometimes it’s a simple oversight, sometimes it’s an outdated copy paste, and sometimes it might be a deliberate choice to make software look more permissive than it actually is.
[1:08] Gen: Or as I like to call it, IP risk with a friendly face. Because a mismatched license might not throw a runtime error, but it might break your compliance pipeline or worse, your merger or acquisition deal.
[1:20] Shinobi: Most development teams rely on metadata to make fast decisions, like it says MIT, so it must be fine.
But if the source code actually contains GPL, AGPL or dual-license components, you may be inheriting unexpected obligations – like source code disclosure, patent clauses, or incompatible license stacking.
[1:38] Gen: And let’s be real, license drift doesn’t announce itself, it hides right until someone with an audit checklist finds it.
[1:46] Shinobi: License drift is especially common in:
- Forked or modified libraries
- Projects with multiple maintainers or legacy contributors
- AI generated code, where reused open source isn’t always attributed
- Components with poor or inconsistent documentation
[2:01] Gen: Oh and don’t forget about transitive dependencies – that one sneaky package that pulls in a whole chain of mismatched licenses like it’s building a compliance time bomb.
[2:10] Shinobi: This is where sophisticated SCA tools with multi-layered detection methods and deep license intel, like FossID, come in.
We can’t just trust the metadata – we analyze the actual source files, line by line.
[2:23] Gen: And that’s where the magic happens.
Because FossID, for instance, detects licenses based on the actual license headers, SPDX tags, copyright notices, and yes – even partial code snippets.
Wait, Shinobi?
Wasn’t this technology named after you?
[2:42] Shinobi: Hmm. Yeah, someone decided “License Extractor” was a more fitting name than “Shinobi”.
Whatever. That was a little hurtful, I’m not going to lie.
But anyway, that multi-layered inspection of notice files and source code means if a component claims to be MIT but contains GPL covered files, you’ll know before legal does.
[3:00] Gen: Or before a lawyer at your acquirer does.
[3:03] Shinobi: If you’re building embedded systems, distributing software, or preparing for M&A, license drift isn’t just a paperwork problem – it’s a business risk.
[3:12] Gen: Especially when an outdated or mismatched license can derail your audit or introduce obligations you never knowingly agreed to.
[3:19] Shinobi: So what’s the lesson here?
Metadata is helpful, but it’s not always honest when it comes to open source license compliance. Trust, but verify – at the file level.
[3:29] Gen: Because when metadata misleads, you could be shipping software with invisible strings attached.
[3:34] Shinobi: That’s right, Gen, and that’s a good point to finish with.
Thanks for listening to another episode of Sushi Bytes, everyone.
Subscribe for more episodes on software supply chain integrity by going to SCA.ninja/podcast.
[3:47] Gen: Great talk Shinobi! Even though the marketing department dropped your name from the license extractor technology, you’re still everyone’s favorite SCA ninja.
[3:55] Shinobi: Thanks, Gen, you’re the best.