
Comparing Declared and Discovered OSS Licenses

November 25, 2025 · Cortez Frazier Jr.

Determining the license(s) that cover an open source project requires more than a quick look at the LICENSE.txt file.

Yes, LICENSE.txt (and similar files) contains important information about the maintainer’s stated license for a particular project — in other words, the declared license for that component.

But there’s another type of license that compliance professionals should keep in mind as well: discovered licenses. Discovered licenses aren’t explicitly declared by the maintainer, but license scanning tools like FOSSA can uncover them.

Ultimately, open source users are responsible for complying with both declared and discovered licenses. But there are some nuances to be mindful of as you consider compliance strategies.

What Are Declared Open Source Licenses?

Declared licenses are the licenses that open source maintainers explicitly publish to govern how their code may be used. A declared license reflects the original intention of the maintainer.

You’ll typically find declared licenses in familiar places:

  • The project’s repository or package registry metadata (e.g., the GitHub license field, npm, Maven Central)
  • LICENSE or COPYING files within the repository
  • Manifest files such as pom.xml for Java projects or package.json for npm packages

There’s no universal rule for where a license must be declared, so compliance professionals should check multiple sources to confirm which license a maintainer intends to apply.

What Are Discovered Open Source Licenses?

Discovered licenses are those identified by scanning tools or manual analysis within the codebase — but not formally declared by the maintainer. They appear when license text, license headers, or identifiers (such as SPDX-License-Identifier tags) are found in the source files of a dependency, and they can differ from the declared license.

For example, a project might declare an MIT license but contain a file copied from a GPLv3-licensed library. That GPL license — if valid and not just a false positive in a README or test fixture — applies to that file and therefore to the project that incorporates it (and creates additional obligations for the end-user).

It’s important to note that although we at FOSSA use the term “discovered licenses” to refer to this type of license, others might say “embedded” or “nested” licenses. (And, technically speaking, there can be differences between types of discovered licenses.) The bottom line, though, is that just like declared licenses impact the end-user’s set of compliance obligations, so too do discovered licenses.

Managing Declared and Discovered Licenses in Compliance Programs

Like I mentioned, the key takeaway here is that both license types matter. Overlooking discovered licenses because the declared license looked permissive is one of the most common compliance mistakes we tend to see.

The practical implication of the legal relevance of discovered licenses is that your compliance program should account for them as well. Consider best practices, such as:

  • Always scanning deeply for discovered licenses. Don’t rely only on registry metadata.
  • Implementing clear policy rules that evaluate license restrictiveness in context. For instance, LGPL obligations differ depending on whether a library is statically or dynamically linked.
  • Using tooling that scans every file, not just top-level manifests, to ensure no hidden license text slips through.

What if the Declared and Discovered Licenses Have Different Obligations?

In software licensing, you will sometimes encounter what’s known as a dual license. Dual licensing refers to the scenario where the end-user has a choice between two (or more) licenses. For example, a developer might offer a piece of software under the end-user’s choice of AGPL or a commercial license.

However, unless explicitly stated otherwise, this choice-of-license scenario does *not* apply to situations where there is a declared license and discovered license(s) with different obligations. Rather, the relationship between declared and discovered licenses is that of an AND; organizations must comply with the obligations of both licenses. This can include preserving copyright notices, reproducing license text, or even disclosing source code.
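To make the scanning practices above and the AND relationship concrete, here is a toy declared-versus-discovered comparison written for this article. It is an added example, not FOSSA’s scanner or any project’s own code, and it makes several assumptions that are not from the original post: the project is an npm package whose declared license is the SPDX expression in package.json (plus any top-level LICENSE/COPYING text), discovered licenses are found by matching a handful of hand-picked license signatures against every file, README/NOTICE/test paths are flagged as low-confidence noise rather than discarded, and the obligation table is a deliberately simplified illustration, not legal advice. The sample file tree is constructed inline.

```python
"""Toy declared-vs-discovered license comparison (added example, not FOSSA's scanner).

Assumptions (not from the article): declared license = package.json "license"
field plus top-level LICENSE/COPYING text; discovered licenses = hand-picked
signatures matched against every other file; obligation table is illustrative.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample tree (path -> file content). Not a real project.
SAMPLE_TREE = {
    "package.json": json.dumps({"name": "example-widget", "version": "1.0.0", "license": "MIT"}),
    "LICENSE": "MIT License\n\nPermission is hereby granted, free of charge, to any person ...\n",
    "src/index.js": "// SPDX-License-Identifier: MIT\nmodule.exports = {};\n",
    "src/vendor/fastmath.js": (
        "/*\n * This file is part of libfastmath.\n"
        " * Licensed under the GNU General Public License version 3.\n */\n"
        "function f() {}\n"
    ),
    "README.md": "Some bundled code is under the GNU General Public License version 3; see NOTICE.\n",
    "test/fixture_gpl.txt": "GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 ...\n",
}

# Hand-picked signatures -> SPDX identifier. A real scanner matches full license texts.
SIGNATURES = [
    (re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 3", re.I), "GPL-3.0-only"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
    (re.compile(r"Apache License,?\s+Version 2\.0", re.I), "Apache-2.0"),
]
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")

# Simplified obligation model, for illustration only (assumption, not legal guidance).
OBLIGATIONS = {
    "MIT": {"preserve-copyright-notice", "reproduce-license-text"},
    "Apache-2.0": {"preserve-copyright-notice", "reproduce-license-text", "note-modifications"},
    "GPL-3.0-only": {"preserve-copyright-notice", "reproduce-license-text", "disclose-source"},
}

# Files that state the maintainer's declared license.
DECLARATION_FILES = re.compile(r"^(LICENSE|LICENCE|COPYING)(\.[A-Za-z]+)?$")
# Paths where license mentions are usually prose or fixtures, not code under that license.
NOISE = re.compile(r"(^|/)(README[^/]*|NOTICE|CHANGELOG[^/]*|tests?/.*)$", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    license: str
    confidence: str  # "high" for source files, "low" for README/test paths


def _match_signatures(content):
    found = set(SPDX_TAG.findall(content))
    for pattern, spdx in SIGNATURES:
        if pattern.search(content):
            found.add(spdx)
    return found


def declared_licenses(tree):
    """Licenses the maintainer states: manifest field plus top-level LICENSE/COPYING text."""
    declared = set()
    manifest = tree.get("package.json")
    if manifest is not None:
        field = json.loads(manifest).get("license")
        if field:
            declared.add(field)
    for path, content in tree.items():
        if DECLARATION_FILES.match(path):
            declared |= _match_signatures(content)
    return declared


def discover_licenses(tree):
    """Scan every non-declaration file; tag README/test hits as low-confidence."""
    findings = []
    for path, content in sorted(tree.items()):
        if path == "package.json" or DECLARATION_FILES.match(path):
            continue
        confidence = "low" if NOISE.search(path) else "high"
        for spdx in sorted(_match_signatures(content)):
            findings.append(Finding(path, spdx, confidence))
    return findings


def compare(tree):
    """Declared AND discovered: obligations are the union, never a choice."""
    declared = declared_licenses(tree)
    discovered = {f.license for f in discover_licenses(tree) if f.confidence == "high"}
    obligations = set()
    for spdx in declared | discovered:
        obligations |= OBLIGATIONS.get(spdx, set())
    return {
        "declared": sorted(declared),
        "discovered": sorted(discovered),
        "undeclared": sorted(discovered - declared),
        "obligations": sorted(obligations),
    }


if __name__ == "__main__":
    print(json.dumps(compare(SAMPLE_TREE), indent=2))
    for finding in discover_licenses(SAMPLE_TREE):
        if finding.confidence == "low":
            print("review manually:", finding)
```

On the sample tree the declared license is MIT, but src/vendor/fastmath.js carries a GPLv3 header, so GPL-3.0-only shows up as an undeclared discovered license and the combined obligation set gains disclose-source rather than losing the MIT notice requirements. The README and test fixture also mention GPLv3; they are reported as low-confidence for manual review instead of silently inflating the result, which is the false-positive caveat from the GPL example above.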

The Bottom Line on Declared and Discovered Licenses

Declared licenses tell you what the maintainer intended. Discovered licenses reveal what’s actually in the code. For compliance professionals, both perspectives are essential.

Deep scanning, strong internal policies, and continuous monitoring are the keys to managing license obligations accurately — and avoiding costly surprises when declared and discovered licenses don’t align.

For more information on FOSSA’s license compliance automation solution, please visit our website or get in touch with our team.
