B2B open-source forks

Find your obligations before your fork becomes a legal, product or security risk.

An operational diagnostic for companies modifying, hosting, redistributing or selling products based on open-source code.


What the diagnostic covers

AGPL/GPL obligations

Trigger analysis: distribution, SaaS, modification, combination, libraries, modules and network access.

Corresponding source

Evidence check for complete source, build scripts, patches, notices, instructions and delivery method.

Attribution and notices

Review of licenses, copyrights, NOTICE files, third-party credits, product mentions, docs and customer archives.

Proprietary plugins

Boundary analysis between open-source core, internal extensions, interfaces, linking, packaging and license terms.

SBOM and SCA

CycloneDX/SPDX inventory, transitive dependencies, SBOM maturity scoring and critical component prioritization.

Component security risk

CVE exposure, maintainability, abandoned projects, available fixes, divergent forks and upgrade planning.

Remediation checklist

Each item maps to expected evidence and a concrete remediation action.

  1. Map components and licenses with version, provenance and product usage.
  2. Identify strong copyleft, weak copyleft and permissive obligations by exposure surface.
  3. Verify corresponding source is reproducible and deliverable to customers or users.
  4. Separate proprietary plugins with documented interfaces and a defensible packaging strategy.
  5. Generate a CycloneDX or SPDX SBOM and integrate it into the release process.
  6. Prioritize exploitable vulnerabilities and components without active maintainers.
  7. Prepare an executive report: risks, evidence, action owners, deadlines and estimated cost.
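As an added illustration of steps 2, 3 and 6 (not the diagnostic's own tooling), the following Python reads a constructed CycloneDX document and applies simplified trigger rules: AGPL obligations on network use of modified code or on distribution, GPL on distribution, LGPL on distribution of modified or statically linked code, attribution for permissive licenses; it then lists components affected by a critical-rated vulnerability. The SPDX class sets, the `fork:*` properties and the vulnerability id are assumptions and placeholders, not values from this page.

```python
import json
# Simplified SPDX license classes (assumption; a real audit also handles exceptions and dual licensing).
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"}

# Constructed CycloneDX 1.4-style SBOM; the "fork:*" properties are a hypothetical convention.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "c1", "name": "core-server", "version": "4.2.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}],
     "properties": [{"name": "fork:modified", "value": "true"}]},
    {"bom-ref": "c2", "name": "libmedia", "version": "1.8.1",
     "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}],
     "properties": [{"name": "fork:linking", "value": "static"}]},
    {"bom-ref": "c3", "name": "httpkit", "version": "0.9.0",
     "licenses": [{"license": {"id": "MIT"}}]}],
  "vulnerabilities": [
    {"id": "VULN-PLACEHOLDER-1", "ratings": [{"severity": "critical"}],
     "affects": [{"ref": "c2"}]}]}""")

def _prop(component, name):
    # CycloneDX properties are a list of {"name", "value"} pairs; "" when absent
    return next((p["value"] for p in component.get("properties", []) if p["name"] == name), "")

def classify_obligations(sbom, distributed, network_service):
    """distributed: the product is conveyed (binaries, packages, images).
    network_service: it runs as SaaS; AGPL section 13 applies only to modified code."""
    findings = []
    for c in sbom["components"]:
        modified = _prop(c, "fork:modified") == "true"
        static = _prop(c, "fork:linking") == "static"
        for lic in (e["license"]["id"] for e in c.get("licenses", []) if "license" in e):
            if lic in NETWORK_COPYLEFT:
                hit, duty = distributed or (network_service and modified), "offer corresponding source to network users"
            elif lic in STRONG_COPYLEFT:
                hit, duty = distributed, "convey corresponding source with build scripts"
            elif lic in WEAK_COPYLEFT:
                hit, duty = distributed and (modified or static), "provide library source in relinkable form"
            else:
                hit, duty = distributed, "keep license text and copyright notices"
            findings.append({"component": c["name"], "license": lic, "triggered": hit, "obligation": duty})
    return findings

def critical_components(sbom):
    """Names of components affected by a critical-rated vulnerability (checklist step 6)."""
    name = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    return sorted({name[a["ref"]] for v in sbom.get("vulnerabilities", [])
                   if any(r.get("severity") == "critical" for r in v.get("ratings", []))
                   for a in v.get("affects", [])})
```

Run `classify_obligations(SAMPLE_SBOM, distributed=False, network_service=True)` to see that only the modified AGPL core triggers in a pure SaaS deployment, and with `distributed=True` that all three components do.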

SCA, SBOM and OSS/legal advisory comparison

The MVP ranks options by use case, not by marketing claims.

| Category | Best fit | Limits to verify |
|---|---|---|
| Commercial SCA | Large product portfolio, mature CI/CD, need for centralized policies. | License coverage, false positives, SBOM export, developer-based pricing. |
| Open-source SBOM | Autonomous technical team, SPDX/CycloneDX need and fine pipeline control. | Maintenance, non-lawyer UX, metadata quality. |
| OSS/legal firm | Strategic fork, potential dispute, M&A diligence, sensitive AGPL/GPL clauses. | Lead time, cost, need for prepared technical evidence. |
| Component security audit | Exposed product, dependency debt, customer or cyber-insurance pressure. | Business prioritization, real exploitability, tracked remediation. |

Report ready for executives and product teams

The expected output combines risk score, applicable obligations, missing evidence, quick wins, legal actions and technical backlog. It bridges CTO, product, legal and compliance teams.

General information, not legal advice. Validate sensitive decisions with qualified counsel.