CASE STUDY / RETAIL
A retailer builds its first open source license inventory.
How a national retailer built its first open source license inventory, surfaced components that had relicensed since adoption, and sized the exposure in board language before an audit could. An anonymised composite.
Situation
A national retailer ran a large and fast-moving software estate across customer-facing commerce platforms, store systems, and internal tooling. Open source sat everywhere, adopted over years by dozens of teams making independent decisions. There was no single inventory of what the business ran or under which licenses. Each team knew its own stack; no one held the whole picture. For a business that processes payments and holds customer data, that blind spot had grown uncomfortable, and a board-level question about software risk finally forced the issue.
The exposure
The trigger was the relicensing wave. The team had read that HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1 as of August 2023, and that Redis and Elastic had moved to the Server Side Public License. The honest answer to the obvious follow-up question ("do we run any of these, and under what terms?") was that nobody knew. Source-available is not open source, and a component that had relicensed could be sitting in production under terms the retailer never agreed to. Without an inventory, the exposure could not be sized, and an audit or a vendor inquiry would have found it first.
Approach
We ran an open source license risk assessment to build the inventory from the ground up. We pulled dependency data across the estate, then constructed a full tree, direct and transitive, with the current license state attached to every node. The work deliberately reached past the named products that teams could list from memory and into the transitive layers where a relicensed library can hide. Each finding was ranked by exposure, and for every component that had changed terms we traced the blast radius through the systems built on it. Throughout, we worked only from the buyer side, with no vendor fee and no software to sell, so the inventory reflected the retailer's interest alone.
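The tree-plus-license-state step described above, as an added Python illustration that is not the engagement's own tooling: a constructed estate of three systems, a dependency map, and a per-component record of the license at adoption versus the license now. It lists the nodes whose terms changed, computes which systems each one reaches through transitive layers, and ranks moves to source-available terms ahead of moves that stay open source. All names and licenses are constructed for the example.

```python
"""Relicensing exposure over a dependency tree: added illustration, not the engagement's tooling."""
from collections import deque

# Source-available licenses that are not OSI-approved open source.
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0"}

# Constructed estate. Systems are the roots; every other node is a component.
SYSTEMS = {"checkout": ["web-framework", "cache-client"],
           "store-pos": ["cache-client"],
           "infra-platform": ["iac-tool"]}
DEPENDENCIES = {"web-framework": ["json-lib"], "cache-client": ["kv-store"],
                "iac-tool": ["config-parser"], "json-lib": [], "kv-store": [], "config-parser": []}
# Constructed license record: (license recorded at adoption, current license).
LICENSES = {"web-framework": ("MIT", "MIT"), "cache-client": ("BSD-3-Clause", "BSD-3-Clause"),
            "iac-tool": ("MPL-2.0", "BUSL-1.1"), "json-lib": ("Apache-2.0", "Apache-2.0"),
            "kv-store": ("BSD-3-Clause", "SSPL-1.0"), "config-parser": ("MPL-2.0", "Apache-2.0")}

def transitive_closure(roots):
    """All components reachable from a list of direct dependencies (BFS over the tree)."""
    seen, queue = set(), deque(roots)
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(DEPENDENCIES.get(node, []))
    return seen

def relicensed_components():
    """Components whose current license differs from the one recorded at adoption."""
    return {c for c, (adopted, current) in LICENSES.items() if adopted != current}

def blast_radius(component):
    """Systems that depend on the component, directly or through transitive layers."""
    return sorted(s for s, deps in SYSTEMS.items() if component in transitive_closure(deps))

def ranked_findings():
    """Relicensed components ranked: source-available moves first, then by systems hit."""
    findings = []
    for comp in relicensed_components():
        adopted, current = LICENSES[comp]
        findings.append({"component": comp, "adopted": adopted, "current": current,
                         "source_available": current in SOURCE_AVAILABLE,
                         "systems": blast_radius(comp)})
    return sorted(findings, key=lambda f: (not f["source_available"],
                                            -len(f["systems"]), f["component"]))

if __name__ == "__main__":
    for f in ranked_findings():
        print(f"{f['component']}: {f['adopted']} -> {f['current']}, systems: {f['systems']}")
```

Note that "kv-store" never appears in any system's direct dependency list; it is reached only through "cache-client", which is the transitive-layer case the approach above targets.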
Outcome
The retailer received its first complete open source license inventory: a dependency tree of thousands of components with license state per node, and a ranked findings report in board language. The inventory surfaced a small number of relicensed components in production, including one that had moved to the Business Source License and sat inside an internal platform used across several teams. The exposure was real but bounded. Because it was found through the inventory rather than through an audit, the retailer had room to act. Most findings were low risk and required only documentation. The handful that mattered were sized with a cost-to-cure attached, which let leadership decide between a fork, a replacement, and a negotiated license on the facts. The inventory also became the evidence record the business could stand on if a vendor or an auditor ever asked.
Lessons for buyers
The first lesson is that you cannot manage what you cannot see, and most large estates have no single inventory until something forces one. The second is that the relicensed components that matter usually hide in transitive layers, not in the named products teams can recite. The third is that finding the exposure yourself, on your own timeline, is far cheaper than having an audit find it for you. An inventory is not a one-time exercise either. Kept current through governance, it turns the next relicense from a surprise into a tracked event. For the wider context, see the pillar on license change and relicensing.
This case study is an anonymised composite. It names no client and reproduces no confidential detail. License names and dates are referenced for identification only and reflect the position as of the dates stated.
COMMON QUESTIONS
Questions buyers ask.
What did the retailer license inventory cover?
It covered every open source dependency across the retailer's customer-facing platforms and internal tooling, direct and transitive, with the current license state attached to each component. The inventory surfaced several components that had relicensed since adoption.
Why does a retailer need an open source license inventory?
Retailers run large, fast-moving estates where open source enters through many teams. Without a single inventory, a relicensed component can sit in production unseen until an audit or a vendor inquiry forces the question. The inventory makes the exposure visible while there is still room to act.
Is this a real named client?
No. This is an anonymised composite drawn from common engagements. It uses a realistic industry, scale, and exposure pattern but names no client and reproduces no confidential detail.
Is this legal advice?
No. This case study describes commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance, we recommend the buyer's own counsel.
START HERE
Build your own license inventory first.
A confidential open source license risk assessment. Independent, buyer-side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.