Assessing database license exposure in production

Databases are the part of the stack most likely to carry quiet license exposure. They are adopted early, run for years, and rarely get revisited once they work. When a database engine changes its license, the software keeps serving traffic while the terms underneath it shift, and the change goes unnoticed until something forces a look. The aim of an assessment is to bring that hidden state into the open and turn it into a map you can act on and defend.

Start with a complete inventory

Everything begins with knowing what you run. Build a complete inventory of every database engine in production, its version, and where it lives, direct and transitive. This is harder than it sounds, because databases arrive in many ways. A team installs one deliberately. A vendor appliance bundles another. An acquired product embeds a third. A container image pulls a fourth as a dependency. An inventory that only captures the instances someone meant to install will miss the ones that matter most. The version detail is essential, because the governing license follows the version, and a single engine can span several license states across your estate.

Identify which engines changed terms

Against that inventory, flag the engines that have relicensed. The major moves are well known. Redis moved from its permissive open license to a dual Redis Source Available License version 2 and Server Side Public License model as of March 2024, and later added the GNU AGPL version 3 as an open license option as of 2025. Elasticsearch and Kibana moved from Apache 2.0 to the Server Side Public License and the Elastic License as of 2021. MongoDB moved to the Server Side Public License in 2018. None of the source available licenses here is approved by the Open Source Initiative, and the AGPL, while open source, is strong copyleft. Each of these engines is common enough that most large estates run at least one, frequently without a current record of which license version applies.

Classify use against each license

With the relicensed engines flagged, classify how each is deployed, because deployment drives exposure far more than presence does. For source available licenses such as the Server Side Public License, the question that matters is whether you offer the database as a service to third parties. For copyleft licenses such as the GNU AGPL, the question is whether the database is reachable by users over a network in a way that could attach disclosure obligations. The same engine can be entirely permitted as an internal cache or search index and genuinely exposed inside a customer facing service. Separate the clearly permitted internal deployments from the cases that sit near a restriction, and treat the latter as items for your counsel rather than calls you make alone.

Size the exposure that matters

For each deployment that sits near a restriction, attach two numbers in board language: the cost of the exposure if the restriction applies, and the cost to cure it. The cost to cure varies by path. Migrating to a fork such as Valkey for Redis or OpenSearch for Elasticsearch carries engineering effort that depends on which proprietary features you rely on. Adopting an open license option may carry obligations rather than fees. Licensing commercially carries a negotiated cost. Removing the dependency carries its own work. A bounded number on each path turns an open ended worry into a decision a board can make, and it is the difference between managing exposure and being surprised by it.

Keep the assessment current

A database license assessment that is accurate today drifts tomorrow, because new versions ship, new engines enter through procurement and acquisition, and licenses continue to change. Treat the map as a living artifact, refreshed on a schedule and wired into intake so a new database is classified when it enters rather than during an audit. This is where assessment meets governance. The same map that answers a vendor or an examiner today is the early warning system that catches the next relicense before it becomes a finding. For the broader pattern, read our pillar on Redis and Elastic database licensing, and for related reading see Redis and the AGPL reversal, whether your Elasticsearch use is affected, and vector database licensing risk to watch.