
68% of commercial codebases now carry license conflicts. AI coding assistants are the leading cause.
GPL code reproduced without attribution by an AI tool is still GPL code. Your product still carries the obligation.
License laundering from AI tools is creating IP exposure that most legal teams don't know exists yet.
68% of commercial codebases contain open source license conflicts in 2026 — the highest rate in OSSRA history, driven by a 12-point increase in a single year. Source: 2026 OSSRA Report.
Maximum license conflicts found in a single codebase in the OSSRA 2026 audit. One AI-heavy codebase. One potential legal catastrophe at the next M&A transaction.
Of organizations evaluate AI-generated code for IP and license risks. 46% do not — accumulating legal debt that will surface at acquisition, litigation, or regulatory review.
Of global annual revenue — maximum EU CRA penalty for non-conformity combined with false reporting. IP-related non-disclosure to regulators carries separate exposure.
Sources: 2026 OSSRA Report. EU CRA penalty framework. Black Duck AI Code Governance research 2026.
AI coding assistants don't know — or preserve — the license obligations of the code they reproduce.
- 01 Detect license laundering at the snippet level
Black Duck's snippet analysis identifies fragments of code reproduced from GPL, LGPL, AGPL, and other copyleft sources — even when the AI assistant removed the license header, reformatted the code, or presented it as original. The legal obligation travels with the code, not with the attribution.
- 02 Identify obligations before they become disputes
Black Duck tracks 3,000+ license types across 10M+ open source projects. Every component, every snippet, every AI-generated fragment is assessed for license type, commercial use restrictions, source disclosure obligations, patent risks, and compatibility conflicts with your commercial license terms.
- 03 Produce documented IP decisions for every conflict
X-DLM™ routes every Black Duck license finding into a Polarion work item with assigned legal or engineering owner, conflict description, decision options, sign-off workflow, and resolution record. The outcome is a documented IP decision log — available for M&A diligence, customer legal review, or CRA conformity evidence.
- 04 EU CRA conformity — legal's role in the evidence chain
EU CRA requires manufacturers to maintain evidence of secure-by-design practices, SBOM accuracy, and vulnerability response governance. Legal teams participate in the Polarion approval workflow for license conflicts, high-severity vulnerabilities, and risk acceptance decisions — producing the cross-functional evidence trail CRA assessors require.
See how Siemens Polarion and Black Duck become one governed software risk workflow.
X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, escalation paths, and continuously maintained evidence.
Brand authority buyers recognize
Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.

Siemens Polarion ALM
Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.

Black Duck Software Composition Analysis
Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.
AI software companies face two EU frameworks simultaneously — and most are unprepared for either.
EU CRA requires SBOM, vulnerability governance, and secure-by-design evidence for every software product with digital elements. The EU AI Act layers conformity obligations on top for any AI system deployed in high-risk categories. Neither waits for the other.
Identify AI license liability before it finds you.
At M&A, at litigation, or at EU CRA conformity assessment.
See how X-DLM™ integrates Black Duck's snippet-level license analysis with Siemens Polarion's IP decision workflows — producing documented license conflict resolution records for M&A, enterprise procurement, EU CRA conformity, and litigation defensibility.