
Open Source Licenses - A True Story

What can happen in the worst case if you don't pay attention to your OSS licenses?

You can be slapped with a sales ban, pay hefty fines, or even be forced to release the source code of your own product and lose your intellectual property.

Commercial software usually consists of code written by the software producer plus hundreds of free open source components (OSS). Each of these components is under some license, and all of that license's conditions must be fulfilled by the software producer. Some conditions are simple; others can destroy your business model (e.g. strict copyleft and some weak copyleft licenses); still other licenses conflict with each other, making the whole software non-compliant.

Not long ago, I was asked to take responsibility for software license risks in addition to application security risks. I asked the developers for the compliance package for the OSS. I was provided with a list of 30 license names.


The first shock: The "compliance list" for our software customers should not only list the licenses but also fulfill their conditions. For example, it had to name the authors of the OSS components, include a disclaimer for one component, and provide the individual OSS components in source code (!) form. The list did not even say which license applied to which component.


In the second step, I generated a detailed "bill of materials" (SBOM) of the software. Instead of 30 licenses I found 1,200 OSS components! I won't tell how many evil licenses I found - now there are none left.


The third surprise came when we found GPL code hidden in the code of an OSS component that was under a harmless license. This meant that the harmless component was suddenly no longer commercially viable. Knowing these pitfalls prevented the worst and secured the software delivery. But this requires expert knowledge!
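A minimal license triage over an SBOM, added here as an illustration of the three problems described above (license classes that threaten the business model, an SBOM with far more components than licenses, and copyleft code hidden inside a permissively licensed component). This is example code, not code from the original post or from wobeecon.com. It reads a constructed CycloneDX-style document, rates each component by the strictest license attached to it (declared, or detected and recorded in the `evidence.licenses` field), flags components whose declared license is permissive but whose detected code is strict copyleft, and reports a known-incompatible license pair. The license classes and the single incompatibility rule are assumptions made for this example, not a legal policy; a real triage uses a vetted license policy.

```python
import json
from itertools import combinations

# Constructed CycloneDX-style SBOM (not any real project's SBOM). The
# "evidence.licenses" entry models a scanner that found GPL code inside a
# component whose declared license is BSD-3-Clause.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "fast-json", "version": "2.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "http-core", "version": "4.4.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "img-tools", "version": "0.9.3",
     "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
    {"name": "fancy-widgets", "version": "1.0.0",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}],
     "evidence": {"licenses": [{"license": {"id": "GPL-2.0-only"}}]}},
    {"name": "mystery-lib", "version": "3.2.1"}
  ]
}
"""

# License classes are an assumption for this example (SPDX identifiers).
STRICT_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Pairs that cannot be combined in one distributed program; the classic
# example is Apache-2.0 code linked into a GPL-2.0-only program.
INCOMPATIBLE = {frozenset({"GPL-2.0-only", "Apache-2.0"})}

# Higher number = higher risk for a commercial product.
RISK_ORDER = {"permissive": 0, "unknown": 1, "weak-copyleft": 2, "strict-copyleft": 3}


def classify(license_id):
    """Map an SPDX license id onto one of the risk classes above."""
    if license_id in STRICT_COPYLEFT:
        return "strict-copyleft"
    if license_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def license_ids(entries):
    """Extract SPDX ids from a CycloneDX 'licenses' array."""
    return [e["license"]["id"] for e in entries if "id" in e.get("license", {})]


def worst_risk(ids):
    """Strictest class among the given licenses; no license at all is 'unknown'."""
    if not ids:
        return "unknown"
    return max((classify(i) for i in ids), key=RISK_ORDER.__getitem__)


def triage(sbom_json):
    """Rate every component and report hidden copyleft and conflicting pairs."""
    sbom = json.loads(sbom_json)
    report = {"components": {}, "hidden_copyleft": [], "conflicts": []}
    seen = set()
    for comp in sbom["components"]:
        key = f"{comp['name']}@{comp['version']}"
        declared = license_ids(comp.get("licenses", []))
        detected = license_ids(comp.get("evidence", {}).get("licenses", []))
        report["components"][key] = worst_risk(declared + detected)
        seen.update(declared + detected)
        # A permissive label on the outside, strict copyleft on the inside.
        if (worst_risk(declared) == "permissive"
                and worst_risk(detected) == "strict-copyleft"):
            report["hidden_copyleft"].append(key)
    # Any two licenses present in the product are combined at distribution time.
    for a, b in combinations(sorted(seen), 2):
        if frozenset({a, b}) in INCOMPATIBLE:
            report["conflicts"].append((a, b))
    return report


if __name__ == "__main__":
    result = triage(SBOM_JSON)
    for key, risk in result["components"].items():
        print(f"{key:22} {risk}")
    print("hidden copyleft:", result["hidden_copyleft"])
    print("conflicts:", result["conflicts"])
```

On the constructed SBOM the run rates `fancy-widgets@1.0.0` as strict copyleft despite its BSD label, marks `mystery-lib@3.2.1` as unknown (a component with no license at all is a finding, not a pass), and reports the Apache-2.0 / GPL-2.0-only pair as a conflict across the whole product rather than inside a single component.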


If you want to know more or need help, look here: https://wobeecon.com. 
