Open-source software and AI-model ecosystems have grown rapidly, and the components they distribute are released under a wide range of licenses, including GPL, MIT, Apache 2.0, and licenses written specifically for AI models such as the LLaMA Community License and the Gemma Terms of Use. Each license imposes its own legal obligations, and combining differently licensed components in one project can produce license incompatibilities that expose the project to copyright infringement claims. Tools such as Black Duck and Snyk address license compliance for software dependencies, but none of them account for AI-model licenses. This paper proposes DepGuard, an automated three-layer framework that (i) extracts software dependencies from a requirements.txt file or a GitHub URL, (ii) resolves their licenses using the PyPI metadata API, the GitHub API and the SPDX license database, and (iii) applies a rule-based engine to compute a compliance risk score, the DepGuard Compliance Index (DCI). The approach was validated on ten publicly available open-source Python projects: DepGuard identified license conflicts with 94% precision and reduced manual compliance-analysis time by 80%.
Introduction
This text presents DepGuard, a system designed to automatically check software and AI model licensing compliance.
It begins by explaining that modern software heavily relies on open-source components, but many projects contain licensing conflicts. The problem becomes more complex with AI models (like LLaMA 3, Gemma, and Mistral), which often have usage-based restrictions rather than traditional open-source rules.
To address this, the paper proposes DepGuard, a three-layer automated compliance tool:
Dependency & License Detection – extracts software dependencies and identifies their licenses.
Compatibility Checker – evaluates whether different licenses are legally compatible using a risk matrix.
AI Model Scanner – analyzes AI model cards (e.g., Hugging Face) to detect usage restrictions like commercial limits or harmful-use bans.
A key contribution is the DepGuard Compliance Index (DCI), a numerical score (0–10) that measures legal and licensing risk based on dependency type, license severity, and commercial restrictions.
The system is tested on Python projects and achieves strong performance (about 94% precision, 89% recall, 91% F1-score).
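The pipeline sketched above (dependency extraction, license resolution, rule-based scoring, model-card inspection) in runnable form. This is an added example, not DepGuard's own code: license lookup is a constructed in-memory table rather than the PyPI, GitHub and SPDX queries the paper describes; the severity weights, the 0–10 mapping, the worst-finding aggregation and the decision thresholds are assumptions, since the page does not give the DCI formula; and the package names, model card and license values are constructed sample data.

```python
"""Added illustrative example, not DepGuard's implementation.
Rule weights, score mapping and thresholds are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample metadata (not real PyPI data):
# normalized distribution name -> SPDX id, or None when none is declared.
SAMPLE_PYPI = {
    "requests": "Apache-2.0",
    "numpy": "BSD-3-Clause",
    "pyqt5": "GPL-3.0-only",
    "internal-lib": None,
}

# Assumed rule table: license id -> (family, base severity 0-10).
# 'llama3' and 'gemma' are assumed short names as used in model-card
# YAML 'license:' keys; they carry usage-based terms, not copyleft.
LICENSE_RULES = {
    "MIT": ("permissive", 0),
    "BSD-3-Clause": ("permissive", 0),
    "Apache-2.0": ("permissive", 1),
    "MPL-2.0": ("weak-copyleft", 3),
    "LGPL-2.1-or-later": ("weak-copyleft", 4),
    "GPL-2.0-or-later": ("strong-copyleft", 8),
    "GPL-3.0-only": ("strong-copyleft", 8),
    "AGPL-3.0-only": ("strong-copyleft", 9),
    "llama3": ("use-restricted", 5),
    "gemma": ("use-restricted", 5),
}
RULE_INDEX = {k.lower(): v for k, v in LICENSE_RULES.items()}  # case-insensitive ids
UNKNOWN_SEVERITY = 6  # undeclared or unrecognized license: hold for manual review


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'PyQt5' and 'pyqt5' resolve the same."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Package names from requirements.txt; skips comments, blank lines,
    pip options (-r, --index-url) and strips extras/version/marker/URL."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names


def model_card_license(card_text: str) -> Optional[str]:
    """Read the 'license:' key from a model card's YAML front matter."""
    m = re.search(r"^license:\s*([\w.+-]+)\s*$", card_text, re.MULTILINE)
    return m.group(1) if m else None


@dataclass
class Finding:
    component: str
    license: Optional[str]
    severity: int
    reason: str


def assess(component, lic, project_family, commercial) -> Finding:
    """Score one component against the assumed rule table."""
    if lic is None:
        return Finding(component, None, UNKNOWN_SEVERITY, "no license declared")
    family, sev = RULE_INDEX.get(lic.lower(), ("unknown", UNKNOWN_SEVERITY))
    reason = "compatible"
    if family == "strong-copyleft" and project_family != "strong-copyleft":
        sev, reason = 10, "strong-copyleft dependency in a non-copyleft project"
    elif family == "weak-copyleft":
        reason = "modifications to this component must be released"
    elif family == "use-restricted":
        if commercial:
            sev, reason = sev + 3, "usage-based terms apply to commercial use"
        else:
            reason = "usage-based terms; check the acceptable-use policy"
    elif family == "unknown":
        reason = "license identifier not in rule table"
    return Finding(component, lic, min(sev, 10), reason)


def compliance_index(findings) -> int:
    """Project score: the worst finding dominates (assumed aggregation)."""
    return max((f.severity for f in findings), default=0)


def decision(dci: int) -> str:
    """Assumed thresholds mapping the score onto the paper's four actions."""
    return "proceed" if dci <= 2 else "examine" if dci <= 5 else "substitute" if dci <= 8 else "halt"


def scan(requirements_text, model_card_text, project_family, commercial, metadata=SAMPLE_PYPI):
    findings = [assess(n, metadata.get(n), project_family, commercial)
                for n in parse_requirements(requirements_text)]
    findings.append(assess("model", model_card_license(model_card_text), project_family, commercial))
    return findings, compliance_index(findings)


# Constructed inputs for a stand-alone run.
REQUIREMENTS = """# runtime deps
requests>=2.31 ; python_version >= "3.8"
numpy==1.26.4
PyQt5[sip]~=5.15
internal_lib @ git+https://example.invalid/internal_lib.git
-r dev.txt
"""
MODEL_CARD = "---\nlicense: llama3\nbase_model: example/base-8b\n---\n# Fine-tuned model\n"

if __name__ == "__main__":
    findings, dci = scan(REQUIREMENTS, MODEL_CARD, "permissive", commercial=True)
    for f in findings:
        print(f"{f.component:14} {str(f.license):18} {f.severity:2}  {f.reason}")
    print("DCI", dci, "->", decision(dci))
```

A GPL-3.0 dependency in a permissively licensed commercial project pushes the score to 10 ("halt") regardless of how clean the other dependencies are; that is the intended behaviour of a worst-case aggregation, because a single incompatible component is enough to block distribution.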
Conclusion
This paper introduced DepGuard, a three-layer automated IP compliance system that closes a gap left by existing tools: it evaluates software dependency licenses and AI model licenses together in a single risk assessment pipeline. The DepGuard Compliance Index (DCI) is a reproducible, formula-based risk metric that maps directly to a decision: proceed, examine, substitute, or halt. In an evaluation on ten projects, DepGuard detected license conflicts with 94% precision and reduced manual review effort by up to 80%. By treating open-source and AI-model licenses from an IP law perspective, DepGuard narrows the knowledge gap in practice that leaves many open-source AI projects exposed to copyright liability.