Law and order on the open-source range

05.12.2005

Not every company is going to have someone with Mullis' expertise, so IT vendors offer tools specifically to detect open-source code buried inside source files. Paul English, CTO at Kayak Software Corp. in Norwalk, Conn., uses a service from Black Duck Software Inc. in Waltham, Mass. Black Duck CEO Douglas Levin claims that his service detects more than 400 instances of open-source code found in projects on SourceForge and elsewhere.

English says it's critical for his business that Kayak pass a code audit because one of his firm's business scenarios involves being acquired. "We have to show due diligence that our code is clear," he says.

Black Duck and its main rival, San Francisco-based Palamida Inc., "fingerprint" your code. According to Ray Waldin, CTO at Palamida, a fingerprint is a unique mathematical token that the services compare against the millions of tokens they have on file. But, he adds, the process involves more than generating a hash (or token) of the code and doing a simple comparison: a whole-file hash changes completely if a single character changes, so it would miss anything that had been edited. Palamida's service also evaluates code behavior, that is, the function of a given code snippet, which can reveal code that's been modified or moved. His service ranks the portions of your code that allegedly contain open-source code, identifies the projects involved and then, of course, points you to their licenses.

You don't actually send your source code to Black Duck or Palamida to be scrutinized. They send you a software tool that runs on your own systems and fingerprints your code by running a multipattern search over each source file; only the resulting fingerprints, not the source itself, are compared against the vendor's database.
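The fingerprinting idea described above, shown as an added example that is not Black Duck's or Palamida's actual method: it contrasts a whole-file hash (which misses any edit) with token-level fingerprints built by the winnowing scheme (Schleimer, Wilkerson and Aiken, 2003), which survive renamed identifiers, changed whitespace and comments, and a block that has been moved below other code. The three code snippets are constructed for the demonstration; the k-gram size and window width are arbitrary choices; and the fingerprints are one-way hashes, so a tool of this kind can compare them against a database without the source leaving the customer's site.

```python
import hashlib
import io
import keyword
import tokenize

# Constructed sample: a snippet standing in for code from an open-source project.
LIBRARY_SNIPPET = """
def parse_header(buf):
    # read magic and length
    magic = buf[0:4]
    length = int.from_bytes(buf[4:8], "big")
    if magic != b"RIFF":
        raise ValueError("bad magic")
    return length
"""

# Constructed sample: the same function copied into a customer's file with the
# comment dropped, identifiers renamed, and the whole block moved below another function.
MODIFIED_COPY = """
def checksum(data):
    total = 0
    for b in data:
        total = (total + b) & 0xFF
    return total

def read_hdr(data):
    m = data[0:4]
    n = int.from_bytes(data[4:8], "big")
    if m != b"RIFF":
        raise ValueError("bad magic")
    return n
"""

# Constructed sample: code with no relation to the library snippet.
UNRELATED_SNIPPET = """
total = 0
for item in items:
    if item > limit:
        continue
    total += item * 2
print(total)
"""


def whole_file_hash(src):
    """The naive approach: one hash per file. Any edit at all changes it."""
    return hashlib.sha256(src.encode("utf-8")).hexdigest()


def normalize_tokens(src):
    """Tokenize Python source and discard what an editor changes cheaply:
    comments, blank lines, whitespace, and identifier names (mapped to 'ID').
    Keywords, operators, literals and block structure are kept."""
    skip = {tokenize.COMMENT, tokenize.NL, tokenize.ENDMARKER}
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type in skip:
            continue
        if tok.type == tokenize.NAME:
            out.append(tok.string if keyword.iskeyword(tok.string) else "ID")
        elif tok.type in (tokenize.NEWLINE, tokenize.INDENT, tokenize.DEDENT):
            out.append(tokenize.tok_name[tok.type])
        else:  # OP, NUMBER, STRING keep their text
            out.append(tok.string)
    return out


def kgram_hashes(tokens, k):
    """Hash every run of k consecutive tokens (64-bit truncation of SHA-256)."""
    hashes = []
    for i in range(len(tokens) - k + 1):
        gram = "\x00".join(tokens[i:i + k]).encode("utf-8")
        hashes.append(int.from_bytes(hashlib.sha256(gram).digest()[:8], "big"))
    return hashes


def winnow(hashes, w):
    """Keep the minimum hash of every window of w consecutive k-gram hashes.
    Any shared token run of length >= w + k - 1 yields at least one shared fingerprint."""
    if len(hashes) < w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(src, k=5, w=4):
    return winnow(kgram_hashes(normalize_tokens(src), k), w)


def containment(known, candidate):
    """Fraction of the known snippet's fingerprints that appear in the candidate file."""
    known_fp = fingerprint(known)
    if not known_fp:
        return 0.0
    return len(known_fp & fingerprint(candidate)) / len(known_fp)


if __name__ == "__main__":
    print("whole-file hashes equal:",
          whole_file_hash(LIBRARY_SNIPPET) == whole_file_hash(MODIFIED_COPY))
    print("library in modified copy:", containment(LIBRARY_SNIPPET, MODIFIED_COPY))
    print("library in unrelated code:", containment(LIBRARY_SNIPPET, UNRELATED_SNIPPET))
```

Because the copied function's normalized token stream is a contiguous run inside the modified file, every window the winnowing step sees in the library snippet is also seen there, so the containment score is exactly 1.0 even though the whole-file hashes differ. A production scanner applies the same idea across many languages and a large corpus; the identifier normalization here is the crude stand-in for the behavioural matching Waldin describes.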

Naturally, you can take a chance that you won't get caught violating an open-source license. But you should know that the Software Freedom Law Center is hiring more lawyers whose job will be to show you the error of your ways.