License Compliance

Stay on top of Licenses for open source dependencies

Package dependencies have license restrictions and obligations that must be complied with. Manage License Compliance for individual registries and the whole workspace with Bytesafe. Make sure packages you depend on are in compliance with your policies.

License compliance in Bytesafe:

  • License Policies - Governs which licenses to allow and disallow, and what licenses to block altogether for the License Compliance plugin.

  • License Compliance Plugin - Identifies license information in package dependencies and flags or quarantines packages with license compliance issues.

  • License Dashboards - Provides a holistic overview of all the license compliance information for a registry, including information on any open License Issues.

License compliance is a premium plan feature. Free plan users are limited to declared licenses found in project files like package.json, pom.xml or .nuspec. Upgrade to a premium plan to identify actual license text in package files.

License Policies

License policies are rules that govern how specific licenses and use cases are handled by the license compliance plugin.

Users can create and customize policies according to their needs and apply them to registries.

A policy is applied to a registry by selecting it in the License Compliance plugin settings.

example license policy

Each license policy consists of license rules for any number of licenses. It also contains configuration on how to handle use-cases like missing or unknown licenses.

  • Policy name - Name of the policy. Used in the License Compliance plugin and on License Dashboards.
  • License rules - List of licenses to allow or disallow. Each rule consists of a License, an associated Severity and a Description. The Description is used in license issues opened by that rule.
  • Non-matching licenses - Issue severity associated with any license that is not matched by the list of license rules. Can be used to allow or disallow any license not listed in the rules.
  • Unknown license - Severity associated with license issues opened for unknown licenses, i.e. licenses that cannot be identified as a known SPDX license. Set to No Risk to disable license issues for unknown licenses.
  • Missing license - Severity associated with license issues opened when no license information is found in the package. This includes declared licenses (i.e. found in project files like package.json) that are missing the actual license text. Set to No Risk to disable license issues for missing licenses.
  • Description - Text field describing the intent of the policy and what it governs; instructions for other users in the workspace.

There are generally two approaches to configuring a policy. Either provide a list of rules for the licenses to allow, and block all other licenses by setting a severity for Non-matching licenses.

Or the inverse: provide a list of rules for the licenses to disallow, and set Non-matching licenses to No Risk so that all licenses not matched (and disallowed) by the license rules are allowed.

License Policy Settings

License policies are configured and edited in the workspace settings, License policies tab.

license policy settings

Policies can be applied to any registry in a workspace.

To apply a policy for a specific registry, enable the License Compliance plugin and select the policy in the plugin settings.

Default & Template License Policies

Bytesafe provides a default policy and a selection of template policies. Policies provided by Bytesafe are marked with a TEMPLATE badge.

The default policy opens License issues for unlicensed packages. It is applied by default to new registries.

Default license policy

Template policies are used to demonstrate how license policies can be configured to allow and disallow combinations of licenses. Copies of a template can be saved and used as a basis for a custom policy.

Template policies are not intended for production use and cannot be edited directly.

Read and understand license conditions
Template licenses should not be considered legal advice. Always read, understand and carefully consider software licenses to remain compliant.

Enhanced License Identification

With license compliance enabled, the License Compliance Plugin scans for license information in your open source package dependencies.

Package license information is assembled from:

  • LICENSE files available in package root
  • License text found in other package files
  • License metadata declared in package.json, .pom, .nuspec files.

Bytesafe differentiates between observed licenses and declared licenses.

Observed licenses

Observed licenses are identified licenses in actual LICENSE files or license text in other project files.

Observed license badge display

Observed licenses that can be matched to a standardized SPDX license are displayed with a white license badge.

Declared licenses

Declared licenses are references to licenses in metadata (i.e. found in project files like package.json, .pom, .nuspec) where the actual license text is missing.

Declared licenses signal a potential license issue, as license text is often required for the license to be applicable.

Declared licenses are displayed using a yellow warning color.

Missing license issues can be opened for declared licenses in line with the applied License Policy.

example of declared license in metadata, but missing actual license

License Dashboard

A License Dashboard is available for any registry with the License Compliance Plugin enabled.

The dashboard provides an overview of all License compliance information for a registry, in accordance with the applied license policy.

example license dashboard

The information includes:

  • Detailed license composition - Breakdown of licenses found in a registry, together with the number of associated packages and issues.
  • License risk distribution - Distribution of license risk for a registry.
  • License issues - Number of license issues opened by the applied policy for the registry.
  • Unique licenses - Number of unique licenses identified in packages for a registry.
  • License policy - Description of and link to the applied license policy.

License Issues

License Issues are opened whenever a package license is detected that is assigned a severity by the applied license policy. Notifications are sent in accordance with the user's notification settings.

The issue description provides details as to why the issue was opened with details from the applied license policy. In addition, a link to the license policy is available in the sidebar.

example license issue

There are several license issue types. The appropriate type is assigned according to the root cause of the license issue.

License issue types:

  • BAD LICENSE - Issues opened for identified licenses linked to a severity in the applied license rules.
  • MISSING LICENSE - Issues opened when no license file or license text is observed in package files. This includes declared licenses (i.e. found in project files like package.json) that are missing the actual license text, which is often required for the license to be applicable.
  • UNKNOWN LICENSE - Issues opened for a license found in a known file (i.e. LICENSE, LICENSE.txt, package.json etc.) that cannot be identified as a known SPDX license.
  • NO LICENSE - Issues opened when no license information is observed or declared in a package.
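As an added example (not Bytesafe's own code), the following Python model shows how the two policy approaches from the License Policies section (an allow list that blocks everything non-matching, and a deny list that allows everything non-matching) decide which of the four issue types above is opened for a package. The severity scale, the `evaluate` function, the choice that a non-matching license produces a BAD LICENSE issue at the Non-matching severity, and the choice that NO LICENSE reuses the Missing license severity are assumptions of this example; the package records are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    """Constructed severity scale; NO_RISK means 'open no issue'."""
    NO_RISK = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class LicenseRule:
    spdx_id: str          # e.g. "MIT", "GPL-3.0-only"
    severity: Severity
    description: str      # reused as the text of issues opened by this rule


@dataclass(frozen=True)
class Policy:
    name: str
    rules: dict[str, LicenseRule]   # keyed by SPDX id
    non_matching: Severity          # licenses not covered by any rule
    unknown: Severity               # license text present but not a known SPDX license
    missing: Severity               # declared-only, or no license information at all


@dataclass(frozen=True)
class PackageLicense:
    """Hypothetical scan result for one package."""
    name: str
    observed: Optional[str] = None   # SPDX id matched in LICENSE text, if any
    declared: Optional[str] = None   # license field from package.json / .pom / .nuspec
    unknown_text: bool = False       # license text found but not matchable to SPDX


@dataclass(frozen=True)
class Issue:
    package: str
    kind: str            # BAD LICENSE / MISSING LICENSE / UNKNOWN LICENSE / NO LICENSE
    severity: Severity
    reason: str


def evaluate(policy: Policy, pkg: PackageLicense) -> Optional[Issue]:
    """Return the issue the policy opens for this package, or None when no risk."""
    def open_issue(kind: str, severity: Severity, reason: str) -> Optional[Issue]:
        return None if severity == Severity.NO_RISK else Issue(pkg.name, kind, severity, reason)

    if pkg.observed is not None:
        rule = policy.rules.get(pkg.observed)
        if rule is None:  # assumption: non-matching licenses are reported as BAD LICENSE
            return open_issue("BAD LICENSE", policy.non_matching,
                              f"{pkg.observed} is not covered by a rule in policy '{policy.name}'")
        return open_issue("BAD LICENSE", rule.severity, rule.description)
    if pkg.unknown_text:
        return open_issue("UNKNOWN LICENSE", policy.unknown,
                          "license text could not be matched to a known SPDX license")
    if pkg.declared is not None:
        return open_issue("MISSING LICENSE", policy.missing,
                          f"{pkg.declared} declared in metadata but no license text in package")
    # assumption: NO LICENSE uses the Missing license severity
    return open_issue("NO LICENSE", policy.missing, "no license information observed or declared")


def evaluate_registry(policy: Policy, packages: list[PackageLicense]) -> list[Issue]:
    """Issues a policy would open across a whole registry (like the dashboard's issue count)."""
    return [i for i in (evaluate(policy, p) for p in packages) if i is not None]


# Approach 1: allow a few permissive licenses, block everything else.
ALLOW_LIST = Policy(
    name="allow-permissive",
    rules={r.spdx_id: r for r in [
        LicenseRule("MIT", Severity.NO_RISK, "MIT is permissive"),
        LicenseRule("Apache-2.0", Severity.NO_RISK, "Apache-2.0 is permissive"),
    ]},
    non_matching=Severity.HIGH, unknown=Severity.MEDIUM, missing=Severity.MEDIUM,
)

# Approach 2: disallow specific licenses, allow everything not matched.
DENY_LIST = Policy(
    name="block-copyleft",
    rules={r.spdx_id: r for r in [
        LicenseRule("GPL-3.0-only", Severity.HIGH, "strong copyleft not permitted"),
        LicenseRule("AGPL-3.0-only", Severity.HIGH, "network copyleft not permitted"),
    ]},
    non_matching=Severity.NO_RISK, unknown=Severity.LOW, missing=Severity.LOW,
)

# Constructed sample scan results.
SAMPLE_PACKAGES = [
    PackageLicense("left-pad", observed="MIT", declared="MIT"),
    PackageLicense("copyleft-lib", observed="GPL-3.0-only", declared="GPL-3.0-only"),
    PackageLicense("bsd-lib", observed="BSD-3-Clause", declared="BSD-3-Clause"),
    PackageLicense("metadata-only", declared="ISC"),          # MISSING LICENSE
    PackageLicense("custom-text", unknown_text=True),         # UNKNOWN LICENSE
    PackageLicense("nolicense"),                              # NO LICENSE
]

if __name__ == "__main__":
    for policy in (ALLOW_LIST, DENY_LIST):
        print(f"policy {policy.name}:")
        for issue in evaluate_registry(policy, SAMPLE_PACKAGES):
            print(f"  {issue.kind:16} {issue.severity.name:7} {issue.package}: {issue.reason}")
```

Running it shows the trade-off the two approaches make: the allow list flags `bsd-lib` (not in the rules) as well as the copyleft package, while the deny list lets BSD through but still catches the declared-only, unknown and unlicensed packages through the Unknown and Missing settings, which apply regardless of which approach is chosen.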