License Compliance

Stay on top of Licenses for open source dependencies

Package dependencies have license restrictions and obligations that must be complied with. Manage License Compliance for individual registries and the whole workspace with Bytesafe. Make sure packages you depend on are in compliance with your policies.

License compliance in Bytesafe:

  • License Policies - Govern which licenses to allow, which to disallow, and which to block altogether for the License Compliance plugin.

  • License Compliance Plugin - Identifies license information in package dependencies and flags or quarantines license compliance issues.

  • License Dashboards - provide a holistic overview of all the license compliance information for a registry, together with information on any open License Issues.

License Policies

License policies are rules that govern how specific licenses and use cases are handled by the license compliance plugin.

Users can create and customize policies according to their needs and apply them to registries.

Policies are applied to registries by selecting them in the License Compliance plugin settings.

example license policy

Each license policy consists of license rules for any number of licenses. It also contains configuration on how to handle use-cases like missing or unknown licenses.

Policy name: Name of the policy. Used in the License Compliance plugin and on License Dashboards.
License rules: List of licenses to allow or disallow. Each rule consists of a License, an associated Severity and a Description. The Description is used in license issues opened by that rule.
Non-matching licenses: Issue severity associated with any license that is not matched by the list of license rules. Can be used to allow or disallow all licenses not listed in the rules.
Unknown license: Severity associated with license issues opened for unknown licenses. Set to No Risk to disable license issues for unknown licenses.
Missing license: Severity associated with license issues opened for missing licenses. Set to No Risk to disable license issues for missing licenses.
Description / Instruction: Text field describing the intent of the policy and what it governs, with instructions for other users in the workspace.

There are generally two approaches to configuring a policy. Either provide a list of rules for the licenses to allow, and block all other licenses by setting a severity for Non-matching licenses (an allow-list). Or the inverse: provide a list of rules for the licenses to disallow and set Non-matching licenses to No Risk, so that any license not matched (and disallowed) by the license rules is allowed (a deny-list).
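The two approaches, as an added illustration that is not Bytesafe's own code: a small evaluator that takes a policy with the fields described above (license rules with a severity and description, plus severities for non-matching, unknown and missing licenses) and decides whether an issue is opened for a detected license. The severity names, the No Risk sentinel, the UNKNOWN/MISSING markers and case-insensitive matching of license identifiers are assumptions made for this example.

```python
"""Illustrative license-policy evaluator (added example, not Bytesafe code)."""
from dataclasses import dataclass

NO_RISK = "No Risk"          # severity that disables issues for a rule/use-case
UNKNOWN = "UNKNOWN"          # assumed marker: license text found but not recognised
MISSING = None               # assumed marker: no license found in the package at all


@dataclass
class LicenseRule:
    license: str             # SPDX identifier, e.g. "MIT"
    severity: str            # issue severity, or NO_RISK to allow
    description: str         # copied into issues opened by this rule


@dataclass
class LicensePolicy:
    name: str
    rules: list
    non_matching: str        # severity for licenses not matched by any rule
    unknown: str             # severity for unknown licenses
    missing: str             # severity for missing licenses
    description: str = ""

    def evaluate(self, license_id):
        """Return (severity, reason). NO_RISK means no issue is opened."""
        if license_id is MISSING:
            return self.missing, "missing license"
        if license_id == UNKNOWN:
            return self.unknown, "unknown license"
        for rule in self.rules:
            # assumption: SPDX identifiers are compared case-insensitively
            if rule.license.lower() == license_id.lower():
                return rule.severity, rule.description
        return self.non_matching, f"{license_id} is not matched by any license rule"


def open_issue(policy, license_id):
    """Return the issue that would be opened, or None when the license is allowed."""
    severity, reason = policy.evaluate(license_id)
    if severity == NO_RISK:
        return None
    return {"policy": policy.name, "license": license_id,
            "severity": severity, "reason": reason}


# Approach 1 (allow-list): list the permitted licenses, block everything else.
ALLOW_LIST = LicensePolicy(
    name="Permissive only",
    rules=[LicenseRule("MIT", NO_RISK, "Permissive, allowed"),
           LicenseRule("Apache-2.0", NO_RISK, "Permissive, allowed"),
           LicenseRule("BSD-3-Clause", NO_RISK, "Permissive, allowed")],
    non_matching="High",     # anything not listed opens a High issue
    unknown="Medium",
    missing="Medium",
)

# Approach 2 (deny-list): list the licenses to disallow, allow everything else.
DENY_LIST = LicensePolicy(
    name="No strong copyleft",
    rules=[LicenseRule("GPL-3.0-only", "High", "Strong copyleft, not permitted"),
           LicenseRule("AGPL-3.0-only", "Critical", "Network copyleft, not permitted")],
    non_matching=NO_RISK,    # allow any license not matched by a rule
    unknown="Low",
    missing=NO_RISK,         # this example policy ignores missing licenses
)

if __name__ == "__main__":
    for lic in ("MIT", "GPL-3.0-only", "ISC", UNKNOWN, MISSING):
        print(lic, open_issue(ALLOW_LIST, lic), open_issue(DENY_LIST, lic))
```

Note how the same license (ISC, or a missing license) is handled oppositely by the two policies purely through the Non-matching and Missing settings; the rule lists themselves never mention it.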

License Policy Settings

License policies are configured and edited in the workspace settings, License policies tab.

license policy settings

Policies can be applied to any registry in a workspace.

To apply a policy to a specific registry, enable the License Compliance plugin and select the policy in the plugin settings.

Default & Template License Policies

Bytesafe provides a default policy and a selection of template policies. Policies provided by Bytesafe are marked with a TEMPLATE badge.

The default policy opens license issues for unlicensed packages. It is applied by default to new registries.

Default license policy

Template policies are used to demonstrate how license policies can be configured to allow and disallow combinations of licenses. Copies of a template can be saved and used as a basis for a custom policy.

Template policies should not be used for production use cases and cannot be edited directly.

Enhanced License Identification

With License Compliance enabled, the License Compliance plugin scans for license information in your open source package dependencies.

Package license information is collected from LICENSE files in the package root and from license text found in any other file in the package. License information found in package files supersedes the license metadata in package.json.

The License Compliance plugin also opens issues for packages whose package.json metadata references a license when no actual license text can be found in the package files. This is a potential issue because metadata alone is not a software license: the license field declares a license, but only the license text grants it.
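The precedence described above, as an added illustration that is not Bytesafe's identification code: a function that looks for license text in a package's files (root LICENSE/COPYING files first, then any other file), falls back to the package.json license field only to report what was declared, and flags a package whose metadata references a license that no file contains. The fingerprint phrases, the result fields and the sample packages are constructed for this example; a real identifier matches full license texts rather than one phrase.

```python
"""Illustrative license identification over a package's files (added example)."""
import json
import re

# Assumed fingerprints: one distinctive phrase from each license's text.
FINGERPRINTS = {
    "MIT": "Permission is hereby granted, free of charge, to any person obtaining a copy",
    "Apache-2.0": "Licensed under the Apache License, Version 2.0",
    "ISC": "Permission to use, copy, modify, and/or distribute this software for any purpose",
}
ROOT_LICENSE_FILE = re.compile(r"^(LICEN[CS]E|COPYING)(\..*)?$", re.IGNORECASE)


def is_root_license_file(path):
    return "/" not in path and ROOT_LICENSE_FILE.match(path) is not None


def match_text(text):
    """Return the SPDX id whose fingerprint appears in text, else None."""
    lowered = text.lower()
    for spdx, phrase in FINGERPRINTS.items():
        if phrase.lower() in lowered:
            return spdx
    return None


def declared_license(files):
    """License referenced in package.json metadata, or None."""
    try:
        data = json.loads(files.get("package.json", "{}"))
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    value = data.get("license")
    if isinstance(value, dict):           # legacy {"type": "...", "url": "..."} form
        value = value.get("type")
    return value if isinstance(value, str) and value.strip() else None


def identify_license(files):
    """files: mapping of path -> content for one package.

    Returns the identified license, the file it came from, the license
    declared in package.json, and the issues to open.
    """
    declared = declared_license(files)
    # Root LICENSE/COPYING files first, then every other file, so that a
    # license file wins over, e.g., a license section in the README.
    ordered = sorted(files, key=lambda p: (not is_root_license_file(p), p))
    for path in ordered:
        if path == "package.json":        # metadata never counts as license text
            continue
        spdx = match_text(files[path])
        if spdx:
            return {"license": spdx, "source": path, "declared": declared, "issues": []}
    for path in ordered:                  # a license file whose text is not recognised
        if is_root_license_file(path):
            return {"license": "UNKNOWN", "source": path, "declared": declared,
                    "issues": ["unknown license text in " + path]}
    if declared:                          # metadata references a license, no text anywhere
        return {"license": None, "source": None, "declared": declared,
                "issues": [f"{declared} referenced in package.json metadata only; "
                           "no license text found in package files"]}
    return {"license": None, "source": None, "declared": None, "issues": ["missing license"]}


# Constructed sample packages (path -> content).
MIT_TEXT = ("MIT License\n\nPermission is hereby granted, free of charge, to any person "
            "obtaining a copy of this software and associated documentation files...")
SAMPLES = {
    "file-wins": {"package.json": '{"name": "a", "license": "ISC"}', "LICENSE": MIT_TEXT},
    "metadata-only": {"package.json": '{"name": "b", "license": "MIT"}', "index.js": "module.exports = 1;"},
    "embedded": {"package.json": '{"name": "c"}',
                 "README.md": "# c\n\n## License\n\nLicensed under the Apache License, Version 2.0."},
    "no-license": {"package.json": '{"name": "d"}', "index.js": ""},
    "unknown-text": {"package.json": '{"name": "e"}', "LICENSE": "Do whatever you like with this."},
}

if __name__ == "__main__":
    for name, files in SAMPLES.items():
        print(name, identify_license(files))
```

The "file-wins" sample shows the metadata being superseded (package.json says ISC, the LICENSE file is MIT), and "metadata-only" shows the case the plugin flags: a declared license with nothing in the package that actually grants it.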

example of reference to license in metadata, but not actual license

License Dashboard

A License Dashboard is available for any registry with the License Compliance plugin enabled.

The dashboard provides an overview of all License compliance information for a registry, in accordance with the applied license policy.

example license dashboard

The information includes:

  • Detailed license composition - breakdown of the licenses found in a registry, together with the number of associated packages and issues
  • License risk distribution - distribution of license risk for a registry
  • License issues - number of license issues opened by the applied policy for the registry
  • Unique licenses - number of unique licenses identified in packages for a registry
  • License policy - description of and link to the applied license policy

License Issues

License Issues are opened whenever a package license is detected to which the applied license policy assigns a severity other than No Risk. Notifications are sent in accordance with each user's notification settings.

The issue description explains why the issue was opened, using details from the applied license policy such as the matching rule's Description. In addition, a link to the license policy is available in the sidebar.

example license issue