Package licenses
Packages stored in Bytesafe registries are scanned for license information. This includes both standardized open source licenses and custom licenses.
Detailed license information allows users to identify License Compliance Issues with the License Compliance plugin and to get notified directly about non-compliant, unlicensed or non-standard licenses.
License analysis
Package license information is assembled from:
- License analysis of any LICENSE files available in package root
- License analysis of any license text stored in other package files
- License metadata declared in package.json (the license tag and the older licenses tag), .pom and .nuspec files
To display the source for a specific license, hover over a license badge.
Enhanced License Compliance
package.json, .pom, .nuspec metadata.
Identified package licenses
Identified licenses will be displayed as badges on both the package and version levels. Hover over a license badge for details on the source for the license.
Bytesafe differentiates between license information types depending on where the information originates and whether it can be matched to a standardized license id.
Observed licenses
Observed licenses are licenses where actual license files or license text are detected by License Compliance.
Observed standardized licenses are displayed with a white license badge.
Declared licenses
Declared licenses are license metadata (i.e. found in project files like package.json, .pom, .nuspec) that is missing the actual license text.
Declared standardized licenses are displayed using a yellow warning color.
Declared licenses signal a potential license issue, as license text is often required for the license to be applicable. For registries with License Compliance enabled, missing license issues can be opened in line with the applied License Policy.
Standardized licenses
License information identified by Bytesafe is compared to the list of standardized SPDX licenses. Licenses that are matched to a known type are classified as standardized licenses.
License badges for standardized licenses provide a link to more detailed license information.
Unknown licenses
Package files with license text that can't be matched to any known SPDX license will be tagged with the license UNKNOWN.
For registries with License Compliance enabled, license unknown issues can be opened in line with the applied License Policy.
Custom licenses
Custom licenses declared in package.json, .pom, .nuspec metadata are displayed alongside standardized licenses.
For registries with License Compliance enabled, license unknown issues can be opened in line with the applied License Policy.
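The classification described in the sections above (observed vs. declared, standardized SPDX vs. UNKNOWN vs. custom) and the declared-versus-actual-text mismatch noted under "Multiple licenses from different sources" can be worked through on small constructed packages. The script below is an added example and is not Bytesafe's or the License Compliance plugin's own code; the SPDX subset, the text fingerprints, the issue names and the in-memory package contents are all assumptions made for the illustration.

```python
"""Classify package license information the way the page describes.

Added example, not Bytesafe's code. A package is modelled as a dict of
relative file path -> file content (constructed inline below).
"""
import json
import re
from dataclasses import dataclass

# Assumption: a tiny subset of SPDX ids, each keyed to one phrase that only that
# license text contains. A real scanner uses the full SPDX list and fuzzy matching.
SPDX_TEXT_FINGERPRINTS = {
    "MIT": "permission is hereby granted, free of charge",
    "Apache-2.0": "licensed under the apache license, version 2.0",
    "ISC": "permission to use, copy, modify, and/or distribute this software",
}
SPDX_IDS = set(SPDX_TEXT_FINGERPRINTS)


@dataclass(frozen=True)
class LicenseFinding:
    license_id: str    # SPDX id, the declared custom string, or "UNKNOWN"
    kind: str          # "observed" (license text found) or "declared" (metadata only)
    standardized: bool # True when license_id matches a known SPDX id
    source: str        # file the finding came from (what a badge hover would show)


def match_license_text(text):
    """Return the SPDX id whose fingerprint phrase occurs in the text, else None."""
    normalized = " ".join(text.lower().split())
    for spdx_id, phrase in SPDX_TEXT_FINGERPRINTS.items():
        if phrase in normalized:
            return spdx_id
    return None


def declared_from_package_json(content):
    """Read the license tag and the older licenses array from package.json."""
    data = json.loads(content)
    ids = []
    lic = data.get("license")
    if isinstance(lic, str):
        ids.append(lic)
    elif isinstance(lic, dict) and "type" in lic:
        ids.append(lic["type"])
    for entry in data.get("licenses", []):
        ids.append(entry["type"] if isinstance(entry, dict) else entry)
    return ids


def declared_from_pom(content):
    """Read <license><name>..</name></license> entries from a Maven .pom."""
    return re.findall(r"<license>.*?<name>\s*(.*?)\s*</name>.*?</license>", content, re.S)


def declared_from_nuspec(content):
    """Read a <license type="expression"> element from a NuGet .nuspec."""
    m = re.search(r'<license\s+type="expression"\s*>\s*(.*?)\s*</license>', content)
    return [m.group(1)] if m else []


def analyze_package(files):
    """Assemble observed findings (license text) and declared findings (metadata)."""
    findings = []
    for name, content in files.items():
        base = name.rsplit("/", 1)[-1].upper()
        is_license_file = "/" not in name and base.startswith("LICENSE")
        # License text may also sit in other package files, e.g. a README.
        if is_license_file or name.endswith((".md", ".txt")):
            spdx = match_license_text(content)
            if spdx:
                findings.append(LicenseFinding(spdx, "observed", True, name))
            elif is_license_file:  # a license file whose text matches nothing known
                findings.append(LicenseFinding("UNKNOWN", "observed", False, name))
    for name, content in files.items():
        if name == "package.json":
            ids = declared_from_package_json(content)
        elif name.endswith(".pom"):
            ids = declared_from_pom(content)
        elif name.endswith(".nuspec"):
            ids = declared_from_nuspec(content)
        else:
            continue
        for lic_id in ids:
            findings.append(LicenseFinding(lic_id, "declared", lic_id in SPDX_IDS, name))
    return findings


def compliance_issues(findings):
    """Derive (issue_type, detail) pairs; issue names are this example's own."""
    issues = []
    observed = {f.license_id for f in findings if f.kind == "observed"} - {"UNKNOWN"}
    declared = {f.license_id for f in findings if f.kind == "declared" and f.standardized}
    for f in findings:
        if f.license_id == "UNKNOWN":
            issues.append(("license-unknown", f.source))
        elif f.kind == "declared" and not f.standardized:
            issues.append(("custom-license", f"{f.license_id} declared in {f.source}"))
        elif f.kind == "declared" and f.license_id not in observed:
            issues.append(("missing-license-text", f"{f.license_id} declared in {f.source}"))
    if observed and declared and not (observed & declared):
        issues.append(("declared-observed-mismatch",
                       f"declared {sorted(declared)}, observed {sorted(observed)}"))
    return issues


# Constructed sample packages (not real packages).
PKG_OK = {
    "package.json": '{"name": "a", "version": "1.0.0", "license": "MIT"}',
    "LICENSE": "MIT License\n\nPermission is hereby granted, free of charge, to any person ...",
}
PKG_DECLARED_ONLY = {"package.json": '{"name": "b", "license": "Apache-2.0"}'}
PKG_MISMATCH = {
    "package.json": '{"name": "c", "license": "MIT"}',
    "LICENSE": 'Licensed under the Apache License, Version 2.0 (the "License"); ...',
}
PKG_UNKNOWN = {
    "LICENSE": "You may use this software for good, not evil.",
    "package.json": '{"name": "d", "license": "SEE LICENSE IN LICENSE"}',
}

if __name__ == "__main__":
    for label, pkg in [("ok", PKG_OK), ("declared-only", PKG_DECLARED_ONLY),
                       ("mismatch", PKG_MISMATCH), ("unknown", PKG_UNKNOWN)]:
        print(label, compliance_issues(analyze_package(pkg)))
```

Each finding keeps its source file so a UI can show where a license was identified, and declared standardized licenses with no matching text surface as missing-license-text, which is the case the page marks with a yellow badge.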
Multiple licenses from different sources
License metadata declared in package.json, .pom, .nuspec may not match the actual license text in package files.
More information on specific licenses
Users that require more information on a specific license can access an overview of the licenses directly from inside Bytesafe.
Clicking on the badge for any standardized license will direct the user to an overview page for the specific license.