
Component License Information

Just as IQ Server can have policies about security vulnerabilities, it can also have policies for the licenses associated with the open-source components it finds in your applications.

When viewing an Application Composition Report, click on a row to bring up the Component Details Page for that component.


Regardless of the kind of policy violation, you can view some information about the Licenses associated with that component in a few places.

First, in the Overview tab, scroll down to the Compare Versions table and view the Effective License row.


For more detailed information, click the Legal tab. Here you can see the Effective, Declared, and Observed licenses.


Understanding License Information

IQ Server has three identification criteria for licenses. They are:

Effective License

The license that takes effect. When multiple licenses are found, including any that are observed, all of them are listed here. If a license has been selected or overridden, that selected or overridden license is considered effective and is listed here.

Declared License

The License that the developer of the component has identified.

Observed License

The License that Sonatype has observed during its research.

It's not uncommon for a single component to be subject to multiple licenses. For example, the license information might read "EPL-1.0 or LGPL-2.0+, BSD-3-Clause". In this condensed expression, the word "or" denotes a choice the code author grants, meaning a consumer of the code can choose to either abide by the terms of EPL-1.0 or LGPL-2.0+. The "+" (plus) character at the end of a license name is short for "or newer/later versions", so for the example of "LGPL-2.0+" one is again given the choice of LGPL-2.0 or LGPL-2.1 or LGPL-3.0 or whatever newer versions of LGPL the future provides. Lastly, the "," (comma) in the license information denotes a logical conjunction/AND, meaning these license terms apply additionally. Summing up, the example component license "EPL-1.0 or LGPL-2.0+, BSD-3-Clause" conveys that some parts of the component are subject to EPL-1.0 or LGPL-2.0 or newer versions thereof and some parts of the component are subject to BSD-3-Clause.
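As an added example (not IQ Server code and not from this documentation), the following Python parses condensed license expressions of the form described above and checks them against a list of licenses a policy accepts. The operator precedence (a comma binds looser than "or") and the version-comparison rule for "+" are assumptions drawn from the "EPL-1.0 or LGPL-2.0+, BSD-3-Clause" example.

```python
"""Parse and evaluate condensed license expressions such as
"EPL-1.0 or LGPL-2.0+, BSD-3-Clause".

Assumed grammar: "," joins groups that ALL apply (AND), "or" offers a
choice within a group (OR), and a trailing "+" means "this version or any
later version". Example code, not part of IQ Server.
"""
import re


def parse_license_expression(expr):
    """Return a list of groups; every group must be satisfied, and a group
    is satisfied by any one of the license names it contains."""
    groups = []
    for part in expr.split(","):
        alternatives = [a.strip() for a in re.split(r"\s+or\s+", part.strip()) if a.strip()]
        if alternatives:
            groups.append(alternatives)
    return groups


def split_name_version(name):
    """Split "LGPL-2.0" into ("LGPL", (2, 0)); names with no trailing
    version, e.g. "BSD-3-Clause", return (name, None)."""
    m = re.fullmatch(r"(.*?)-(\d+(?:\.\d+)*)", name)
    if not m:
        return name, None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def license_matches(pattern, candidate):
    """True if `candidate` satisfies `pattern`; "LGPL-2.0+" is satisfied by
    LGPL-2.0, LGPL-2.1, LGPL-3.0, ... but not by LGPL-1.0 or GPL-2.0."""
    if not pattern.endswith("+"):
        return pattern == candidate
    family, version = split_name_version(pattern[:-1])
    cfamily, cversion = split_name_version(candidate)
    if version is None or cversion is None:
        return False
    return family == cfamily and cversion >= version


def satisfies_policy(expr, accepted):
    """True if each AND-group has at least one alternative that an
    accepted license satisfies (i.e. the component can be used under
    licenses the policy permits)."""
    return all(any(license_matches(p, a) for p in group for a in accepted)
               for group in parse_license_expression(expr))


if __name__ == "__main__":
    # Constructed sample: a policy that permits LGPL-3.0 and BSD-3-Clause.
    expr = "EPL-1.0 or LGPL-2.0+, BSD-3-Clause"
    print(parse_license_expression(expr))
    print(satisfies_policy(expr, {"LGPL-3.0", "BSD-3-Clause"}))  # True
    print(satisfies_policy(expr, {"EPL-1.0"}))  # False: BSD-3-Clause part unmet
```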

In cases where there are no declared and/or observed licenses, one of the following messages is displayed.

No Source License

Sources were provided, but no license data was found.

No Sources

Sonatype has no source for the component.

Not Declared

Nothing was declared by the component's author/developer.

Not Provided

The license is null. This is unique to components claimed by you or your organization. It will also display while a new component is being processed by Sonatype.

Not Supported

Sonatype or the target ecosystem does not currently support automated license collection for this format.

Selecting, Overriding, and Editing Licenses

Click the Edit button in the Legal tab to bring up the Edit Licenses tile.


Use the Scope dropdown to set the status of the license at the required level: application, organization, or root organization.

Note

The organizational hierarchy has root organization at the highest level, followed by other organizations at multiple levels with applications linked to them. If you select an organization or root organization here, you're changing the status of the license for all organizations and applications that are under its hierarchical level.

Use the drop-down box to select the new status for the license.

Open

The default state. This license will be included in the count of license issues.

Acknowledged

Indicates that the issue is being researched. This license will still be included in the count of license issues.

Overridden

Creates a new drop-down box, allowing you to select another license. This will override any licenses that have been declared or observed.

Selected

Creates a new drop-down box where you can select from all possible licenses that were declared or observed. Used when you, as the consumer of the component, are given a choice between two licenses by the component's author.

Confirmed

Indicates that the licenses presented by IQ Server are correct. This license will still be included in the count of license issues.

Inherit Status (Open)

Indicates that the license status will be the same as defined at the next higher scope. Used when you are unsure of the license status but need to stay compliant with the license obligation requirements of other applications and organizations.