Component License Information
Just like IQ Server can have policies about security vulnerabilities, it can also have policies for the licenses associated with open-source components it might find in your applications.
When viewing an Application Composition Report, click on a row to bring up the Component Details Page for that component.
Regardless of the kind of policy violation, you can view information about the licenses associated with that component in a few places.
First, in the Overview tab, scroll down to the Compare Versions table and view the Effective License row.
For more detailed information, click the Legal tab. Here you can see the Effective, Declared, and Observed licenses.
Understanding License Information
IQ Server uses three identification criteria for licenses:
Effective: The license taking effect. Where multiple licenses are found, including any that are observed, all of them are included here. If a license is selected or overridden, that selected or overridden license is considered effective and listed here.
Declared: The license that the developer of the component has identified.
Observed: The license that Sonatype has observed during its research.
It's not uncommon for a single component to be subject to multiple licenses. For example, the license information might read "EPL-1.0 or LGPL-2.0+, BSD-3-Clause". In this condensed expression, the word "or" denotes a choice the code author grants, meaning a consumer of the code can choose to either abide by the terms of EPL-1.0 or LGPL-2.0+. The "+" (plus) character at the end of a license name is short for "or newer/later versions", so for the example of "LGPL-2.0+" one is again given the choice of LGPL-2.0 or LGPL-2.1 or LGPL-3.0 or whatever newer versions of LGPL the future provides. Lastly, the "," (comma) in the license information denotes a logical conjunction/AND, meaning these license terms apply additionally. Summing up, the example component license "EPL-1.0 or LGPL-2.0+, BSD-3-Clause" conveys that some parts of the component are subject to EPL-1.0 or LGPL-2.0 or newer versions thereof and some parts of the component are subject to BSD-3-Clause.
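The condensed expression described above has a small grammar: "," joins clauses that all apply (AND), "or" offers a choice within a clause, and a trailing "+" widens a single license to that version or any later one. The parser and allow-list check below is an added example written for this page; it is not IQ Server code and not how IQ Server evaluates license policy. The operator precedence (commas separate the outermost groups) and the treatment of "+" as "same license family, equal or higher version number" are assumptions taken from the page's worked example, and the policy allow-lists at the bottom are constructed sample input.

```python
"""Parser and allow-list check for IQ Server-style condensed license expressions.

Grammar assumed from the page's worked example (illustrative parser, not an
IQ Server API and not its internal evaluation logic):
  expression := clause ("," clause)*       comma = AND: every clause must be satisfied
  clause     := license (" or " license)*  "or"  = a choice granted by the author
  license    := identifier ["+"]           "+"   = this version or any later version
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class License:
    name: str        # e.g. "LGPL-2.0"
    or_later: bool   # True when the identifier carried a trailing "+"

    def __str__(self) -> str:
        return self.name + ("+" if self.or_later else "")


def parse_license(token: str) -> License:
    token = token.strip()
    if token.endswith("+"):
        token, or_later = token[:-1].strip(), True
    else:
        or_later = False
    if not token:
        raise ValueError("empty license identifier")
    return License(token, or_later)


def parse_expression(text: str) -> list[list[License]]:
    """Return a list of AND-ed clauses; each clause is a list of OR alternatives."""
    if not text.strip():
        raise ValueError("empty license expression")
    clauses = []
    for clause in text.split(","):
        # The word "or" is the disjunction keyword; split on it case-insensitively.
        alternatives = re.split(r"\s+or\s+", clause.strip(), flags=re.IGNORECASE)
        clauses.append([parse_license(tok) for tok in alternatives])
    return clauses


# Matches names that end in a numeric version, e.g. "LGPL-2.0" or "CC-BY-4.0".
_VERSIONED = re.compile(r"(.+?)-(\d+(?:\.\d+)*)")


def _split_version(name: str) -> tuple[str, tuple[int, ...] | None]:
    """'LGPL-2.0' -> ('LGPL', (2, 0)); names with no trailing numeric version
    (e.g. 'BSD-3-Clause' or 'MIT') come back unchanged with version None."""
    m = _VERSIONED.fullmatch(name)
    if not m:
        return name, None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def license_matches(option: License, allowed: str) -> bool:
    """True if an allow-listed identifier satisfies one alternative of a clause."""
    if option.name == allowed:
        return True
    if not option.or_later:
        return False
    base, version = _split_version(option.name)
    allowed_base, allowed_version = _split_version(allowed)
    # "+" only widens to equal-or-newer versions within the same license family.
    return (base == allowed_base and version is not None
            and allowed_version is not None and allowed_version >= version)


def unsatisfied_clauses(expression: str, allowed: set[str]) -> list[str]:
    """Clauses (rendered back to text) that no allow-listed license satisfies."""
    failures = []
    for clause in parse_expression(expression):
        if not any(license_matches(opt, a) for opt in clause for a in allowed):
            failures.append(" or ".join(str(opt) for opt in clause))
    return failures


def satisfiable(expression: str, allowed: set[str]) -> bool:
    """True when every AND-ed clause has at least one allow-listed alternative."""
    return not unsatisfied_clauses(expression, allowed)


if __name__ == "__main__":
    # Constructed sample: the page's example expression against hypothetical allow-lists.
    expr = "EPL-1.0 or LGPL-2.0+, BSD-3-Clause"
    for policy in ({"LGPL-3.0", "BSD-3-Clause"}, {"EPL-1.0"}, {"MIT", "LGPL-2.0"}):
        print(sorted(policy), "->", unsatisfied_clauses(expr, policy) or "OK")
```

Reporting the unsatisfied clauses rather than a bare yes/no is what makes the check useful in review: for the page's example, an allow-list containing only EPL-1.0 passes the first clause but still fails on BSD-3-Clause, which is exactly the part of the component a reviewer would otherwise overlook.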
If no declared or observed license is found, one of the following messages is displayed instead, explaining why:
- Sources were provided, but no license data was found.
- Sonatype has no source for the component.
- Nothing was declared by the component's author or developer.
- The license is null. This is unique to components claimed by you or your organization, and also displays while a new component is being processed by Sonatype.
- Sonatype or the target ecosystem does not currently support automated license collection for this format.
Selecting, Overriding, and Editing Licenses
Click the Edit button in the Legal tab to bring up the Edit Licenses tile.
Use the Scope dropdown to set the status of the license at the required level: application, organization, or root organization.
Note
The organizational hierarchy has the root organization at the highest level, followed by other organizations at multiple levels, with applications linked to them. If you select an organization or the root organization here, you are changing the status of the license for all organizations and applications under that level of the hierarchy.
Use the drop-down box to select the new status for the license. The available statuses are described below:
- The default state. This license will be included in the count of license issues.
- Indicates that the issue is being researched. This license will still be included in the count of license issues.
- Creates a new drop-down box, allowing you to select another license. This will override any licenses that have been declared or observed.
- Creates a new drop-down box where you can select from all possible licenses that were declared or observed. Used when you, as the consumer of the component, are given a choice between two licenses by the component's author.
- Indicates that the licenses presented by IQ Server are correct. This license will still be included in the count of license issues.
- Indicates that the license status will be exactly the same as defined at the next higher scope. Used when you are unsure of the license status but need to stay compliant with the license obligations of other applications and organizations.