SBOM Manager Legal View
To access the Legal view, you must be licensed for all three solutions: SBOM Manager, Sonatype Lifecycle, and the Advanced Legal Pack (ALP).
The Legal view allows you to identify component licenses in SBOMs, flag policy issues, and generate detailed reports during application-composition analysis. For more information, see the ALP Quickstart.

Understanding License Information
IQ Server has the following identification criteria for licenses:
License | Description |
---|---|
Effective License | The License taking effect. In the scenario where multiple licenses are found, including any that are observed, they will all be included here. If a license is selected or overridden, then that selected or overridden license will be considered effective and listed here. |
Declared License | The License that the developer of the component has identified. |
Observed License | The License that Sonatype has observed during its research. |

It's not uncommon for a single component to be subject to multiple licenses. For example, the license information might read "EPL-1.0 or LGPL-2.0+, BSD-3-Clause". In this condensed expression, the word "or" denotes a choice the code author grants, meaning a consumer of the code can choose to either abide by the terms of EPL-1.0 or LGPL-2.0+. The "+" (plus) character at the end of a license name is short for "or newer/later versions", so for the example of "LGPL-2.0+" one is again given the choice of LGPL-2.0 or LGPL-2.1 or LGPL-3.0 or whatever newer versions of LGPL the future provides. Lastly, the "," (comma) in the license information denotes a logical conjunction/AND, meaning these license terms apply additionally. Summing up, the example component license "EPL-1.0 or LGPL-2.0+, BSD-3-Clause" conveys that some parts of the component are subject to EPL-1.0 or LGPL-2.0 or newer versions thereof and some parts of the component are subject to BSD-3-Clause.
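The reading rules above can be written as a small parser. This is an added example, not Sonatype's code, and it goes one step beyond the text by checking an expression against an approved-license set. Assumptions: "," binds more loosely than "or" (as the example in the text implies), "+" compares numeric versions within the same license family, and the function names and approved sets are hypothetical.

```python
import re

# "LGPL-2.0" -> family "LGPL", version "2.0"; names like "BSD-3-Clause" do not match.
_VERSIONED = re.compile(r"^(?P<family>.+?)-(?P<version>\d+(?:\.\d+)*)$")

def parse_expression(text):
    """Return a list of AND-groups; each group is a list of (name, or_later) choices."""
    groups = []
    for part in text.split(","):                      # "," = AND between groups
        choices = []
        for term in re.split(r"\s+or\s+", part.strip(), flags=re.IGNORECASE):
            term = term.strip()
            if not term:
                raise ValueError(f"empty license term in {text!r}")
            choices.append((term.rstrip("+"), term.endswith("+")))  # "+" = or later
        groups.append(choices)
    return groups

def _version_key(name):
    m = _VERSIONED.match(name)
    if not m:
        return None
    return m["family"].lower(), tuple(int(n) for n in m["version"].split("."))

def term_accepts(term, candidate):
    """True if the candidate license satisfies one (name, or_later) term."""
    name, or_later = term
    if candidate.lower() == name.lower():
        return True
    if not or_later:
        return False
    base, cand = _version_key(name), _version_key(candidate)
    return bool(base and cand and base[0] == cand[0] and cand[1] >= base[1])

def unmet_groups(expression, approved):
    """Return the AND-groups that no license in the approved set satisfies."""
    return [
        group
        for group in parse_expression(expression)
        if not any(term_accepts(t, a) for t in group for a in approved)
    ]

if __name__ == "__main__":
    expr = "EPL-1.0 or LGPL-2.0+, BSD-3-Clause"       # expression from the text
    approved = {"LGPL-2.1", "BSD-3-Clause"}           # constructed sample set
    print(parse_expression(expr))
    print("unmet:", unmet_groups(expr, approved))
```

An empty result from `unmet_groups` means every AND-group has at least one acceptable choice; a non-empty result lists the groups that still need a decision.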
In cases where there are no declared and/or observed licenses, a message will be displayed.
Message | Description |
---|---|
No Source License | Sources were provided, but no license data was found. |
No Sources | Sonatype has no source for the component. |
Not Declared | Nothing was declared by the component's author/developer. |
Not Provided | The license is null. Unique to components claimed by you or your organization. Will also display when a new component is being processed by Sonatype. |
Not Supported | Sonatype or the target ecosystem does not currently support automated license collection for this format. |
Selecting and Overriding Licenses
In the Legal view, select a component, and on the Attribution Summary panel, click the Edit button located in the Licenses section.

An Edit Licenses slide-in panel will appear on the right-hand side of the workspace:

Use the Scope drop-down list to set the scope of the license at the required level, i.e., application, organization, or root organization.
License Status Inheritance
The organizational hierarchy has the root organization at the highest level, followed by other organizations at multiple levels, with applications linked to them. If you select an organization or root organization here, you're changing the status of the license for all organizations and applications that are under its hierarchical level.
Use the Status drop-down list to select the new status for the license.
License status description
Status | Description |
---|---|
Open | The default state. This license will be included in the count of license issues. |
Acknowledged | Indicates that the issue is being researched. This license will still be included in the count of license issues. |
Overridden | Creates a new drop-down box, allowing you to select another license. This will override any licenses that have been declared or observed. |
Selected | Creates a new drop-down box where you can select from all possible licenses that were declared or observed. Used when you, as the consumer of the component, are given a choice between two licenses by the component's author. |
Confirmed | Indicates that the licenses presented by IQ Server are correct. This license will still be included in the count of license issues. |
Inherit Status (Open) | Indicates that the license status will be the exact same as defined at the next higher scope. Used when you are unsure of the license status but need to stay compliant with the license obligation requirements of other apps and organizations. |
Selected and Overridden License Status Tags
SBOM Manager displays status tags for each Selected or Overridden license configured in ALP, Sonatype Lifecycle, or SBOM Manager.