License Threat Groups

License threat groups are simply groups of licenses, broken into categories of severity for the various types of licenses. They help you enforce the use of components whose licensing matches the scope of your application.

Their primary purpose is to serve as the data points for the License section of the Application Composition Report. They are also a way to group the risk associated with licensing.

You can customize a policy to use a license threat group as a condition when IQ Server evaluates applications. For more information about policies and creating conditions, see Getting Started with Policies.

Viewing a License Threat Group

To view a License Threat Group:

  1. Click the Organization & Policies icon on the IQ Server toolbar.
  2. Select an organization in the sidebar. A page of customizable settings is displayed.
  3. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section. The list of License Threat Groups is organized by where the groups are defined: Local for the currently selected organization or Inherited From for an organization higher in the system hierarchy.

The following license threat groups are included by default for the root organization:

Banned
  Any licenses that should not be permitted in any circumstances due to the restrictive nature of the license terms. For example, this license threat group contains the AGPL licenses by default.

Copyleft
  Strong copyleft licenses go a step further than weak copyleft licenses and mandate that any distributed software that links to or otherwise incorporates such code be licensed under compatible licenses, which are a subset of the available open-source licenses. As a result, these licenses have been called viral.

Commercial
  Licenses that contain non-Open Source terms, potentially requiring payment for use of the software. Obligations include:

  • Modification Forbidden
  • Decompilation Forbidden
  • Right to Audit Licensee License Use
  • Subject to Payment

Non Standard
  Something out of the ordinary (e.g. the "If we ever meet, give me a beer" license).

Sonatype Special Licenses
  The license can't be determined. For example, the component's author may not have declared a license. To learn more about why a license may not be detected, see the Component License Information documentation.

Weak Copyleft
  Free software licenses that mandate that source code descended from software licensed under them remain under the same weak copyleft license. However, one can link to weak copyleft code from code under a different license (including non-open-source code), or otherwise incorporate it into a larger piece of software. Otherwise, weak copyleft licenses allow free distribution, use, and sale of copies of the code or the binaries (as long as the binaries are accompanied by the unobfuscated source code).

Liberal
  These licenses allow you to do almost anything conceivable with the program and its source code, including distributing them, selling them, using the resultant software for any purpose, incorporating it into other software, or even converting copies to different licenses, including that of non-free (so-called "proprietary") software.

Sonatype Informational
  License strings that signify Sonatype and/or ecosystem license identification type (e.g. declared or observed) support.

Consult with your legal department for EXACT definitions. Information provided above is from the following reference.

In general, a given license can belong to more than one license threat group, and ideally every license is included in at least one license threat group so that the risk associated with it is classified. However, the set of known licenses grows over time and existing license threat groups are not updated automatically, so there can be licenses that are not included in any license threat group. To guard against the unknown risk such licenses pose to an application, the policy condition mentioned above can also detect and report these unassigned licenses.
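The following is an added illustration of the evaluation logic described above; it is not IQ Server code, and the numeric threat levels, license identifiers, group membership and component coordinates are assumptions for the example (the page names the default groups but not their levels). It models groups inherited from the root organization plus a local group, a license that sits in two groups (the highest threat level wins), and a license that is in no group at all, which is what the "License Threat Group not Assigned" condition is meant to catch.

```python
"""Toy model of how a license threat group policy condition classifies licenses.
Added example; not Sonatype code. All data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class LicenseThreatGroup:
    name: str
    threat_level: int            # 0 = no threat .. 10, same scale as policy threat levels
    licenses: frozenset[str]     # license identifiers included in the group


@dataclass(frozen=True)
class Finding:
    component: str
    license: str
    groups: tuple[str, ...]      # every group the license belongs to (may be several)
    threat_level: int            # highest level among those groups; -1 when unassigned

    @property
    def unassigned(self) -> bool:
        return not self.groups


# Illustrative groups modelled on the defaults named on this page.
# Threat levels and license identifiers are assumed for the example.
ROOT_GROUPS = (
    LicenseThreatGroup("Banned", 10, frozenset({"AGPL-3.0"})),
    LicenseThreatGroup("Copyleft", 8, frozenset({"GPL-2.0", "GPL-3.0"})),
    LicenseThreatGroup("Sonatype Special Licenses", 7, frozenset({"Not Declared", "No Sources"})),
    LicenseThreatGroup("Weak Copyleft", 5, frozenset({"LGPL-2.1", "MPL-2.0", "EPL-2.0"})),
    LicenseThreatGroup("Liberal", 1, frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})),
)

# A hypothetical group created in a child organization; MPL-2.0 now sits in two groups.
LOCAL_GROUPS = (
    LicenseThreatGroup("Needs Legal Review", 6, frozenset({"MPL-2.0", "CC-BY-SA-4.0"})),
)


def effective_groups(*levels):
    """Groups visible to an application: everything inherited from ancestor
    organizations plus the groups defined locally."""
    return tuple(group for level in levels for group in level)


def classify(component: str, license_id: str, groups) -> Finding:
    """Match one license against all groups; take the highest matching threat level."""
    matched = [g for g in groups if license_id in g.licenses]
    names = tuple(sorted(g.name for g in matched))
    level = max((g.threat_level for g in matched), default=-1)
    return Finding(component, license_id, names, level)


def evaluate(scan, groups) -> list[Finding]:
    """scan: mapping of component coordinate -> license identifiers found for it."""
    return [classify(comp, lic, groups) for comp, lics in scan.items() for lic in lics]


def violations(findings, threshold: int, report_unassigned: bool = True) -> list[Finding]:
    """Mimics a policy condition on license threat group level, plus the
    'not assigned' check for licenses that fall into no group at all."""
    return [f for f in findings
            if f.threat_level >= threshold or (report_unassigned and f.unassigned)]


# Constructed scan output for the example (not real components).
SCAN = {
    "org.example:webapp-core:1.4.2": ["Apache-2.0"],
    "org.example:reporting:2.0.0": ["MPL-2.0"],                     # in two groups
    "com.example:pdf-engine:3.1.0": ["AGPL-3.0", "Commercial-EULA"],  # second id in no group
    "net.example:crypto-lib:0.9.0": ["Not Declared"],
}

if __name__ == "__main__":
    groups = effective_groups(ROOT_GROUPS, LOCAL_GROUPS)
    for f in violations(evaluate(SCAN, groups), threshold=7):
        label = "License Threat Group not Assigned" if f.unassigned else ", ".join(f.groups)
        print(f"{f.component}: {f.license} -> {label} (level {f.threat_level})")
```

With a threshold of 7 the run reports the AGPL component, the undeclared license and the unassigned "Commercial-EULA" identifier, while the Apache-2.0 and MPL-2.0 findings stay below the line. Dropping `report_unassigned` would silently pass the EULA component, which is the gap the unassigned-license condition exists to close.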

Creating a License Threat Group

An important aspect of license threat groups is that each one also has a threat level, just like a policy (from 0, signifying no threat, up to 10). Unless you have specific legal advice or counsel, the default license threat groups will suffice, especially in the beginning.

If you wish, you can edit these default groups or create entirely new ones. When creating license threat groups, keep in mind that they are inherited from the organization by all associated applications.

To create a license threat group:

  1. Click the Organization & Policies icon on the IQ Server toolbar.
  2. In the sidebar, select an organization.
  3. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
  4. Click the Add a Threat Group button.
  5. In the New License Threat Group editor, set the following attributes:
    1. License Threat Group Name - Enter a name for the license threat group that is easily identifiable.
    2. Threat Level - Select a number for the threat level that this group of licenses represents.
    3. Included Licenses - Type a string of characters in the filter box or scroll the Available list to locate desired licenses by name.
      1. In the Available column on the left, select a license in the list, then click the right arrow button to move the license to the Included column on the right.
      2. If you accidentally add a wrong license, select the license in the Included column, then click the left arrow to return it to the Available column.
  6. Click Create.

As of IQ Server 1.20, license threat groups can no longer be created at the application level. If you previously had license threat groups in your applications, you can still edit them, but we encourage you to migrate those license threat groups up to the organization.

Editing a License Threat Group

To edit a license threat group:

  1. Click the Organization & Policies icon on the IQ Server toolbar.
  2. In the sidebar, select the organization (or application, if created prior to IQ Server 1.20) in which a license threat group was created.
  3. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
  4. In the list of License Threat Groups, click the one you want to edit (it has a chevron in its row to indicate it’s editable).
  5. In the License Threat Group editor, you can set the following attributes:
    1. License Threat Group Name - Enter a different name for the license threat group that is easily identifiable.
    2. Threat Level - Select a number for the threat level that this group of licenses represents.
    3. Included Licenses - Type a string of characters in the filter box or scroll the columns of licenses to locate desired licenses by name.
      1. To add a license, select the license in the Available column on the left, then click the right arrow button to move the license to the Included column on the right.
      2. To remove a license, select the license in the Included column, then click the left arrow to return it to the Available column.
  6. Click Update.

Deleting a License Threat Group

To delete a license threat group:

  1. Click the Organization & Policies icon on the IQ Server toolbar.
  2. In the sidebar, select the organization in which a license threat group was created.
  3. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
  4. In the list of License Threat Groups, click the one you want to delete (it has a chevron in its row to indicate it’s editable).
  5. In the License Threat Group editor, click the Delete License Threat Group button. A warning message is displayed.
  6. Click Continue to permanently remove the License Threat Group or Cancel to keep it.

Troubleshooting

License Threat Group not Assigned

This violation means a license found in your application is not included in any license threat group, so its risk is unclassified. If you encounter policy violations due to "License Threat Group not Assigned", log in to community.sonatype.com for instructions on updating your IQ Server license threat groups.