License Threat Groups

License threat groups are groups of licenses, broken into categories of risk for the various types of licenses. They can help you achieve your goals related to enforcing the usage of components with licensing that matches the scope of your application.

Their primary purpose is to serve as the data points for license identification in the Application Composition Report. They are also a way to group the risk associated with open source licensing. Policies may be scoped to use a license threat group as a condition when evaluating applications. For more information about policies and creating conditions, see Policy Management.

Viewing a License Threat Group

  1. Select an organization in the sidebar. A page of customizable settings is displayed.

  2. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section. The list of License Threat Groups is organized by where the groups are defined: Local for the currently selected organization or Inherited From an organization higher in the system hierarchy.

The following license threat groups are included by default for the root organization:

Banned

Any licenses that should not be permitted in any circumstances due to the restrictive nature of the license terms. For example, this license threat group contains the AGPL licenses by default.

Copyleft

Strong copyleft licenses go a step further from weak copyleft licenses and mandate that any distributed software that links or otherwise incorporates such code be licensed under compatible licenses, which are a subset of the available open-source licenses. As a result, these licenses have been called viral.

Commercial

Licenses that contain non-Open Source terms, potentially requiring payment for use of the software. Obligations include:

  • Modification Forbidden

  • Decompilation Forbidden

  • Right to Audit Licensee License use

  • Subject to Payment

Non Standard

Something out of the ordinary (e.g. an "if we ever meet, give me a beer" license).

Sonatype Special Licenses

The license can't be determined. For example, the component's author may not have declared a license.

Weak Copyleft

Free software licenses that mandate that source code descended from software licensed under them remains under the same weak copyleft license. However, one can link to weak copyleft code from code under a different license (including non-open-source code), or otherwise incorporate it into a larger piece of software. Otherwise, weak copyleft licenses allow free distribution, use, and selling of copies of the code or the binaries (as long as the binaries are accompanied by the unobfuscated source code), etc.

Liberal

These licenses allow you to do almost anything conceivable with the program and its source code, including distributing them, selling them, using the resultant software for any purpose, incorporating them into other software, or even converting copies to different licenses, including that of non-free (so-called “proprietary”) software.

Sonatype Informational

License strings that signify Sonatype and/or Ecosystem license identification type (e.g. declared or observed) support.

Note

Consult with your legal department for EXACT definitions. The information provided above is for reference.

In general, a given license can belong to more than one license threat group and, ideally, every license is included in at least one license threat group to classify the risk associated with it. However, given that the set of licenses can grow over time and that license threat groups are not automatically updated, there can also be licenses that are not included in any license threat group. To guard against the unknown risk such licenses pose to an application, the aforementioned policy condition can also detect and report these unassigned licenses.
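The classification described above, as an added illustration that is not IQ Server's own code: constructed sample groups loosely modelled on the defaults, a function that maps each of a component's licenses to every group containing it, and a policy-style evaluation that reports the highest matched threat level together with any "License Threat Group not Assigned" licenses. The group membership, threat levels and license identifiers used are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LicenseThreatGroup:
    name: str
    threat_level: int  # 0 = no threat up to 10, the scale the page describes
    licenses: frozenset

    def __post_init__(self):
        if not 0 <= self.threat_level <= 10:
            raise ValueError(f"threat level out of range: {self.threat_level}")


# Constructed sample groups, loosely modelled on the defaults described above.
# Threat levels and license identifiers are illustrative assumptions.
SAMPLE_GROUPS = (
    LicenseThreatGroup("Banned", 10, frozenset({"AGPL-3.0"})),
    LicenseThreatGroup("Copyleft", 7, frozenset({"GPL-2.0", "GPL-3.0"})),
    LicenseThreatGroup("Weak Copyleft", 5, frozenset({"LGPL-2.1", "MPL-2.0"})),
    LicenseThreatGroup("Liberal", 0, frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})),
)


def classify(licenses, groups=SAMPLE_GROUPS):
    """Return ({license: [names of every group containing it]}, sorted list of
    licenses that belong to no group at all)."""
    matches, unassigned = {}, []
    for lic in licenses:
        names = [g.name for g in groups if lic in g.licenses]
        if names:
            matches[lic] = names
        else:
            unassigned.append(lic)
    return matches, sorted(unassigned)


def evaluate(licenses, groups=SAMPLE_GROUPS, flagged=("Banned",), report_unassigned=True):
    """Emulate a policy whose conditions are "license threat group is one of
    `flagged`" and "License Threat Group not Assigned". Returns (threat_level,
    violations): the highest level of any matched group, and the reasons."""
    matches, unassigned = classify(licenses, groups)
    level_of = {g.name: g.threat_level for g in groups}
    level = max((level_of[n] for names in matches.values() for n in names), default=0)
    violations = [f"{lic} is in license threat group {n}"
                  for lic, names in sorted(matches.items()) for n in names if n in flagged]
    if report_unassigned:
        violations += [f"{lic}: License Threat Group not Assigned" for lic in unassigned]
    return level, violations
```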

Creating a License Threat Group

An important aspect of license threat groups is that each one also has a threat level, just like a policy (from zero, signifying no threat, up to 10). Unless you have a specific legal recommendation or counsel, the default license threat groups will suffice, especially in the beginning.

If you desire, you can edit these default groups, or create entirely new ones. When creating license threat groups, keep in mind that they will be inherited from the organization to all associated applications.

To create a license threat group:

  1. In the sidebar, select an organization.

  2. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.

  3. Click the Add a Threat Group button.

  4. In the New License Threat Group editor, set the following attributes:

    1. License Threat Group Name - Enter a name for the license threat group that is easily identifiable.

    2. Threat Level - Select a number for the threat level that this group of licenses represents.

    3. Included Licenses - Type a string of characters in the filter box or scroll the Available list to locate desired licenses by name.

      1. In the Available column on the left, select a license in the list, then click the right arrow button to move the license to the Included column on the right.

      2. If you accidentally add a wrong license, select the license in the Included column, then click the left arrow to return it to the Available column.

  5. Click Create.

Editing a License Threat Group

To edit a license threat group:

  1. In the sidebar, select the organization (or application, if created prior to IQ Server 1.20) in which a license threat group was created.

  2. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.

  3. In the list of License Threat Groups, click the one you want to edit (it has a chevron in its row to indicate it’s editable).

  4. In the License Threat Group editor, you can set the following attributes:

    1. License Threat Group Name - Enter a different name for the license threat group that is easily identifiable.

    2. Threat Level - Select a number for the threat level that this group of licenses represents.

    3. Included Licenses - Type a string of characters in the filter box or scroll the columns of licenses to locate desired licenses by name.

      1. To add a license, select the license in the Available column on the left, then click the right arrow button to move the license to the Included column on the right.

      2. To remove a license, select the license in the Included column, then click the left arrow to return it to the Available column.

  5. Click Update.

Deleting a License Threat Group

To delete a license threat group:

  1. In the sidebar, select the organization in which a license threat group was created.

  2. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.

  3. In the list of License Threat Groups, click the one you want to delete (it has a chevron in its row to indicate it’s editable).

  4. In the License Threat Group editor, click the Delete License Threat Group button. A warning message is displayed.

  5. Click Continue to permanently remove the License Threat Group or Cancel to keep it.

Troubleshooting

License Threat Group not Assigned

If you encounter policy violations due to "License Threat Group not Assigned", log in to community.sonatype.com for instructions to update your IQ Server License Threat Groups.