License Threat Groups
Licenses on open-source components declare obligations that the consumers of those components must follow. These obligations present different levels of risk depending on how the final application is deployed and distributed. License Threat Groups (LTG) categorize licenses by these obligations to allow organizations to manage licenses by the risk they present to the organization and how they are used in their applications.
Organizations manage their license policies by allocating licenses to the different threat groups rather than manually listing every license in the policy. Licenses Threat Groups in the provided reference policies are regularly audited by Sonatype's legal team to accurately allocate any newly discovered licenses into the correct buckets by reviewing all obligations associated with those licenses.
Reference Policy License Threat Group
The License Threat Groups are managed in the Orgs and Policies section. The following are the default license threat groups provided in the reference policies.
A given license may belong to more than one license threat group while every license is included in at least one.
Banned
Any licenses that should not be permitted in any circumstances due to the restrictive nature of the license terms. For example, this license threat group contains the AGPL licenses by default.
Copyleft
Strong copyleft licenses go a step further from weak copyleft licenses and mandate that any distributed software that links or otherwise incorporates such code be licensed under compatible licenses, which are a subset of the available open-source licenses. As a result, these licenses have been called viral.
License-AI-ML
As the use of Artificial Intelligence and Machine Learning tools become more prevalent, the need to track where they are used becomes more important. These are licenses associated with AI-ML libraries and LLMs.
Commercial
Licenses that contain non-Open Source terms, potentially requiring payment for the use of the software. Obligations in these licenses include:
Modification Forbidden
Decompilation Forbidden
Right to Audit Licensee License use
Subject to Payment
Non-Standard
Something out of the ordinary (e.g. If we ever meet, give me a beer license).
Sonatype Special Licenses
The license can't be determined. For example, the component's author may not have declared a license.
Weak Copyleft
Free software licenses that mandate that source code that descended from software licensed under them, will remain under the same, weak copyleft, license. However, one can link to weak copyleft code from code under a different license (including non-open-source code), or otherwise incorporate it in a larger software. Otherwise, weak copyleft licenses allow free distribution, use, and selling of copies of the code or the binaries (as long as the binaries are accompanied by the (unobfuscated) source code), etc.
Liberal
These licenses allow you to do almost anything conceivable with the program and its source code, including distributing them, selling them, using the resultant software for any purpose, incorporating them into other software, or even converting copies to different licenses, including that of non-free (so-called “proprietary”) software.
Sonatype Informational
License strings that signify Sonatype and/or Ecosystem license identification type (e.g. declared or observed) support.
Automatically Update Your License Threat Groups
While new licenses are continuously added to the platform, newly discovered licenses are not automatically added to the existing Licenses Threat Groups once the policies have been deployed. This is to avoid overwriting any modifications that your legal team may have performed. You should periodically update your License Threat Groups with new licenses every six months.
You can use the License Threat Group Updater tool (part of our experimental Labs program) to automatically update your license threat groups with the most up-to-date categorization.
Creating a License Threat Group
An important aspect of license threat groups is that each one also has a threat level, just like policy (from zero signifying no threat up to 10). Unless you have a specific legal recommendation/council, the default license threat groups will suffice, especially in the beginning.
If you desire, you can edit these default groups, or create entirely new ones. When creating license threat groups, keep in mind that they will be inherited from the organization to all associated applications.
To create a license threat group:
In the sidebar, select an organization.
Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
Click the Add a Threat Group button.
In the New License Threat Group editor, set the following attributes:
License Threat Group Name - Enter a name for the license threat group that is easily identifiable.
Threat Level - Select a number for the threat level that this group of licenses represents.
Included Licenses - Type a string of characters in the filter box or scroll the Available list to locate desired licenses by name.
In the Available column on the left, select a license in the list, then click the right arrow button to move the license to the Included column on the right.
If you accidentally add a wrong license, select the license in the Included column, then click the left arrow to return it to the Available column.
Click Create.
Editing a License Threat Group
To edit a license threat group:
In the sidebar, select the organization (or application, if created prior to IQ Server 1.20) in which a license threat group was created.
Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
In the list of License Threat Groups, click the one you want to edit (it has a chevron in its row to indicate it’s editable).
In the License Threat Group editor, you can set the following attributes:
License Threat Group Name - Enter a different name for the license threat group that is easily identifiable.
Threat Level - Select a number for the threat level that this group of licenses represents.
Included Licenses - Type a string of characters in the filter box or scroll the columns of licenses to locate desired licenses by name.
To add a license, select the license in the Available column on the left, then click the right arrow button to move the license to the Included column on the right.
To remove a license, select the license in the Included column, then click the left arrow to return it to the Available column.
Click Update.
Deleting a License Threat Group
To delete a license threat group:
In the sidebar, select the organization in which a license threat group was created.
Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
In the list of License Threat Groups, click the one you want to delete (it has a chevron in its row to indicate it’s editable).
In the License Threat Group editor, click the Delete License Threat Group button. A warning message is displayed.
Click Continue to permanently remove the License Threat Group or Cancel to keep it.
Troubleshooting
License Threat Group not Assigned
If you encounter policy violations due to "License Threat Group not Assigned", login to community.sonatype.com for instructions to update your IQ Server License Threat Groups.