Understanding License Type

License Threat Groups allow us to categorize licenses, based on the potential threat they provide. In addition, there are other "license types" which we'll further describe here, as they can enhance your understanding of the threat, or alter the results in your policy violations. Please see Component License Information for basic license type descriptions.

Types of License Identification

There are three types of license identification:

  • Declared License relates to the license information supplied as part of the project which develops the component, typically declared at the root of the component, for example Java as part of the pom.xml.
  • Observed License relates to the license information observed as part of Sonatype's research. This may be as a result of a license embedded within the source code, or documented elsewhere within the project metadata, or website etc. This may or may not be the same as the Declared license. This may differ as a result of the re-use of code from another project, a developer deciding to license their code independently of the project, or other reasons.
  • Effective License relates to the combination of the Declared and Observed License types, which may lead to multiple options.

License Policy Options

When creating a license policy, there are four conditions that are available to process license risk:

License relates to the license type, where you are referencing the effective license(s).

Sonatype continually updates the license information within the product. For expediency throughout the user interface, there is a combination of short name and long name used in IQ server. For example, the Component Information Panel (CIP) and policy definition tend to the short name, while the license threat group condition creations use the long name. A mapping of common licenses can be found at https://spdx.org/licenses/.

In addition to actual license types, additional options include:

Long NameShort NameDescription
Not known at this time or there isnt oneNon-StandardWe have a non standard threat group.
No licenses declared in component descriptorNot DeclaredYou have declared no license, this different from the Not Provided license type, assuming that we may have embedded some license text but included no specific license type (i.e. Apache or GNU etc). This is valid across all ecosystems on a per component basis.
No License Information was ProvidedNot ProvidedWill appear when the license is actually null, this is unique to claimed components; in addition this may also apply as new components are being processed by Sonatype.
Not SupportedNot SupportedOnly seen as an Observed License attribute for non-java eco system where we dont ingest source license details.
No licenses found in sourcesNo Source License

This means that you have a source, but there are no license statements (i.e. no Observed License) otherwise we see an observed license.


No sources provided with componentNo SourcesThis means the component has no source code. This is valid across all eco-systems.