Advanced Legal Pack Quickstart
Using the Advanced Legal Pack
Log in to Sonatype Lifecycle and select Legal from the navigation menu. Use the Legal Obligations page to manage your legal obligations and attributions.
The Applications tab contains a list of all applications detected during the last scan. The Components tab contains all components used by every application scanned by the Sonatype IQ Server.
From here, you will be able to manage your legal obligations and attributions via the Legal Backlog. The Legal Backlog provides a list of your applications with information on the last scan, application categories, and the components reviewed.
On the Applications tab, you'll see a list of every application known to your IQ Server. Use the Filter button at the top right to narrow your results by organization, application, application category, stage, or review progress. Clicking Create Attribution Report creates an attribution report for all the applications currently matched by the filter.
On the Components tab, you'll see a list of every component in every application known to the IQ Server. As before, use the Filter button at the top right to narrow your results by organization, application, application category, stage, or review progress.
Selecting an application from the Applications tab takes you to the Application Legal Details page. Here, you will see a list of all components in that application and can view details on their licenses, completed obligations, and review status. This is also where you can create an Attribution Report for just the selected application.
Click the Create Attribution Report button on this page.
Note
Report generation for Attribution Reports can take longer for a large number of applications or components. We estimate a response time of 1 minute to generate an attribution report for around 1000 components. For environments using a reverse proxy, we recommend increasing the reverse proxy timeout when generating Attribution Reports for a large number of applications or components; otherwise the proxy may close the connection before the report is returned.
Refer to License Legal REST API for more information on Attribution Report templates and other customizations.
Selecting a component from the Application Legal Details page or from the Components tab of the Legal Backlog takes you to the Component License Details page. The top portion of the screen gives you an overview of your review progress and other license details. The remainder of the screen is where you review your license obligations and add or edit copyright statements, notice texts, license texts, and attributions.
Example Workflows with the ALP
Most legal teams don’t currently have a tool to support their work and rely on manual processes to manage compliance and licensing. The ALP automates and reduces these manual, time-consuming tasks. See below for some examples:
| Scenario | Lifecycle Workflow | ALP Workflow |
|---|---|---|
| As a release manager/legal reviewer, I'm being asked to provide an attribution report meeting the obligations of our OSS dependencies. | 1. Export raw legal data out of Lifecycle as a CSV. 2. Spend upwards of 60 hours collecting data for a single application. | 1. Automatically collect the required legal data. 2. Edit that data, as needed. 3. Use a form to generate an attribution report. |
| As a legal reviewer, I'm being asked by a third-party organization to provide extended legal data about components my development teams would like to use, for approval. | No Lifecycle workflow. Alternative: Download the component and use grep, or a third-party tool, to try to collect the data. | 1. Select a component from the list of obligations. 2. Export the extended legal data. |
| As a legal reviewer, I would like more information about components with a Non-Declared, See-License, or Non-Standard license detection. | No Lifecycle workflow. Alternative: Download the component and use grep, or a third-party tool, to try to collect the data. | 1. Select a component from the list of obligations. 2. Check the extended legal data for potential detections that Lifecycle is not able to perform. |