Component License Information
In some cases, the licenses of a component are the last thing a development team will think about. This could simply be due to a misunderstanding of open source, or to a situation where it’s nearly impossible to do the exhaustive research needed to determine the license for a given component, especially for its dependencies.
Even if you haven’t built policies around licenses, the License Analysis tab provides license information about every component found during a scan of your application.
This license information is provided via data collected from the Central Repository, as well as research conducted by Sonatype. In addition to the license information for each component, we also assess the threat of each license, based on a set of default License Threat Groups. As with Security Issues, the best place to start is the component list in the License Analysis tab; from there, look at additional details for individual components and make any license status changes you see fit.
License Threat Group
License threat groups are based on what is configured for each organization or application. Additional information can be found in License Threat Groups.
How you manage your license threat groups directly impacts how threat is translated in the reports.
The component list on the License Analysis tab is similar to the list on the Policy Violations tab: it is a list of all components, not just those that have a license issue.
The list itself includes columns for License Threat, Component, and Status of the license issue. Clicking on a column heading sorts the list, while specific items can be searched using the field just below the column heading.
The list of components is ordered by license threat, which is based on the threats assigned to the license threat groups. Though a single component may actually have several licenses, the License Threat column only shows the highest threat. This threat, as we mentioned earlier, is based on four default categories, which correspond to four default license threat groups of the same name.
- No Threat
License status, like the status for security vulnerabilities, allows you to track the progress of license related research. In addition, it provides a way to override a license in situations where you believe the license to be incorrect, or to select a specific license when several are found.
The Component Information Panel (CIP)
To access the CIP for a component on the License Analysis tab, simply click on the component row. It expands to provide details in a number of sections. You will likely notice this looks the same as the CIP panels opened from other tabs of the Application Composition Report, and you would be correct: nothing additional is provided by accessing the CIP via the License Analysis tab. However, for this section, we want to focus on the license related information in the Component Info section, as well as the entire Edit Licenses and Audit sections.
Again, the information contained here is the same whether or not you clicked on the component in the License Analysis tab. However, this gives us the context to talk about the license related fields in this section.
License Identification Types
On the left side of the Component Info section, you should pay attention to three fields, which are described below.
- Declared License: these are the licenses that the developer of the component has identified.
- Observed License: these are the licenses that have been observed during Sonatype’s research.
- Effective License: the effective license displays license information based on one of two scenarios. In cases where multiple licenses are found, including any that are observed, these will all be included as effective. If a license is selected, or overridden, then that license will be considered effective, and listed here.
License Identification Values
In cases where there are no declared and/or observed licenses, a message is displayed instead. There are several possible messages, each with a specific meaning:
- No Source License: sources were provided, but there was no license data found.
- No Sources: indicates we have no sources for the component.
- Not Declared: indicates nothing was declared by the author/developer.
- Not Provided: will appear when the license is actually null, and is unique to claimed components, but might also happen while new components are being processed by Sonatype.
- Not Supported: indicates Sonatype or the target ecosystem does not currently support automated license collection for this component format.
The graph itself is laid out like a grid, with each vertical piece representing a particular version. The selected version is identified by a vertical line.
While the information displayed in the graph includes popularity and violations of all policy types, for now just look at the policy threats for licensing (click on the Details link to show policy threats for each policy type). The heatmap provides a quick way of identifying a component version with a suitable license.
Editing License Status and Information
Editing a license can be used for different purposes. One addresses the workflow of your research into a license related issue, while the other allows you to completely override a license altogether. We’ll cover all of this below, but first let’s take a look at the information displayed.
After clicking on a component in the list, and then the Licenses section of the CIP, the left side of the CIP displays the license(s) declared by the developer of the component, those that have been observed, and what is considered effective (a combination of the previous two). That is, unless they have been manually overridden or a specific license has been selected.
Next to each of these licenses is a box displaying the severity of the license. This list can get long, so you may have to scroll to see all the licenses. Then, to the right of the license list, there are four drop down lists.
Scope allows you to apply the license status either to this component only, by choosing application, or to all components attached to the current application’s organization, by choosing organization.
As we mentioned previously, Status provides a way to track your research, override a license, or select among the licenses found. The available options are included below.
- Open: This is the default status, and will be included in the count of license issues.
- Acknowledged: Acknowledged indicates the issue is being researched, and will still be included in the count of license issues.
- Overridden: This status will allow you to select one or more licenses from the License(s) dropdown (located just below the Status dropdown). This will override any licenses that have been declared or observed.
- Selected: In cases where there are multiple licenses, this option will populate the License(s) dropdown with any licenses found in the component, declared or observed. Multiple licenses can be selected.
- Confirmed: Confirmed simply indicates that the license(s) found are indeed correct, and will be included in any count of license issues.
- License(s): The License(s) drop down is only displayed when a status of Selected or Overridden has been chosen. It presents either a list of all licenses (if Overridden is chosen) or only the declared and observed licenses (if Selected is chosen). The license that is chosen will be displayed in the Effective License field in the Component Info section of the CIP. In addition, any overridden/selected license will be indicated with a label of the same name, next to the license in this field.
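The rules above (Effective License as the union of declared and observed licenses unless a Selected or Overridden status replaces it, the highest threat shown per component, and which statuses count as license issues) modelled in Python. This is an added illustration, not Sonatype code; the threat table, the group names other than "No Threat", and the numeric threat levels are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed threat table: license id -> (threat group, numeric threat).
# "No Threat" is the group name from the page; the other group names and the
# numbers are assumptions for this example, not Sonatype's defaults.
LICENSE_THREAT = {
    "Apache-2.0": ("No Threat", 0),
    "MIT": ("No Threat", 0),
    "LGPL-2.1": ("Example Group B", 5),
    "GPL-3.0": ("Example Group C", 9),
}

@dataclass
class Component:
    name: str
    declared: list          # Declared License: identified by the developer
    observed: list          # Observed License: found during research
    status: str = "Open"    # Open | Acknowledged | Overridden | Selected | Confirmed
    chosen: list = field(default_factory=list)  # the License(s) dropdown choice

def effective_licenses(c):
    """Effective License: all declared and observed licenses, unless a status of
    Overridden or Selected replaces them with the licenses chosen in License(s)."""
    found = list(dict.fromkeys(c.declared + c.observed))
    if c.status not in ("Overridden", "Selected"):
        return found
    if not c.chosen:
        raise ValueError(f"{c.name}: status {c.status} requires a License(s) choice")
    if c.status == "Selected":
        # Selected may only pick from the declared/observed licenses; Overridden may pick any.
        bad = [lic for lic in c.chosen if lic not in found]
        if bad:
            raise ValueError(f"{c.name}: Selected licenses must be declared or observed: {bad}")
    return list(dict.fromkeys(c.chosen))

def license_threat(c):
    """Only the highest threat among a component's effective licenses is shown."""
    worst = ("No Threat", 0)
    for lic in effective_licenses(c):
        # Unmapped licenses are treated as No Threat only to keep the example small.
        group, level = LICENSE_THREAT.get(lic, ("No Threat", 0))
        if level > worst[1]:
            worst = (group, level)
    return worst

def counts_as_license_issue(c):
    """Open, Acknowledged and Confirmed are included in the license issue count."""
    return c.status in ("Open", "Acknowledged", "Confirmed")

def order_by_threat(components):
    """List order on the License Analysis tab: highest license threat first."""
    return sorted(components, key=lambda c: license_threat(c)[1], reverse=True)
```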
A comment is not required, but it is a good element to include whenever you change the License Status, because it provides a way to understand, as well as audit, the decisions made to change a license status. This comment is included with the record in the Audit Log section of the CIP.
Once you have made all your selections, and entered any necessary comments, click the Update button to save the License Status change.