Component License Information
Just like IQ Server can have policies about security vulnerabilities, it can also have policies for the licenses associated with open-source components it might find in your applications.
Viewing License Information
When viewing an Application Composition Report, click on a row to bring up the Component Details Page for that component.
Regardless of the kind of policy violation, you can view some information about the Licenses associated with that component in a few places.
First, in the Overview tab, scroll down to the Compare Versions table and view the Effective License row.
For more detailed information, click the Legal tab. Here you can see the Effective, Declared, and Observed licenses.
Understanding License Information
IQ Server has three identification criteria for licenses. They are:
|Declared|The License that the developer of the component has identified.|
|Observed|The License that Sonatype has observed during its research.|
|Effective|The License taking effect. In the scenario where multiple licenses are found, including any that are observed, they will all be included here. If a license is selected or overridden, then that selected or overridden license will be considered effective and listed here.|
It's not uncommon for a single component to be subject to multiple licenses. For example, the license information might read "EPL-1.0 or LGPL-2.0+, BSD-3-Clause". In this condensed expression, the word "or" denotes a choice the code author grants, meaning a consumer of the code can choose to either abide by the terms of EPL-1.0 or LGPL-2.0+. The "+" (plus) character at the end of a license name is short for "or newer/later versions", so for the example of "LGPL-2.0+" one is again given the choice of LGPL-2.0 or LGPL-2.1 or LGPL-3.0 or whatever newer versions of LGPL the future provides. Lastly, the "," (comma) in the license information denotes a logical conjunction/AND, meaning these license terms apply additionally. Summing up, the example component license "EPL-1.0 or LGPL-2.0+, BSD-3-Clause" conveys that some parts of the component are subject to EPL-1.0 or LGPL-2.0 or newer versions thereof and some parts of the component are subject to BSD-3-Clause.
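The condensed expression described above is small enough to parse mechanically, which is what a license policy check has to do before it can decide whether a component's effective license is acceptable. The following is an added example, not code from IQ Server or Sonatype: it parses an expression using the three operators explained above ("," as AND, "or" as a choice, trailing "+" as "or a newer version"), and evaluates it against a hypothetical allow-list of license identifiers. It assumes versioned identifiers take the form FAMILY-X.Y (so "LGPL-3.0" counts as a newer version of "LGPL-2.0+", while "BSD-3-Clause" is treated as unversioned); the allow-list contents are constructed for the demonstration.

```python
"""Parse condensed license expressions and check them against an allow-list.

Added example; not Sonatype code. Operators, as described on the page:
  ","   -> logical AND: every comma-separated group must be satisfied
  " or "-> a choice: any one alternative in the group is enough
  "+"   -> that license or any newer version of the same family
"""
import re
from dataclasses import dataclass

# Assumption: a versioned id looks like FAMILY-<digits[.digits...]>, e.g. "LGPL-2.0".
# "BSD-3-Clause" does not match (trailing part is not numeric) and is unversioned.
_VERSIONED = re.compile(r"^(?P<family>.+)-(?P<version>\d+(?:\.\d+)*)$")


def _family_and_version(license_id: str):
    """Return (family, version tuple) for FAMILY-X.Y ids, or None if unversioned."""
    m = _VERSIONED.match(license_id)
    if not m:
        return None
    return m.group("family"), tuple(int(p) for p in m.group("version").split("."))


@dataclass(frozen=True)
class LicenseTerm:
    name: str        # identifier as written, with any trailing '+' removed
    or_later: bool   # True when the expression carried a trailing '+'

    def satisfied_by(self, allowed: set) -> bool:
        """True if this term is acceptable given the allow-list of license ids."""
        if self.name in allowed:
            return True
        if not self.or_later:
            return False
        fv = _family_and_version(self.name)
        if fv is None:
            return False  # '+' on an unversioned id: nothing newer to compare against
        family, version = fv
        for candidate in allowed:
            cfv = _family_and_version(candidate)
            if cfv and cfv[0] == family and cfv[1] >= version:
                return True  # e.g. LGPL-3.0 satisfies LGPL-2.0+
        return False


def parse_license_expression(expr: str):
    """Return a list of AND-groups; each group is a list of alternative LicenseTerms."""
    groups = []
    for conj in expr.split(","):
        conj = conj.strip()
        if not conj:
            continue
        alternatives = []
        for alt in re.split(r"\s+or\s+", conj):
            alt = alt.strip()
            if alt.endswith("+"):
                alternatives.append(LicenseTerm(alt[:-1], True))
            else:
                alternatives.append(LicenseTerm(alt, False))
        groups.append(alternatives)
    return groups


def unsatisfied_groups(expr: str, allowed):
    """AND-groups for which no alternative is allowed; empty means the policy passes."""
    allowed = set(allowed)
    return [g for g in parse_license_expression(expr)
            if not any(term.satisfied_by(allowed) for term in g)]


def expression_is_allowed(expr: str, allowed) -> bool:
    return not unsatisfied_groups(expr, allowed)


# The page's own example expression; the allow-lists below are constructed.
EXAMPLE = "EPL-1.0 or LGPL-2.0+, BSD-3-Clause"

if __name__ == "__main__":
    for allow in ({"LGPL-3.0", "BSD-3-Clause"}, {"LGPL-3.0"}, {"EPL-1.0"}):
        missing = [[t.name for t in g] for g in unsatisfied_groups(EXAMPLE, allow)]
        print(sorted(allow), "->", "allowed" if not missing else f"blocked by {missing}")
```

With the allow-list {"LGPL-3.0", "BSD-3-Clause"} the expression passes: the first group is satisfied through LGPL-2.0+ (3.0 is newer than 2.0) and the second by BSD-3-Clause. Dropping BSD-3-Clause from the allow-list blocks the component, and the unsatisfied group tells the reviewer exactly which conjunct the policy is missing. Note that the "+" handling is deliberately one-directional: an allow-list containing only "LGPL-1.0" does not satisfy "LGPL-2.0+", and a plain "EPL-1.0" term is not satisfied by "EPL-2.0" because the author granted no newer-version choice there.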
In cases where there is no declared and/or observed license, one of the following messages is displayed instead.
|No Source License: Sources were provided, but no license data found.|
|Sonatype has no source for the component|
|Nothing was declared by the component's author/developer|
|The license is null. Unique to components claimed by you or your organization. Will also display when a new component is being processed by Sonatype.|
|Sonatype or the target ecosystem does not currently support automated license collection for this format.|
Selecting, Overriding, and Editing Licenses
Click the Edit button in the Legal tab to bring up the Edit Licenses tile.
The radio buttons allow you to set the status of the license at the Application, Organization, or Root Organization level.
Remember, the organizational hierarchy has Root Organization at the highest level, followed by Organization and Application. If you select Organization or Root Organization here, you're changing the status of the license for more than just the current application.
Use the drop-down box to select the new status for the license.
|The default state. This license will be included in the count of license issues.|
|Indicates that the issue is being researched. This license will still be included in the count of license issues.|
|Creates a new drop-down box, allowing you to select another license. This will override any licenses that have been declared or observed.|
|Creates a new drop-down box where you can select from all possible licenses that were declared or observed. Used when you, as the consumer of the component, are given a choice between two licenses by the component's author.|
|Indicates that the licenses presented by IQ Server are correct. This license will still be included in the count of license issues.|