8.2. License Threat Groups
License threat groups are simply groups of licenses, broken into categories of
severity for the various types of licenses. They can help you achieve your
goals related to enforcing the usage of components whose licensing matches
the scope of your application.
Their primary purpose is to serve as the data points for the License section of
the Application Composition Report. They are also a way to group the risk
associated with licensing. The following license threat groups are included by default.
- Banned: Any licenses that should not be permitted in any circumstances. This
  license threat group contains the AGPL licenses by default.
- Copyleft: Strong copyleft licenses go a step further than weak copyleft
  licenses and mandate that any distributed software that links to or otherwise
  incorporates such code be licensed under compatible licenses, which are a
  subset of the available open-source licenses. As a result, these licenses have
  been called viral.
- Non Standard: Something out of the ordinary (e.g. an “If we ever meet, give me
  a beer” license).
- Sonatype Special Licenses: A license threat group for identifying situations
  where Sonatype has been unable to determine the license of a component.
- Weak Copyleft: Free software licenses that mandate that source code descended
  from software licensed under them will remain under the same weak copyleft
  license. However, one can link to weak copyleft code from code under a
  different license (including non-open-source code), or otherwise incorporate
  it in a larger piece of software. Otherwise, weak copyleft licenses allow free
  distribution, use, selling copies of the code or the binaries (as long as the
  binaries are accompanied by the (unobfuscated) source code), etc.
- Liberal: These licenses allow you to do almost anything conceivable with the
  program and its source code, including distributing them, selling them, using
  the resultant software for any purpose, incorporating it into other software,
  or even converting copies to different licenses, including that of non-free
  (so-called “proprietary”) software.
Consult with your legal department for EXACT definitions. The information
provided above is from the following reference.
8.2.1. Creating, Editing, and Deleting a License Threat Group
An important aspect of license threat groups is that each one also has a threat
level, just like a policy (from zero, signifying no threat, all the way up to 10).
Unless you have a specific legal recommendation or counsel, the default license
threat groups will suffice, especially in the beginning.
If you desire, you can edit these default groups or create entirely new ones.
When creating license threat groups, keep in mind that they are inherited
from the organization by all associated applications.
To create a license threat group:
- Click the Manage Applications and Organizations icon on the Nexus IQ Server
  toolbar.
- In the sidebar, select the desired organization or application.
- In the Manage Applications and Organizations area, click Licenses.
- Click the New License Threat Group button.
- In the License Threat Group dialog box, set the following attributes:
  - Name - This is the name for your license threat group. When creating or
    editing the name of a license threat group, remember to use something that
    is easily identifiable. If you’re following along with our example in the
    next section, use Banned Licenses.
  - Threat Level - This is the level of threat this group of licenses should
    represent.
  - Applied and Available Licenses - Adding licenses to the license threat
    group is not an actual requirement, but there really isn’t much use for
    simply creating a group as a placeholder, so this is treated as a required
    field.
    - On the left are the licenses that are included in the license threat
      group. Click on a license to remove it.
    - On the right are the licenses that can be added to the group. Click on a
      license to add it.
- Click Save.
- Editing: To make changes to a license threat group, click on the Edit icon
  (shaped like a pencil).
- Deleting: To delete a license threat group, just click on the Delete icon
  (shaped like a trash can) next to the label name.
A few things to remember:
- A set of default license threat groups is provided.
- Applications inherit license threat groups from their organization.
- An organization’s license threat groups can be seen by any of its
  applications; the reverse is not true.
- License threat groups can only be edited (or deleted) at the level at which
  they were created.
8.2.2. Creating a Condition Based on a License Threat Group
In the example below a new condition for the license threat group, Banned
Licenses, will be added to a new policy.
In our instructions, we’ve made an assumption that you understand how to
create a policy.
- Create a new policy.
- In the Constraints area, click on the Expand/Collapse icon (shaped like a
  right-facing triangle). It’s next to the Constraint Name and should display
  Unnamed Constraint.
- Once the constraint is expanded, click the Constraint Name field and enter
  Banned License.
- Now, in the Conditions area, change Age in the first drop down menu to
  License Threat Group.
- Next, in the second drop down menu, choose is for the operator.
- Finally, in the third drop down menu, find and select the Banned License
  label you just created.
- Click the Save button to finish.
8.2.3. Creating a Condition Based on an Unassigned License Threat Group
In most cases, a license is associated with one or more License Threat Groups.
However, it is possible for a license to have no association with any License
Threat Group. You can create a Policy to detect when a component has a license
that is not assigned to any License Threat Group.
In the example below a new condition for detecting components with licenses not
assigned to any License Threat Group will be added to a new policy.
In our instructions, we’ve made an assumption that you understand how to
create a policy.
- Create a new policy.
- In the Constraints area, click on the Expand/Collapse icon (shaped like a
  right-facing triangle). It’s next to the Constraint Name and should display
  Unnamed Constraint.
- Once the constraint is expanded, click the Constraint Name field and enter
  Unassigned LTG.
- Now, in the Conditions area, change Age in the first drop down menu to
  License Threat Group.
- Next, in the second drop down menu, choose is for the operator.
- Finally, in the third drop down menu, find and select [unassigned].
- Click the Save button to finish.
A violation of the policy above can be remediated simply by assigning the
license involved to a License Threat Group.
To remediate a specific component, use the Component Information Panel (CIP)
License tab to set the license Status to Selected or Overridden, and then select
a license that is associated with at least one License Threat Group. Managing
component licenses is discussed further in the Editing License Status and
Information section of the Application Composition Report chapter.
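As an added illustration (not Nexus IQ code; the product evaluates these conditions itself), the following Python models the rules described in 8.2.1 through 8.2.3: each group carries a threat level from 0 to 10, applications inherit their organization's groups but not the reverse, and the [unassigned] condition matches a license that belongs to no group visible at the evaluating level. The group names, license identifiers and the component are constructed sample data.

```python
# Added example (not Nexus IQ code): toy model of license threat groups, org-to-app inheritance,
# and the "License Threat Group is X" condition, including the [unassigned] case.
from dataclasses import dataclass, field
UNASSIGNED = "[unassigned]"  # the special entry in the condition's third drop down menu

@dataclass
class ThreatGroup:
    name: str
    threat_level: int  # 0 = no threat ... 10, the same scale policies use
    licenses: frozenset

    def __post_init__(self):
        if not 0 <= self.threat_level <= 10:
            raise ValueError(f"threat level {self.threat_level} outside 0..10")

@dataclass
class Organization:
    groups: dict = field(default_factory=dict)

    def visible_groups(self):
        return dict(self.groups)  # an organization never sees application-level groups

@dataclass
class Application:
    org: Organization
    groups: dict = field(default_factory=dict)

    def visible_groups(self):
        return {**self.org.groups, **self.groups}  # inherited groups plus its own

def groups_for_license(scope, license_id):
    """Names of the groups visible from scope that contain license_id."""
    return sorted(g.name for g in scope.visible_groups().values() if license_id in g.licenses)

def condition_matches(scope, license_id, target):
    """'License Threat Group is <target>'; [unassigned] matches a license in no visible group."""
    names = groups_for_license(scope, license_id)
    return not names if target == UNASSIGNED else target in names

def violations(scope, component_licenses, target):
    """Licenses of a component that trigger the condition (empty list = no violation)."""
    return [lic for lic in component_licenses if condition_matches(scope, lic, target)]

# Constructed sample data: two org-level groups, one application-level group, one component.
ORG = Organization()
ORG.groups["Banned Licenses"] = ThreatGroup("Banned Licenses", 10, frozenset({"AGPL-3.0"}))
ORG.groups["Liberal"] = ThreatGroup("Liberal", 0, frozenset({"MIT", "Apache-2.0"}))
APP = Application(ORG)
APP.groups["Weak Copyleft"] = ThreatGroup("Weak Copyleft", 5, frozenset({"LGPL-2.1"}))
COMPONENT = ["AGPL-3.0", "MIT", "LGPL-2.1", "Custom-Beerware"]
```

Evaluated at the application, the Banned Licenses condition flags AGPL-3.0 and the [unassigned] condition flags only Custom-Beerware; evaluated at the organization, LGPL-2.1 is also unassigned because the application-level group is not visible there. Adding Custom-Beerware to a group clears the [unassigned] violation, which is the remediation the section describes.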