In some cases, the license of a component is the last thing a development team will think about. This could simply be due to a misunderstanding of open source, or a situation where it is nearly impossible to do the exhaustive research needed to determine the license for a given component, especially its dependencies.
Even if you haven't built policies around licenses, the License Analysis tab provides license information about every component found during a scan of your application.
This license information is provided via data collected from the Central Repository, as well as research conducted by Sonatype. In addition to the license information for each component, we also assess the threat of each license, based on a set of default License Threat Groups. As with Security Issues, the best place to start is the component list in the License Analysis tab, then move on to the additional details for individual components, making any license status changes as you see fit.
License threat groups are based on what is configured for each organization or application. Additional information can be found in the License Threat Groups section of the Policy Management chapter.
How you manage your license threat groups directly impacts how threat is translated in the reports.
The component list on the License Analysis tab is similar to the list on the Policy Violations tab, because it is a list of all components, not just those that have a license issue.
The list itself includes columns for License Threat, Component, and Status of the license issue. Clicking a column heading sorts the list by that column, while specific items can be searched using the field just below the column heading.
The list of components is ordered by license threat which is based on the threats assigned to the license threat groups. Though a single component may actually have several licenses, license threat will only show the highest threat. This threat, as we mentioned earlier, is based on four default categories, which correspond to four default license threat groups of the same name.
To access the CIP for a component on the License Analysis tab, simply click on the component row. It will expand, providing details in a number of sections. You will likely notice this looks the same as the CIP panels reached from the other tabs of the Application Composition Report, and you would be correct: there is nothing additional provided by accessing the CIP via the License Analysis tab of the report. However, for this section, we want to focus on the license-related information in the Component Info section, as well as the entire Edit Licenses and Audit sections.
Again, the information contained here is the same whether or not you clicked on the component in the License Analysis tab. However, this gives us the context to talk about the license-related fields in this section.
On the left side of the Component Info section, you should pay attention to three fields, which are described below.
In cases where there is no declared and/or observed licenses, a message will be displayed. There are several options, each with specific meaning:
While the information displayed in the graph includes popularity and security information, for now just take a look at License Risk. This displays the license risk based on the application that is selected, and the associated policy and/or license threat groups for that application. Use the application selector to change the application, and the corresponding policies the component should be evaluated against.
Editing a license can be used for different purposes. One addresses the workflow of your research into a license-related issue, while the other allows you to completely override a license altogether. We'll cover all of this below, but first let's take a look at the information displayed.
After clicking on a component in the list, and then the Licenses section of the CIP, the left side of the CIP displays the license(s) declared by the developer of the component, those that have been observed, and what is considered effective (a combination of the previous two). That is, unless they have been manually overridden or a specific license has been selected.
Next to each of these licenses is a box displaying the severity of the license. This list can get long, so you may have to scroll to see all the licenses. Then, to the right of the license list, there are four drop-down lists.
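The following is an added example (not Sonatype's code) that models how the report derives a component's license threat as described above: the effective license set is the combination of declared and observed licenses unless an override or a single selected license replaces it, the component's License Threat is the highest threat of any effective license, the list is ordered by that threat, and each status change is recorded with its comment for the Audit Log. The threat group names, numeric threat levels, license identifiers and status labels are constructed placeholders, not the product's defaults.

```python
"""Model of license threat derivation in a License Analysis report.

Added example, not Sonatype code. Threat groups, threat levels, license ids
and status labels are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed threat groups: name -> (threat level, member licenses).
# In the product each organization/application configures its own groups.
THREAT_GROUPS: Dict[str, Tuple[int, Set[str]]] = {
    "Group A (high)": (10, {"LIC-X"}),
    "Group B (medium)": (6, {"LIC-Y"}),
    "Group C (low)": (2, {"LIC-Z", "LIC-W"}),
}


def threat_of(license_id: str) -> int:
    """Threat level of a license: the level of the group that contains it.
    A license that belongs to no group carries no threat (0)."""
    for level, members in THREAT_GROUPS.values():
        if license_id in members:
            return level
    return 0


@dataclass
class Component:
    name: str
    declared: List[str]                 # licenses declared by the developer
    observed: List[str]                 # licenses observed in the component's files
    status: str = "Open"                # constructed status label
    override: Optional[List[str]] = None  # manual override of the license set
    selected: Optional[str] = None        # one license chosen from declared/observed
    audit_log: List[dict] = field(default_factory=list)

    def effective_licenses(self) -> List[str]:
        """Override wins, then a selected license, else declared + observed."""
        if self.override is not None:
            return list(self.override)
        if self.selected is not None:
            return [self.selected]
        combined: List[str] = []
        for lic in self.declared + self.observed:
            if lic not in combined:       # de-duplicate, keep order
                combined.append(lic)
        return combined

    def license_threat(self) -> int:
        """Only the highest threat among the effective licenses is shown."""
        return max((threat_of(lic) for lic in self.effective_licenses()), default=0)


def order_by_threat(components: List[Component]) -> List[Component]:
    """Report order: highest license threat first."""
    return sorted(components, key=lambda c: c.license_threat(), reverse=True)


def update_status(component: Component, status: str, comment: str = "",
                  override: Optional[List[str]] = None,
                  selected: Optional[str] = None) -> dict:
    """Apply a status change and record it, with its comment, in the audit log."""
    component.status = status
    component.override = override
    component.selected = selected
    entry = {"status": status, "comment": comment,
             "effective": component.effective_licenses(),
             "threat": component.license_threat()}
    component.audit_log.append(entry)
    return entry


if __name__ == "__main__":
    demo = Component("demo", declared=["LIC-Z"], observed=["LIC-X"])
    print(demo.effective_licenses(), demo.license_threat())   # highest threat: LIC-X
    update_status(demo, "Overridden", "legal review confirmed LIC-W", override=["LIC-W"])
    print(demo.effective_licenses(), demo.license_threat(), demo.audit_log[-1]["comment"])
```

Note that a component whose observed licenses differ from its declared ones inherits the threat of the worse license until someone overrides or selects; the audit entry keeps both the resulting effective set and the reviewer's comment so the decision can be reconstructed later.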
As we mentioned previously, Status provides a way to track your research, override a license, or select from an option. The available options are included below.
A comment is not required, but it is a good element to include whenever you change the License Status, because it provides a way to understand, as well as audit, the decisions made to change a license status. This comment will be included with the record in the Audit Log section of the CIP.
Once you have made all your selections, and entered any necessary comments, click the Update button to save the License Status change.