Documentation Nexus IQ Server 1.30

10.2. License Threat Groups

License threat groups, are simply groups of licenses, broken into categories of severity for the various types of licenses. They can help you to achieve your goals related to enforcing the usage of components with licensing that matches the scope of your application.

Their primary purpose is to serve as the data points for the License section of the Application Composition Report. Moreover, they are a way to group risk, associated with licensing.

[Tip]

You can customize a policy to use a license threat group (or an unassigned license threat group) as a condition when IQ Server evaluates applications. For more information about policies and creating conditions, see the Basic Policy Management chapter.

10.2.1. Viewing a License Threat Group

To view a License Threat Group:

  1. Click the Organization & Policies icon figs/web/clm-server-manage-app-org-icon.png on the IQ Server toolbar.
  2. Select an organization in the sidebar. A page of customizable settings is displayed.
  3. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section. The list of License Threat Groups is organized by where the groups are defined: Local for the currently selected organization or Inherited From for an organization higher in the system hierarchy.
figs/web/clm-server-ltg-section.png

Figure 10.4. Viewing License Threat Groups


The following license threat groups are included by default for the root organization.

Banned
Any licenses that should not be permitted in any circumstances. This license threat group contains the AGPL licenses by default.
Copyleft
Strong copyleft licenses go a step further from weak copyleft licenses and mandate that any distributed software that links or otherwise incorporates such code be licensed under compatible licenses, which are a subset of the available open-source licenses. As a result, these licenses have been called viral.
Liberal
These licenses allow you to do almost anything conceivable with the program and its source code, including distributing then, selling them, using the resultant software for any purpose, incorporating into other software, or even converting copies to different licenses, including that of non-free (so-called “proprietary”) software.
Non Standard
Something out of the ordinary (e.g. If we ever meet, give me a beer license).
Sonatype Special Licenses
A license threat group for identifying situations where Sonatype has been unable to determine the license of a component.
Weak Copyleft
Free software licenses that mandate that source code that descended from software licensed under them, will remain under the same, weak copyleft, license. However, one can link to weak copyleft code from code under a different license (including non-open-source code), or otherwise incorporate it in a larger software. Otherwise, weak copyleft licenses allow free distribution, use , selling copies of the code or the binaries (as long as the binaries are accompanied by the (unobfuscated) source code), etc.
[Note]

Consult with your legal department for EXACT definitions. Information provided above is from the following reference.

10.2.2. Creating a License Threat Group

An important aspect of license threat groups is that each one also has a threat level, just like policy (from zero signifying no threat all the way up to 10). Unless you have specific legal recommendation / council, the default license threat groups will suffice, especially in the beginning.

If you desire, you can edit these default groups, or create entirely new ones. When creating license threat groups, keep in mind that they will be inherited from the organization to all associated applications.

To create a license threat group:

  1. Click the Organization & Policies icon figs/web/clm-server-manage-app-org-icon.png on the IQ Server toolbar.
  2. In the sidebar, select an organization.
  3. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
  4. Click the Add a Threat Group button.
  5. In the New License Threat Group editor, set the following attributes:

    1. License Threat Group Name - Enter a name for the license threat group that is easily identifiable.
    2. Threat Level - Select a number for the threat level that this group of licenses represents.
    3. Included Licenses - Type a string of characters in the filter box or scroll the Available list to locate desired licenses by name.

      1. In the Available column on the left, select a license in the list, then click the right arrow button to move the license to the Included column on the right.
      2. If you accidentally add a wrong license, select the license in the Included column, then click the left arrow to return it to the Available column.
  6. Click Create.

    figs/web/clm-server-license-threat-group-create.png

    Figure 10.5. Creating a License Threat Group


[Note]

As of IQ Server 1.20, license threat groups are no longer created at the application level. If you previously had license threat groups in your applications, you can still edit them, but we encourage you to migrate those license threat groups up to the organization.

10.2.3. Editing a License Threat Group

To edit a license threat group:

  1. Click the Organization & Policies icon figs/web/clm-server-manage-app-org-icon.png on the IQ Server toolbar.
  2. In the sidebar, select the organization (or application, if created prior to IQ Server 1.20) in which a license threat group was created.
  3. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
  4. In the list of License Threat Groups, click the one you want to edit (it has a chevron in its row to indicate it’s editable).
  5. In the License Threat Group editor, you can set the following attributes:

    1. License Threat Group Name - Enter a different name for the license threat group that is easily identifiable.
    2. Threat Level - Select a number for the threat level that this group of licenses represents.
    3. Included Licenses - Type a string of characters in the filter box or scroll the columns of licenses to locate desired licenses by name.

      1. To add a license, select the license in the Available column on the left, then click the right arrow button to move the license to the Included column on the right.
      2. To remove a license, select the license in the Included column, then click the left arrow to return it to the Available column.
  6. Click Update.
figs/web/clm-server-license-threat-group-edit.png

Figure 10.6. Editing a License Threat Group


10.2.4. Deleting a License Threat Group

To delete a license threat group:

  1. Click the Organization & Policies icon figs/web/clm-server-manage-app-org-icon.png on the IQ Server toolbar.
  2. In the sidebar, select the organization in which a license threat group was created.
  3. Click License Threat Groups in the menu bar at the top of the page to scroll to the License Threat Groups section.
  4. In the list of License Threat Groups, click the one you want to delete (it has a chevron in its row to indicate it’s editable).
  5. In the License Threat Group editor, click the Delete License Threat Group button. A warning message is displayed.
  6. Click Continue to permanently remove the License Threat Group or Cancel to keep it.