Documentation Nexus IQ Server 1.16

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

9.2. License Threat Groups

License threat groups are simply groups of licenses, broken into categories by the severity of the obligations the licenses impose. They help you enforce the use of components whose licensing matches the scope of your application.

Their primary purpose is to serve as the data points for the License section of the application composition report; they are also a way to group the risk associated with licensing. By default, four license threat groups are included with Sonatype CLM:

Copyleft
Strong copyleft licenses go a step further than weak copyleft licenses and mandate that any distributed software that links to or otherwise incorporates such code be licensed under a compatible license, which is a subset of the available open-source licenses. As a result, these licenses have been called viral.
Non Standard
Something out of the ordinary (e.g. an "if we ever meet, give me a beer" license).
Weak Copyleft
Free software licenses that mandate that source code descended from software licensed under them remain under the same weak copyleft license. However, one can link to weak copyleft code from code under a different license (including non-open-source code), or otherwise incorporate it into larger software. Otherwise, weak copyleft licenses allow free distribution, use, and selling copies of the code or the binaries (as long as the binaries are accompanied by the unobfuscated source code), etc.
Liberal
These licenses allow you to do almost anything conceivable with the program and its source code, including distributing them, selling them, using the resultant software for any purpose, incorporating it into other software, or even converting copies to different licenses, including that of non-free (so-called "proprietary") software.
[Note]

Consult with your legal department for EXACT definitions. The information provided above is from the following reference.

9.2.1. Creating, Editing, and Deleting a License Threat Group

An important aspect of license threat groups is that each one also has a threat level, just like a policy (from zero, signifying no threat, up to 10). Unless you have specific legal recommendations or counsel, the default license threat groups will suffice, especially in the beginning.

If you wish, you can edit these default groups or create entirely new ones. When creating license threat groups, keep in mind that groups created at the organization level are inherited by all of its applications.

There are two key ways to create a license threat group:

figs/web/clm-server-new-create-ltg.png

Figure 9.5. Using New License Threat Group Button


figs/web/clm-server-global-create.png

Figure 9.6. Using Global Create Button


There is really no difference between them, as both require that you have the organization or application open at the time of creation. The one advantage of the Global Create button is that it works from any tab of the currently selected organization or application, whereas the New License Threat Group button requires you to be on the License tab.

The following information needs to be completed before a license threat group can be saved.

Name
This is the name of your license threat group. When creating or editing the name, choose something that is easily identifiable. If you are following along with the example in the next section, use Banned Licenses.
Threat Level
This is the level of threat this group of licenses should represent.
Applied and Available Licenses
Adding licenses to the license threat group is not strictly required, but there is little use for a group that exists only as a placeholder, so the field is treated as required.

On the left are the licenses included in the license threat group. Click on a license to remove it.

On the right are the licenses that can be added to the group. Click on a license to add it.

When everything is done your screen should look like Figure 9.7, “Creating a License Threat Group”, and you can click the Save button to finish.

figs/web/clm-server-license-threat-group-create.png

Figure 9.7. Creating a License Threat Group


Editing
To make changes to a license threat group, click on the Edit icon (shaped like a pencil).
Deleting
To delete a license threat group, click on the Delete icon (shaped like a trash can) next to the license threat group name.

A few things to remember:

  • A set of four default license threat groups are provided.
  • Applications inherit license threat groups from their organization.
  • An organization’s license threat groups can be seen by any of its applications; the reverse is not true.
  • License threat groups can only be edited (or deleted) at the level they were created.

9.2.2. Creating a Condition Based on a License Threat Group

In the example below a new condition for the license threat group Banned Licenses will be added to a new policy.

These instructions assume that you understand how to create a policy.

  1. Create a new policy.
  2. In the Constraints area click on the Expand/Collapse icon (shaped like a right-facing triangle). It’s next to the Constraint Name and should display Unnamed Constraint.
  3. Once the constraint is expanded, click the Constraint Name field and enter Banned License.
  4. Now, in the Conditions area, change Age in the first drop down menu to License Threat Group.
  5. Next, in the second drop down menu choose is for the operator.
  6. Finally, in the third drop down menu, find and select the Banned Licenses license threat group you created in the previous section.
  7. Click the Save button to finish.
figs/web/clm-server-license-threat-group-condition-create.png

Figure 9.8. Creating a Condition Evaluating a License Threat Group


9.2.3. Creating a Condition Based on an Unassigned License Threat Group

In most cases, a license is associated with one or more License Threat Groups. However, it is possible for a license to have no association with any License Threat Group. You can create a Policy to detect when a component has a license that is not assigned to any License Threat Group.

In the example below a new condition for detecting components with licenses not assigned to any License Threat Group will be added to a new policy.

These instructions assume that you understand how to create a policy.

  1. Create a new policy.
  2. In the Constraints area click on the Expand/Collapse icon (shaped like a right-facing triangle). It’s next to the Constraint Name and should display Unnamed Constraint.
  3. Once the constraint is expanded, click the Constraint Name field and enter Unassigned LTG.
  4. Now, in the Conditions area, change Age in the first drop down menu to License Threat Group.
  5. Next, in the second drop down menu choose is for the operator.
  6. Finally, in the third drop down menu, find and select [unassigned].
  7. Click the Save button to finish.
figs/web/clm-server-license-threat-group-condition-unassigned.png

Figure 9.9. Creating a Condition Evaluating an unassigned License Threat Group


A violation of the policy above can be remediated simply by assigning the license involved to a License Threat Group.

To remediate a specific component, use the Component Information Panel (CIP) License tab to set the license Status to Selected or Overridden, and then select a license that is associated with at least one License Threat Group. Managing component licenses is discussed further in the Editing License Status and Information section of the Application Composition Report chapter.
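The following is an added worked example, not code from Sonatype CLM or Nexus IQ Server: a small Python model of the rules stated in sections 9.2.1 through 9.2.3, so that the interaction between threat groups, organization-to-application inheritance, the "License Threat Group is Banned Licenses" condition and the "[unassigned]" condition can be checked outside the UI. Every group name, threat level, license membership, component coordinate and class name in it is an assumption constructed for illustration; in particular the membership of the default groups and of Banned Licenses is not taken from the product.

```python
"""Toy model of License Threat Group (LTG) policy evaluation.

Added example; not Sonatype CLM / Nexus IQ Server code. All group names,
threat levels, license sets and components below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UNASSIGNED = "[unassigned]"   # the special value offered in the condition menu


@dataclass(frozen=True)
class LicenseThreatGroup:
    name: str
    threat_level: int          # 0 = no threat ... 10, same scale as a policy
    licenses: frozenset

    def __post_init__(self) -> None:
        if not 0 <= self.threat_level <= 10:
            raise ValueError(f"threat level must be 0..10, got {self.threat_level}")
        if not self.licenses:
            # The UI treats the license list as required; an empty group is useless.
            raise ValueError("a license threat group needs at least one license")


@dataclass
class Organization:
    name: str
    threat_groups: List[LicenseThreatGroup] = field(default_factory=list)


@dataclass
class Application:
    name: str
    organization: Organization
    threat_groups: List[LicenseThreatGroup] = field(default_factory=list)

    def effective_threat_groups(self) -> List[LicenseThreatGroup]:
        """Inheritance is one-way: the app sees the org's groups plus its own."""
        return list(self.organization.threat_groups) + list(self.threat_groups)


@dataclass
class Component:
    coordinates: str
    declared_license: str
    overridden_license: Optional[str] = None   # CIP status Selected/Overridden

    @property
    def effective_license(self) -> str:
        return self.overridden_license or self.declared_license


@dataclass(frozen=True)
class Constraint:
    """One constraint with a single condition: License Threat Group is <value>."""
    name: str
    ltg_value: str   # an LTG name, or UNASSIGNED


def groups_for_license(license_id: str,
                       groups: List[LicenseThreatGroup]) -> List[LicenseThreatGroup]:
    """A license may belong to several groups, or to none."""
    return [g for g in groups if license_id in g.licenses]


def evaluate(app: Application, components: List[Component],
             constraints: List[Constraint]) -> List[Tuple[str, str, str]]:
    """Return (component, constraint name, matched LTG value) per violation."""
    groups = app.effective_threat_groups()
    violations = []
    for comp in components:
        matched = groups_for_license(comp.effective_license, groups)
        for c in constraints:
            if c.ltg_value == UNASSIGNED:
                if not matched:   # license is in no LTG visible to the app
                    violations.append((comp.coordinates, c.name, UNASSIGNED))
            elif any(g.name == c.ltg_value for g in matched):
                violations.append((comp.coordinates, c.name, c.ltg_value))
    return violations


def remediate_unassigned(comp: Component, new_license: str) -> Component:
    """The 9.2.3 fix: override the license with one that belongs to an LTG."""
    return Component(comp.coordinates, comp.declared_license, new_license)


def build_example() -> Tuple[Application, List[Component], List[Constraint]]:
    # Hypothetical org-level groups; memberships are assumptions, not product data.
    org = Organization("Acme", [
        LicenseThreatGroup("Liberal", 0, frozenset({"MIT", "Apache-2.0"})),
        LicenseThreatGroup("Copyleft", 8, frozenset({"GPL-3.0", "AGPL-3.0"})),
        LicenseThreatGroup("Banned Licenses", 10, frozenset({"AGPL-3.0"})),
    ])
    # An app-level group: visible to the app, invisible to the organization.
    app = Application("payments", org,
                      [LicenseThreatGroup("Needs Review", 5, frozenset({"BSD-3-Clause"}))])
    components = [
        Component("org.example:alpha:1.0", "MIT"),
        Component("org.example:beta:2.0", "AGPL-3.0"),       # in two LTGs
        Component("org.example:gamma:3.0", "Beerware"),      # in no LTG
        Component("org.example:delta:4.0", "BSD-3-Clause"),  # app-level LTG only
    ]
    constraints = [Constraint("Banned License", "Banned Licenses"),  # 9.2.2
                   Constraint("Unassigned LTG", UNASSIGNED)]         # 9.2.3
    return app, components, constraints


if __name__ == "__main__":
    app, comps, cons = build_example()
    for v in evaluate(app, comps, cons):
        print(*v)
    fixed = [remediate_unassigned(c, "MIT") if c.effective_license == "Beerware" else c
             for c in comps]
    print("after override:", evaluate(app, fixed, cons))
```

Running the model flags beta (AGPL-3.0 sits in both Copyleft and Banned Licenses, so the Banned License constraint fires) and gamma (Beerware is in no group, so the Unassigned LTG constraint fires); overriding gamma's license to one with a group clears that violation, and delta's BSD-3-Clause is found only when evaluating from the application, mirroring the one-way inheritance listed in 9.2.1.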