Supported software licenses
In the context of Spectra Assure, license coverage can refer to two things:
Licenses that Spectra Assure products can detect in your software when analyzing it. Only the licenses listed on Supported licenses pages can be detected.
Licenses that you can specify for your software when uploading it to the Spectra Assure Portal. All license types from the SPDX License List can be used.
During analysis, Spectra Assure extracts metadata about software components and displays it as human-readable, actionable information in the reports. Among many other details, Spectra Assure analysis reports include license information for software components and open-source or third-party dependencies.
The license information helps you understand the conditions under which your own and third-party code can be modified and distributed. It also helps you recognize and prevent potential compliance risks in your software projects.
This reference documentation provides an overview of all software licenses that Spectra Assure can automatically detect and identify while analyzing your software.
License familiesโ
In this documentation and in Spectra Assure products, supported licenses are categorized into license families that impose a similar set of restrictions on software development, distribution, and usage.
Every individual license belongs to one of the following license families, ordered from most to least permissive (top to bottom):
Each of these license family pages contains a table with supported individual licenses.
The tables cover the following information about software licenses:
- License name - the software license name as detected by Spectra Assure and displayed in analysis reports. Corresponds to the standardized SPDX short-form identifier.
- License contents - link to the official SPDX website with the full text of the software license. Special, customized licenses that contain
LicenseRef-rlsecurein the name do not have entries on the SPDX website. You can view a generic description for such licenses on each license family page. - License family - the license family that the individual software license belongs to based on its characteristics. Corresponds to one of the predefined license families.
- Policies triggered - indicates the default policy configuration setting for the license. Some licenses are configured to always trigger a policy and raise an issue in the SAFE report. All licenses in the Weak Copyleft family always trigger the SQ12103 policy for dependencies. All licenses in the Copyleft family always trigger the SQ12101 policy for software components. If this field is empty, that means no policies are triggered by default for the license. However, users can customize the policy configuration at any time to override the default settings.
If a license is not listed as supported, that means Spectra Assure is not able to automatically detect it.
Where to find the license informationโ
Software licenses are usually distributed as text files alongside the source code or the compiled software package. If Spectra Assure detects a valid license, it displays the information about it in analysis reports.
You can find the license information in:
the SAFE report produced with the CLI or directly in the Portal interface. The Bill of Materials section of the report displays the detected license for each software component and dependency. If there are any risks associated with software licenses, the Summary > SAFE Assessment Evaluations section will highlight them and lead you to the specific issues that cause the risks. Software components and dependencies with unsupported or unrecognized software licenses have an empty License field in the SAFE report.
the rl-json report produced with the CLI or exported from the Portal with the API. Look for the
report.metadata.licensesobject in therl-jsonreport to view the licenses found in the analyzed software package. Additionally, thereport.metadata.assessments.licensesobject will show the details about license compliance risks if any are detected in the software package.the CLI output of rl-secure list and rl-secure inspect commands.
Default policy configuration for licensesโ
The presence of some licenses in a software package may be reported as a policy violation (issue) that causes license compliance risks. In the default Spectra Assure policy configuration, some types of licenses are always configured to raise an issue.
Specifically:
- all licenses in the Copyleft family always trigger the SQ12101 policy when the license is detected in a software component
- all licenses in the Weak Copyleft family always trigger the SQ12103 policy when the license is detected in a dependency
The license family pages in this reference documentation indicate which policies are triggered by default for each license in the Policies triggered column.
Spectra Assure CLI users can modify the default policy configuration to add their own license checks and restrictions for individual licenses by name, or for entire license families.
In the Spectra Assure Portal, the policy configuration only allows enabling or disabling individual license-related policies.
How to use this documentationโ
You can use the reference pages for license families to:
Check which licenses belong to a particular license family. This is useful when you want to restrict entire families in your CLI policy configuration.
Look up a particular license by name to learn more about it. This is useful when a license you're unfamiliar with is detected by Spectra Assure in your software packages. You can then view its full text and which policies it triggers by default (if any).
Copy the exact license name to use in your CLI policy configuration. This is useful when you want to set specific policy controls for one or more individual licenses, but not for an entire license family.