License compliance policies
License compliance policies are a group of software quality policies used by the Spectra Assure platform to help you improve the overall software package quality.
These policies are used during software package analysis to check your code and inform you if any of the built-in validation rules are violated. Specifically, license compliance policies focus on preventing exposure to legal risk by ensuring proper use of software licenses in a software project, its components and dependencies.
In the Spectra Assure SAFE report, these policy violations can be found in the License Compliance issue category and cause risk in the SAFE Assessment Licenses category.
Release managers and software publishers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect potential licensing issues in a software package, the affected components are highlighted in the SBOM part of the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.
Policies in this category
License compliance policies cover the following:
- Copyleft licensed components and dependencies
- Restrictive licenses that limit or prohibit use in production, commercial use, software distribution and modification
- Presence of patent-protected code
- Licenses blocked by users or marked to raise a warning in Spectra Assure CLI policy configuration files
- SQ12101 - Detected presence of software components distributed with copyleft licenses.
- SQ12102 - Detected presence of software dependencies distributed with copyleft licenses.
- SQ12103 - Detected presence of statically linked dependencies distributed with weak copyleft licenses.
- SQ12401 - Detected presence of license families that were marked to issue a warning.
- SQ12402 - Detected presence of licenses that were marked to issue a warning.
- SQ12403 - Detected presence of licenses that were explicitly restricted.
- SQ12404 - Detected presence of licenses that place restrictions on commercial use.
- SQ12405 - Detected presence of licenses that place restrictions on software distribution.
- SQ12406 - Detected presence of licenses that place restrictions on use in production.
- SQ12407 - Detected presence of licenses that prohibit software modification.
- SQ12408 - Detected presence of licenses that require a separate use of patents permission.
Security challenges and practices
Software licenses define all conditions and requirements for using, modifying, and distributing the software, and are typically legally binding. The license information is usually included with the software as a textual file.
Generally speaking, software licenses can be permissive or restrictive. Permissive license types (such as MIT, Apache, BSD) usually come with minimal restrictions regarding the modification and distribution of code, which makes them a more popular choice for developers. On the other hand, restrictive (copyleft) licenses like GPL and AGPL require that anyone who distributes the software, or a work derived from it, makes the corresponding source code available under the same license terms; the AGPL extends this obligation to software that users interact with over a network. Weak copyleft licenses (such as LGPL or MPL) limit the obligation to the licensed component itself, which is why the way a component is linked into the final package matters for compliance.
Lack of insight into licenses and other software provenance data puts organizations at risk of legal action and reputation damage. Failure to comply with the requirements of a software license, even if the software is used indirectly, negatively impacts the entire supply chain, including an organization's customers, partners, and integrators.
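The policy list above and the permissive/copyleft distinction described here amount to a classification step (which license family does each component carry?) followed by a policy step (which families, licenses or linkage modes does the project block or warn on?). The following Python script is an added example that illustrates that logic over a constructed, simplified SBOM; it is not the Spectra Assure platform's own implementation, its license taxonomy is deliberately small, the SBOM layout is a flattened stand-in for a real CycloneDX document, and the finding labels (`copyleft-dependency`, `weak-copyleft-static-link`, and so on) are this example's own names that only loosely mirror the SQ121xx/SQ124xx policies, not their exact semantics.

```python
"""Minimal license-policy checker over a simplified SBOM (added example, not project code)."""

# Assumption: illustrative SPDX identifier sets, far from complete.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
                   "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
                 "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Higher rank == more restrictive; unknown licenses are treated as the worst case.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}

# Hypothetical project policy, standing in for a CLI policy configuration file.
POLICY = {
    "blocked_licenses": {"AGPL-3.0-only"},      # explicitly restricted
    "warn_licenses": {"MPL-2.0"},               # individual licenses marked to warn
    "warn_families": {"strong-copyleft"},       # whole families marked to warn
}


def family(spdx_id):
    """Map an SPDX identifier to a license family."""
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def effective_licenses(expression):
    """Reduce a flat SPDX expression to the licenses that actually bind the consumer.

    'A OR B' is a dual license: the consumer may choose, so the least restrictive
    alternative is taken. 'A AND B' binds both. Assumption: no parentheses/nesting.
    """
    alternatives = [[t.strip() for t in alt.split(" AND ")] for alt in expression.split(" OR ")]
    # An alternative is as restrictive as its most restrictive license.
    return min(alternatives, key=lambda alt: max(RANK[family(t)] for t in alt))


def check_component(component, policy):
    """Return (label, detail) findings for one SBOM entry under the given policy."""
    findings = []
    scope = component["scope"]  # "component" (first-party code) or "dependency"
    for lic in effective_licenses(component["license"]):
        fam = family(lic)
        if lic in policy["blocked_licenses"]:
            findings.append(("restricted-license", lic))
        elif lic in policy["warn_licenses"]:
            findings.append(("warn-license", lic))
        if fam in policy["warn_families"]:
            findings.append(("warn-family", fam))
        if fam == "strong-copyleft":
            findings.append((f"copyleft-{scope}", lic))
        # Weak copyleft is only a concern when the library becomes part of the binary.
        if fam == "weak-copyleft" and component.get("linkage") == "static":
            findings.append(("weak-copyleft-static-link", lic))
        if fam == "unknown":
            findings.append(("unknown-license", lic))
    return findings


def check_sbom(sbom, policy=POLICY):
    """Return {"name@version": [findings]} for every entry that violates the policy."""
    report = {}
    for c in sbom["components"]:
        findings = check_component(c, policy)
        if findings:
            report[f"{c['name']}@{c['version']}"] = findings
    return report


# Constructed sample SBOM; names and versions are made up for the example.
SAMPLE_SBOM = {"components": [
    {"name": "libcrypto-wrapper", "version": "1.2.0", "scope": "component", "license": "MIT"},
    {"name": "readline", "version": "8.2", "scope": "dependency",
     "license": "GPL-3.0-or-later", "linkage": "dynamic"},
    {"name": "libfoo", "version": "2.0", "scope": "dependency",
     "license": "LGPL-2.1-or-later", "linkage": "static"},
    {"name": "dualthing", "version": "0.9", "scope": "dependency",
     "license": "GPL-2.0-only OR MIT", "linkage": "dynamic"},
    {"name": "svcbackend", "version": "3.1", "scope": "dependency",
     "license": "AGPL-3.0-only", "linkage": "dynamic"},
    {"name": "mystery", "version": "1.0", "scope": "dependency", "license": "Custom-EULA"},
]}

if __name__ == "__main__":
    for entry, findings in check_sbom(SAMPLE_SBOM).items():
        for label, detail in findings:
            print(f"{entry}: {label} ({detail})")
```

Two details are worth noting. The dual-licensed `dualthing` entry produces no finding because the consumer may elect the MIT option, which is how a checker avoids false positives on `GPL OR MIT` style grants; and an identifier the taxonomy does not recognise is reported rather than silently passed, because an unclassified license is a gap in provenance, not evidence of a permissive one.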
Recommended for you
- Software license (External resource - Wikipedia)
- OSI Approved licenses (External resource - Open Source Initiative)
- Open-Source License Compliance in Software Supply Chains (External resource - Research article by Riehle, D., & Harutyunyan, N. (2019))