License compliance policies

License compliance policies are a group of software quality policies used by the Spectra Assure platform to help you improve the overall software package quality.
These policies are triggered during software package analysis to check your code and inform you if any of the built-in validation rules are violated. Specifically, license compliance policies focus on preventing exposure to legal risk by ensuring proper use of software licenses in a software project, its components and dependencies.

In Spectra Assure analysis reports, these policy violations are listed in the License Compliance category.

The priority and severity of each issue influences the overall Licenses ReversingLabs assessment status for the software package.

Release managers and software publishers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect potential licensing issues in a software package, the affected components are highlighted in the SBOM part of the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.

Security challenges and practices

Software licenses define all conditions and requirements for using, modifying, and distributing the software, and are typically legally binding. The license information is usually included with the software as a textual file.

Generally speaking, software licenses can be permissive or protective. Permissive license types (such as MIT, Apache, BSD) usually come with minimal restrictions regarding the modification and distribution of code, which makes them a more popular choice for developers. On the other hand, protective (copyleft) licenses like GPL and AGPL require disclosure of the source code at all levels of the software supply chain.

Lack of insight into licenses and other software provenance data puts organizations at risk of legal action and reputation damage. Failure to comply with the requirements of a software license, even if the software is used indirectly, negatively impacts the entire supply chain, including an organization's customers, partners, and integrators.

Policies in this category

License compliance policies cover the following:

  • Copyleft licensed components