Licenses

Metadata associated with licenses within the Threatrix ecosystem.

License Categories

  • UNDEFINED: Unknown or undefined category

  • UNLICENSED: No license could be discovered, but limitations and conditions may still apply to the work. Based on the source of the work, there may be an implied license.

  • PROPRIETARY_FREE: Proprietary free software may not require a commercial license but may have specific terms and conditions. These terms and conditions may be embedded in the code or presented as click-through licenses at download time.

  • PUBLIC_DOMAIN: Software available for use without explicit obligations. It has a license notice that must be distributed with the source code as described in the license. The match may be to software, to published public domain specifications, or to another type of publication.

  • PROPRIETARY: Proprietary source-available software, which has available source code but is not classified as free software or open-source software. In some cases, this software is originally sold and released without the source code, which becomes available later. Source-available software is software released through a source code distribution model that includes arrangements where the source can be viewed, and in some cases modified, but without meeting the criteria to be called open-source.

  • PERMISSIVE: A permissive non-copyleft software license, sometimes called BSD-like or BSD-style license, is a free software license with only minimal restrictions on how the software can be used, modified, and redistributed, usually including a warranty disclaimer.

  • COPYLEFT: Open source software that offers irrevocable permission to the public to copy and redistribute the work in the same or modified form, but with the conditions that all such redistributions make the work available in a form that facilitates further modification and uses the same license terms. A copyleft license can require code interacting with copyleft licensed code to be licensed the same way.

  • COPYLEFT_WEAK: Free software licenses that require source code descended from software licensed under them to remain under the same weak copyleft license. However, code under a different license (including non-open-source code) may link to weak copyleft code or incorporate it into a larger work. Otherwise, weak copyleft licenses allow free distribution, use, and sale of copies of the code or the binaries (as long as the binaries are accompanied by the unobfuscated source code). Some free software licenses do not require derivative work to be licensed under the same terms as the original work, but they do come with requirements such as distribution of the source code or dual licensing.

  • COPYLEFT_LIMITED: A license requiring you to redistribute source code including your changes and provide attribution for the software authors. Your obligation to redistribute source code, including proprietary code linked with code under this license, is limited according to license-specific rules.

  • COPYLEFT_PARTIAL: Partial copyleft exempts some parts of the work from the copyleft provisions, thus permitting distribution of some modifications under terms other than the copyleft license, or in some other way does not impose all the principles of copyleft on the work.

  • COPYLEFT_STRONG: Strong copyleft licenses go a step further from weak copyleft licenses and mandate that any distributed software that links or otherwise incorporates such code be licensed under compatible licenses, which are a subset of the available open-source licenses. As a result, these licenses have been called “viral.”

Styles

Origin

  • COMPONENT: The license was declared for the component.

  • REPOSITORY: The license was discovered within the source repository (GitHub, GitLab, etc.).

  • REPOSITORY_META: The license was declared to the repository (GitHub, GitLab, etc.).

  • REPOSITORY_LICENSE: The license was declared within the LICENSE file in the source repository.

  • ASSET: The license was discovered within an asset in the source repository.

Discovery Type

  • Discovered: The license was found by our ingestors within a source file or metadata file.

  • Declared: The license was declared by the dependency manager or attached to the source or release repository for the component.

Copyrights

All copyrights for discovered licenses are extracted from the license data source (LICENSE file, source code, etc.) and included in the results. Accurate copyrights are required to provide proper attribution for the license. Copyrights can be found within scan results -> Licenses -> License details -> Copyrights tab.

Attribution

Some licenses require the license header and/or copyrights in various, conspicuous locations.

Threatrix embedded open source detection will find any open source that your team has included in your proprietary source code and accurately determine the license for the embedded open source. An example is shown below:

Source attribution can be applied manually, directly from the embedded asset detail screen by selecting the licenses you want to apply attribution to in your source code. Then select "Attribute Licenses."

From the Attribute Licenses dialog, select an Attribution status and enter an optional comment, which will be included in the attribution notice in your source code.

Attributes

License attributes are a summary of the important permissions, limitations, and conditions of a license. They make it easier for your team to understand the requirements. An example of Apache 2.0 license attributes is shown below. Each attribute provides a full description, available by hovering over the question mark icon to the right of the attribute.
