Licence compliance
AlertaVuln captures the declared licence of every dependency it tracks, classifies it against SPDX - including compound OR / AND expressions - and turns the copyleft risk into a RED / YELLOW / GREEN policy signal.

Each package on the tech stack carries its captured licence as a badge (demo data).
Where licence data comes from
Licences are captured from two directions:
- Registry metadata - the package-health checks record the declared licence for npm, PyPI, NuGet, crates.io, RubyGems and Composer packages as part of tracking your tech stack.
- The scanned tree - during `av sast scan`, a dedicated licence scanner runs as its own step in the series and picks up `LICENSE` files and vendored or loose licences that registry metadata misses. Its findings appear in the License category on the Code Scan page.
SPDX classification
The classifier accepts a bare SPDX id (`MIT`), a full SPDX expression (`(MIT OR Apache-2.0)`, `GPL-2.0-only AND BSD-3-Clause`, `GPL-2.0-or-later WITH Classpath-exception-2.0`), or the free text some registries emit. Compound expressions follow the legal reading:
- OR - dual licensing lets you elect a branch, so the expression resolves to the least restrictive branch.
- AND - every obligation stacks, so the expression resolves to the most restrictive branch.
- WITH - an exception binds to its base id; classification uses the base id.
Version-scope suffixes reduce to the same family: `GPL-3.0-only`, `GPL-3.0-or-later` and `GPL-3.0+` all classify as GPL.
Policy classes and the RYG signal
Every licence resolves to one of five classes, ordered by how much obligation it imposes on a downstream distributor. That order is also the restrictiveness rank used to resolve OR / AND expressions.
| Class | Typical ids | Signal |
|---|---|---|
| Unknown | no licence reported, or an unrecognised id | YELLOW |
| Permissive | MIT, BSD-2-Clause, BSD-3-Clause, Apache-2.0, ISC, Zlib, CC0-1.0 | GREEN |
| Weak copyleft | LGPL-*, MPL-*, EPL-*, CDDL-*, EUPL-*, OSL-* | YELLOW |
| Proprietary | UNLICENSED (npm), commercial / closed | YELLOW |
| Strong copyleft | GPL-*, AGPL-*, SSPL-* | RED |
Strong copyleft is the headline distribution risk; weak copyleft, proprietary and unknown licences all warrant a human look; permissive is clear.
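The OR / AND / WITH rules and the class table above, worked through as an added Python example (illustrative code written for this page, not AlertaVuln's own classifier). The class names, ids and signals are those of the table, with Unknown ranked lowest as the table orders it; AND binding tighter than OR is standard SPDX precedence, which the page does not spell out.

```python
import re
# The five classes in restrictiveness order (this page's table) and their RYG signal.
RANK = ["Unknown", "Permissive", "Weak copyleft", "Proprietary", "Strong copyleft"]
SIGNAL = {"Unknown": "YELLOW", "Permissive": "GREEN", "Weak copyleft": "YELLOW",
          "Proprietary": "YELLOW", "Strong copyleft": "RED"}
# Ids matched exactly, then families matched once the version-scope suffix is stripped.
EXACT = {**dict.fromkeys(("MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "Zlib",
                          "CC0-1.0"), "Permissive"), "UNLICENSED": "Proprietary"}
FAMILY = {**dict.fromkeys(("GPL", "AGPL", "SSPL"), "Strong copyleft"),
          **dict.fromkeys(("LGPL", "MPL", "EPL", "CDDL", "EUPL", "OSL"), "Weak copyleft")}

def classify_id(spdx_id):
    """Classify one bare id; GPL-3.0-only, GPL-3.0-or-later and GPL-3.0+ all reduce to GPL."""
    if spdx_id in EXACT:
        return EXACT[spdx_id]
    family = re.sub(r"-\d.*$|\+$", "", spdx_id)          # drop "-3.0-or-later" or a trailing "+"
    return FAMILY.get(family, "Unknown")                 # unrecognised id -> Unknown

def classify(expression):
    """Resolve a full SPDX expression; AND binds tighter than OR, parentheses override."""
    toks = re.findall(r"\(|\)|[^\s()]+", expression or "")
    def peek():
        return toks[0] if toks else None
    def parse_or():                                      # OR: elect the least restrictive branch
        cls = parse_and()
        while peek() == "OR":
            del toks[:1]
            cls = min(cls, parse_and(), key=RANK.index)
        return cls
    def parse_and():                                     # AND: every obligation stacks
        cls = parse_atom()
        while peek() == "AND":
            del toks[:1]
            cls = max(cls, parse_atom(), key=RANK.index)
        return cls
    def parse_atom():
        tok = toks.pop(0) if toks else None
        if tok == "(":
            cls = parse_or()
            del toks[:1]                                 # consume ")"
            return cls
        if tok in (None, ")", "AND", "OR", "WITH"):
            return "Unknown"                             # no licence reported, or malformed
        if peek() == "WITH":
            del toks[:2]                                 # exception binds to its base id
        return classify_id(tok)
    cls = parse_or()
    return cls if not toks else "Unknown"                # leftover tokens: unrecognised free text

def signal(expression):
    return SIGNAL[classify(expression)]                  # RED / YELLOW / GREEN policy signal
```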
SBOM enrichment
The CycloneDX SBOM AlertaVuln exports carries each component’s captured licence in `licenses[]`:
- a compound SPDX expression (contains OR/AND) is emitted as `licenses[].expression`, verbatim;
- a single token recognised as an SPDX id becomes `license.id`;
- any other free text falls back to `license.name`.
See also
- Code scanning (SAST) - the scan series that includes the licence scanner
- `av sast scan` - run a local scan
- Overview - everything AlertaVuln watches on your behalf