
Licence compliance

AlertaVuln captures the declared licence of every dependency it tracks, classifies it against SPDX - including compound OR / AND expressions - and turns the copyleft risk into a RED / YELLOW / GREEN policy signal.

[Screenshot: the tech stack page with a licence badge on each package, showing the captured SPDX licence per dependency.] Each package on the tech stack carries its captured licence as a badge. Demo data.

Licences are captured from two directions:

  • Registry metadata - the package-health checks record the declared licence for npm, PyPI, NuGet, crates.io, RubyGems and Composer packages as part of tracking your tech stack.
  • The scanned tree - during av sast scan, a dedicated licence scanner runs as its own step in the series and picks up LICENSE files and vendored or loose licences that registry metadata misses. Its findings appear in the License category on the Code Scan page.

The classifier accepts a bare SPDX id (such as MIT), a full SPDX expression (such as (MIT OR Apache-2.0), GPL-2.0-only AND BSD-3-Clause, or GPL-2.0-or-later WITH Classpath-exception-2.0), or the free text some registries emit. Compound expressions follow the legal reading:

  • OR - dual licensing lets you elect a branch, so the expression resolves to the least restrictive branch.
  • AND - every obligation stacks, so the expression resolves to the most restrictive branch.
  • WITH - an exception binds to its base id; classification uses the base id.

Version-scope suffixes reduce to the same family: GPL-3.0-only, GPL-3.0-or-later and GPL-3.0+ all classify as GPL.

Every licence resolves to one of five classes, ordered by how much obligation it imposes on a downstream distributor. That order is also the restrictiveness rank used to resolve OR / AND expressions.

| Class | Typical ids | Signal |
|---|---|---|
| Unknown | no licence reported, or an unrecognised id | YELLOW |
| Permissive | MIT, BSD-2-Clause, BSD-3-Clause, Apache-2.0, ISC, Zlib, CC0-1.0 | GREEN |
| Weak copyleft | LGPL-*, MPL-*, EPL-*, CDDL-*, EUPL-*, OSL-* | YELLOW |
| Proprietary | UNLICENSED (npm), commercial / closed | YELLOW |
| Strong copyleft | GPL-*, AGPL-*, SSPL-* | RED |

Strong copyleft is the headline distribution risk; weak copyleft, proprietary and unknown licences all warrant a human look; permissive is clear.

Badge example: RED AGPL-3.0 - strong copyleft: whole-work (and network) obligations apply downstream.
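As an added illustration (not AlertaVuln's own code), the following classifier implements the rules above: SPDX precedence (WITH binds tightest, then AND, then OR), version-scope reduction to a family, and the five-class rank from the table used verbatim to resolve OR (least restrictive) and AND (most restrictive). Assumptions: registry free text that does not parse as an expression is treated as Unknown, and family names are matched case-insensitively after the version suffix is stripped.

```python
import re
# Table order above is the restrictiveness rank: min() picks an OR branch, max() an AND branch.
RANK = ["Unknown", "Permissive", "Weak copyleft", "Proprietary", "Strong copyleft"]
SIGNAL = {"Unknown": "YELLOW", "Permissive": "GREEN", "Weak copyleft": "YELLOW",
          "Proprietary": "YELLOW", "Strong copyleft": "RED"}
# Licence family (the id with its version and scope suffix removed) -> class (assumed mapping).
FAMILY_CLASS = {
    **dict.fromkeys(("MIT", "BSD", "APACHE", "ISC", "ZLIB", "CC0"), "Permissive"),
    **dict.fromkeys(("LGPL", "MPL", "EPL", "CDDL", "EUPL", "OSL"), "Weak copyleft"),
    **dict.fromkeys(("GPL", "AGPL", "SSPL"), "Strong copyleft"),
    "UNLICENSED": "Proprietary",
}
def family(token):
    """GPL-3.0-only, GPL-3.0-or-later and GPL-3.0+ all reduce to GPL: drop a trailing
    '+' and everything from the first '-<digit>' onwards (BSD-3-Clause -> BSD too)."""
    return re.split(r"-(?=\d)", token.rstrip("+"), maxsplit=1)[0].upper()

def _at(tokens, op):                 # is the next token the given operator?
    return bool(tokens) and tokens[0].upper() == op
def _primary(tokens):                # '(' expr ')'  |  id [WITH exception]
    tok = tokens.pop(0)
    if tok == "(":
        rank = _or_expr(tokens)
        if tokens.pop(0) != ")": raise ValueError("missing ')'")
        return rank
    if _at(tokens, "WITH"):          # an exception binds to its base id; classify the base
        del tokens[:2]
    return RANK.index(FAMILY_CLASS.get(family(tok), "Unknown"))
def _and_expr(tokens):               # obligations stack: the most restrictive branch wins
    rank = _primary(tokens)
    while _at(tokens, "AND"):
        tokens.pop(0); rank = max(rank, _primary(tokens))
    return rank
def _or_expr(tokens):                # dual licensing: elect the least restrictive branch
    rank = _and_expr(tokens)
    while _at(tokens, "OR"):
        tokens.pop(0); rank = min(rank, _and_expr(tokens))
    return rank

def classify(expression):
    """(class, signal) for a bare id, SPDX expression or registry free text; whatever
    does not parse as an expression (None, "MIT License", a stray operator) is Unknown."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expression or "")
    try:
        rank = _or_expr(tokens)
        if tokens: raise ValueError("trailing text")
    except (ValueError, IndexError):
        rank = RANK.index("Unknown")
    return RANK[rank], SIGNAL[RANK[rank]]
```

Calling classify("LGPL-2.1-or-later OR GPL-3.0+") returns ("Weak copyleft", "YELLOW") because the OR elects the less restrictive branch, while the same ids joined by AND return ("Strong copyleft", "RED").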

The CycloneDX SBOM AlertaVuln exports carries each component’s captured licence in licenses[]:

  • a compound SPDX expression (contains OR / AND) is emitted as licenses[].expression, verbatim;
  • a single token recognised as an SPDX id becomes license.id;
  • any other free text falls back to license.name.