
OSS Licenses

Identify and manage open source license compliance.

Open source software comes with various licenses that define how the software can be used, modified, and distributed. Managing license compliance is essential for organizations to avoid legal risks and ensure proper use of open source components.

Endor Labs provides the following policy templates for detecting open source license usage. See Finding policies for details on how to create policies from policy templates.

| Policy template | Description | Severity |
| --- | --- | --- |
| Permit only specified software licenses | Use this template to define an allowed list of software licenses permitted within your organization or a subset of projects. Endor Labs raises findings when dependencies in packages or projects have licenses that are not on the allowed list. | Medium |
| Restricted software licenses | Use this template to define a blocked list of software licenses that should be restricted from use, or used only within specific contexts, within your organization. Endor Labs raises findings when dependencies in packages or projects have licenses that are on the blocked list. | Medium |
| Restricted software license types | Use this template to create an organizational policy that restricts certain license types, or limits a license type to specific contexts within an organization. This is useful for identifying license risks and violations in third-party open source packages. The license type classification in this policy follows the industry best practice rules defined by Google license types. If no license types are specified using the input parameter, only the restricted and forbidden license types are flagged. | Medium |

Endor Labs classifies licenses according to industry best practices:

  • Permissive: Licenses that allow broad use with minimal restrictions (for example, MIT, Apache 2.0)
  • Copyleft: Licenses that require derivative works to use the same license (for example, GPL)
  • Restricted: Licenses with significant usage restrictions
  • Forbidden: Licenses that should not be used in your organization
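To make the behaviour of the three templates concrete, here is an added illustration in Python. It is not Endor Labs code and does not reproduce how Endor Labs evaluates policies; it models the semantics described above (an allowed list, a blocked list, and a license-type restriction that defaults to the restricted and forbidden types) over a constructed dependency list. The license-to-type mapping, the package names and the SPDX identifiers assigned to them are constructed for this example; only the MIT, Apache 2.0 and GPL classifications come from the page.

```python
"""Illustrative license-policy checks (added example, not Endor Labs code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed mapping from SPDX license id to license type, using the
# page's four categories. MIT/Apache-2.0 as permissive and GPL as copyleft
# follow the page; the AGPL and SSPL placements are assumptions for this
# example only, not a statement about any real classification.
LICENSE_TYPES: Dict[str, str] = {
    "MIT": "permissive",
    "Apache-2.0": "permissive",
    "BSD-3-Clause": "permissive",
    "GPL-3.0-only": "copyleft",
    "AGPL-3.0-only": "restricted",   # assumption
    "SSPL-1.0": "forbidden",         # assumption
}

# Constructed dependency inventory: (package name, declared license).
# "NOASSERTION" stands in for a dependency whose license could not be resolved.
DEPS: List[Tuple[str, str]] = [
    ("util-lib", "MIT"),
    ("http-client", "Apache-2.0"),
    ("term-reader", "GPL-3.0-only"),
    ("pdf-bindings", "AGPL-3.0-only"),
    ("doc-store", "SSPL-1.0"),
    ("mystery-pkg", "NOASSERTION"),
]


@dataclass(frozen=True)
class Finding:
    package: str
    license: str
    policy: str
    severity: str = "Medium"  # all three templates on the page default to Medium


def permit_only(deps: Iterable[Tuple[str, str]], allowed: Sequence[str]) -> List[Finding]:
    """Allowed-list template: flag anything whose license is NOT on the list.

    A dependency with an unresolved license is flagged too, because an
    unknown license is, by definition, not on the allowed list.
    """
    allowed_set = set(allowed)
    return [Finding(p, l, "permit-only-specified-licenses")
            for p, l in deps if l not in allowed_set]


def restricted_licenses(deps: Iterable[Tuple[str, str]], blocked: Sequence[str]) -> List[Finding]:
    """Blocked-list template: flag anything whose license IS on the list."""
    blocked_set = set(blocked)
    return [Finding(p, l, "restricted-software-licenses")
            for p, l in deps if l in blocked_set]


def restricted_license_types(deps: Iterable[Tuple[str, str]],
                             types: Optional[Sequence[str]] = None,
                             classification: Dict[str, str] = LICENSE_TYPES) -> List[Finding]:
    """License-type template: flag dependencies whose license *type* is restricted.

    With no explicit types, only the restricted and forbidden types are
    flagged, mirroring the default the page describes. Licenses missing
    from the classification get the type "unknown"; include "unknown" in
    `types` to flag them as well.
    """
    wanted = set(types) if types else {"restricted", "forbidden"}
    findings: List[Finding] = []
    for p, l in deps:
        if classification.get(l, "unknown") in wanted:
            findings.append(Finding(p, l, "restricted-software-license-types"))
    return findings


def evaluate(deps: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run all three templates with sample inputs; return flagged packages per policy."""
    deps = list(deps)
    return {
        "permit-only": [f.package for f in permit_only(deps, ["MIT", "Apache-2.0"])],
        "blocked": [f.package for f in restricted_licenses(deps, ["AGPL-3.0-only"])],
        "types-default": [f.package for f in restricted_license_types(deps)],
        "types-copyleft": [f.package for f in restricted_license_types(deps, ["copyleft"])],
    }


if __name__ == "__main__":
    for policy, packages in evaluate(DEPS).items():
        print(f"{policy:15s} -> {packages}")
```

Note the asymmetry between the first two templates: an unresolved license (NOASSERTION) is flagged by the allowed-list policy but silently passes a blocked-list policy, which is one reason an allowed list is the stricter control.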