Classifying licenses and resolving component licenses in the Software Bill of Materials workspace

  • Release version: Xanadu
  • Updated October 25, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Classifying licenses and resolving component licenses in the Software Bill of Materials workspace

    The Software Bill of Materials (SBOM) workspace allows organizations to classify licenses and resolve them to software components. This process ensures compliance with licensing requirements for proprietary, open-source, and vendor-supplied software, helping to mitigate risks associated with software dependencies and licensing violations.

    Show full answer Show less

    Key Features

    • License Administration Module: Classify licenses for components uploaded via SBOM files and resolve these licenses to specific components.
    • Data Visualization: View overall license compliance on the Home page, including the percentage of components out of compliance.
    • License Classification Categories: Licenses can be categorized as Permitted, Restricted, Banned, or Unclassified.
    • Upload Tracking: Automatic growth of the license database with each SBOM upload that includes license information.

    Key Outcomes

    By effectively classifying and resolving licenses, organizations can:

    • Maintain adherence to licensing agreements, reducing the risk of legal and compliance issues.
    • Build a comprehensive inventory of licenses for better management and oversight.
    • Enable relevant personnel, such as legal and compliance managers, to efficiently perform their tasks using appropriate roles within the SBOM workspace.

    Regular checks on unclassified licenses and updates to classified licenses are recommended to ensure ongoing compliance management.

    Classify licenses and resolve (match) them to components, or create licenses in the License administration module in the SBOM workspace. Classifying and matching licenses to your components permits you determine your license compliance for the proprietary, open-source, and vendor-supplied software components you upload in your SBOM files.

    License data and third-party software

    As organizations build more of their own software applications, they are using open-source components and vendor-supplied software. Using third-party and open-source components provide you with many advantages for the rapid creation and release of your software projects, however, using these components comes with licensing risks:

    • Open-source and vendor-supplied software components at times have dependencies on other components, and each component might have its own licensing requirements.
    • If you’re not compliant with the terms of your licenses for the components and software in your applications, you might inadvertently ship code that violates your internal policies and regulatory licensing requirements.

    The License administration module

    The License administration module in the SBOM Workspace permits you to perform the following tasks.
    • Classify licenses that require it for the components you upload with your SBOM files.
    • Resolve each license you classify to a specific component.
    • See what percentage of the components you are using are out of compliance on a data visualization on the Home page. You can use this information to help you determine your overall security posture and potential risk exposure.
    If the SBOM files you upload include license information, the license database grows automatically as unique licenses are observed on each SBOM upload. With each SBOM upload, you can build a database of uploaded licenses and then classify them if necessary with the License administration module in the SBOM Workspace. You build an inventory of licenses so that you can assign them to components after you classify them in one of the following categories:
    • Permitted
    • Restricted
    • Banned
    • Unclassified

    Legal personnel, license managers, compliance, and regulatory managers perform tasks in the License administration module.

    Viewing uploaded license data

    You have the following options to view any license information you've uploaded with your components in the SBOM Workspace.
    • Navigate to Workspaces > SBOM Workspace > Components.
      On the Components page the License classification of components card displays a visualization of your overall license compliance with the following categories.
      Category Description
      Banned Licensed usage is not permitted.
      Classification required License is not yet classified and requires a review.
      Permitted Licensed usage is permitted without restriction.
      Restricted Licensed usage is not permitted in specific use cases.

      This snapshot uses the classifications and resolved license information you enter in the License administration module to calculate your over-all license compliance.

      If you select a component record from this list, you can view the component's license information along with other information in the State field.

    • Alternatively, navigate to Workspaces > SBOM Workspace > License administration > License classification.
      This page tracks the total number of unique licenses that have been detected from the SBOM files you’ve uploaded. It also filters them in cards along the top of the page in the following categories.
      • Unclassified - License requires review and classification.
      • Banned - License usage is not permitted.
      • Restricted - License is not permitted in specific use cases.
      • Permitted - License usage is permitted without restriction.
      • All licenses - Total count of licenses.
      All the components in your organization are using one of the licenses that is listed on this page. When a new license is detected from an SBOM upload, a record is created and stored in the SBOM license [sn_sbom_license] table and added to this list. It’s classification by default is, Classification Required. License records in this state must be reviewed and classified before you can resolve (match) them to components so your overall license compliance is accurately calculated.

      For information on how to classify licenses, see Classify imported licenses in the Software Bill of Materials Workspace.

    Roles

    New licenses must be classified by a user with the sn_sbom_response.managelicense role. This user views uploaded license information and determines which licenses are permitted and which are banned. Users with this role cannot view the Component license resolution module unless they have the sn_sbom_response.licenseresolver role.

    After classification, licenses must be resolved by a user with the sn_sbom_response.licenseresolver role so that your over-all license compliance can be determined. This user resolves licenses to components. Users with this role cannot view the License Classification module unless they have the sn_sbom_response.managelicense role.

    Classifying new license information is an ongoing process. You might prefer to keep the total number displayed on the Unclassified card low. As a license manager, you might prefer to check for licenses that need classification every few days and after you upload SBOM files.

    As a license resolver, you might prefer to check for updated classified licenses every few days.