Feature Focus: Component License Compatibility

When dealing with Open Source license compatibility, verifying legal term compatibility between third-party components and their respective dependencies could turn into a never-ending nightmare when done manually, increasing the legal risk of a license conflict. CAST Highlight allows users to define license compatibility rules between licenses and automatically detect and report possible license conflicts in the Bill of Materials. This article explains how this feature works.

Why does checking compatibility between component and dependency licenses matter?

According to Wikipedia, “license compatibility is a legal framework that allows for pieces of software with different software licenses to be distributed together. The need for such a framework arises because the different licenses can contain contradictory requirements, rendering it impossible to legally combine source code from separately-licensed software in order to create and publish a new program.”

In other words, when organizations are building software applications using third-party Open Source components, they must ensure that these components are “working well” with the software components they use themselves (dependencies), from a legal standpoint. Are there conflicting clauses in different component licenses? Are license terms and obligations contradictory? This legal aspect of OSS components should be checked for specific application contexts (e.g., distributed/commercial software).

Most popular Open Source licenses publicly state their compatibility with other licenses, with some explanation, as the Free Software Foundation does for its GPL (General Public License) versions.

Example with Apache license, version 1.1: “This is a permissive non-copyleft free software license. It has a few requirements that render it incompatible with the GNU GPL, such as strong prohibitions on the use of Apache-related names.”


How to define a license compatibility rule in CAST Highlight?

Root-level portfolio managers can manage the license compatibility model of the portfolio by clicking on “Manage License Profiles” from the “MANAGE PORTFOLIO” menu. From here, create or edit an existing License Risk Profile and go to the “Incompatibility Configuration” tab. The list of all supported licenses is displayed.

For each license in this list, you can add an incompatible license by selecting it from the drop-down list. Once selected, you can detail what makes these licenses incompatible by typing a few sentences that will appear in BOM exports.

To save your edits on the license incompatibility configuration, click on the “Save” button at the bottom of the page.

Note that each license risk template can have its own license incompatibility configuration.

How possible license incompatibilities are reflected in CAST Highlight’s reporting

Once the license incompatibility configuration is saved, CAST Highlight automatically checks it against application components and their respective dependencies. The results are available in several places in the product:


From the dashboards

At the application level, under the Software Composition tab, you can verify a specific component for possible license conflicts by clicking on the magnifying glass icon. A modal opens and lists all dependencies of this component with dependency type, version, possible vulnerabilities, license(s) as well as possible license conflicts between each dependency and the clicked component license. A possible license conflict is indicated by a ‘Yes’ in the ‘Possible License Conflict’ column.


From the Word BOM export

The Word BOM export has a dedicated section that lists possible license compatibility issues. The table shows the component with its license, its dependency and its license, as well as the reason for the possible license conflicts (which was entered when creating the license incompatibility configuration described above).
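To make the rule definition and the reporting described above concrete, here is an added example (not CAST Highlight's own code) of the check in simplified form: an incompatibility configuration is a set of license pairs with a free-text reason, and each component is compared with each of its dependencies, producing one row per pair with the same columns as the BOM export (component, license, dependency, dependency license, conflict flag, reason). The rule is taken from the FSF statement on Apache 1.1 quoted earlier; the component and dependency names, versions and license assignments are constructed for the illustration.

```python
"""Simplified license-conflict check over a Bill of Materials.

Added illustration only; this is not CAST Highlight's implementation.
The rule set and the BOM below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IncompatibilityRule:
    """One entry of the incompatibility configuration: two licenses and the
    free-text reason that should appear in BOM exports."""
    license_a: str
    license_b: str
    reason: str


@dataclass
class Dependency:
    name: str
    version: str
    licenses: tuple  # one or more license identifiers (dual licensing is possible)


@dataclass
class Component:
    name: str
    version: str
    licenses: tuple
    dependencies: list = field(default_factory=list)


def build_rule_index(rules):
    """Incompatibility is symmetric, so store each rule under both key orders."""
    index = {}
    for rule in rules:
        index[(rule.license_a, rule.license_b)] = rule.reason
        index[(rule.license_b, rule.license_a)] = rule.reason
    return index


def find_conflicts(components, rules):
    """Return one report row per (component, dependency) pair, mirroring the
    'Possible License Conflict' column: a pair is flagged when any license of
    the component is configured as incompatible with any license of the
    dependency. Dual-licensed dependencies are handled conservatively: a
    single matching pair is enough to flag the row for review."""
    index = build_rule_index(rules)
    rows = []
    for comp in components:
        for dep in comp.dependencies:
            reasons = [
                f"{cl} vs {dl}: {index[(cl, dl)]}"
                for cl in comp.licenses
                for dl in dep.licenses
                if (cl, dl) in index
            ]
            rows.append({
                "component": f"{comp.name} {comp.version}",
                "component_license": ", ".join(comp.licenses),
                "dependency": f"{dep.name} {dep.version}",
                "dependency_license": ", ".join(dep.licenses),
                "possible_conflict": bool(reasons),
                "reason": "; ".join(reasons),
            })
    return rows


def count_conflicts(rows):
    """Number of (component, dependency) pairs flagged as a possible conflict."""
    return sum(1 for r in rows if r["possible_conflict"])


# Rule based on the FSF statement quoted above about Apache 1.1 and the GNU GPL.
SAMPLE_RULES = [
    IncompatibilityRule(
        "Apache-1.1", "GPL-2.0-only",
        "Apache 1.1 prohibitions on the use of Apache-related names are "
        "incompatible with the GNU GPL"),
]

# Constructed BOM: hypothetical component and dependency names.
SAMPLE_COMPONENTS = [
    Component("gpl-app-lib", "1.0.0", ("GPL-2.0-only",), [
        Dependency("legacy-xml-parser", "1.1.0", ("Apache-1.1",)),
        Dependency("tiny-logger", "2.3.1", ("MIT",)),
    ]),
    Component("old-http-client", "3.2.0", ("Apache-1.1",), [
        Dependency("gpl-codec", "0.9.0", ("GPL-2.0-only", "LGPL-2.1-only")),
    ]),
]


if __name__ == "__main__":
    report = find_conflicts(SAMPLE_COMPONENTS, SAMPLE_RULES)
    for row in report:
        flag = "Yes" if row["possible_conflict"] else "No"
        print(f"{row['component']:22} {row['component_license']:13} -> "
              f"{row['dependency']:24} {row['dependency_license']:28} "
              f"{flag:4} {row['reason']}")
```

Running the script prints three rows, two of them flagged "Yes": the GPL component depending on an Apache 1.1 parser, and the Apache 1.1 client depending on a dual-licensed GPL/LGPL codec. The second case shows why the column says "possible" conflict: a dual-licensed dependency may be used under its compatible option, so the flag marks a pair for legal review rather than a confirmed violation.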


From the Excel BOM export

When the Excel BOM report is generated with the option “Include component dependencies” turned on, it automatically creates a tab in the document that lists all resolvable dependencies of detected components of an application. Possible license conflicts are listed in a dedicated column of the report.