Indicators & Methodology: Changes in CAST Highlight’s default open source license risk profile

Now that CAST Highlight lets users build their license risk profiles automatically from license rulebooks, the default license risk profile shipped with the product will follow the same model going forward. This change brings the out-of-the-box default license risk template more in line with current open source licensing practices while still letting you fully customize the template for any scenario. As a result, some licenses will change risk level, which will affect the CAST Highlight scores that depend on open source license risk. You can, however, keep the current default license risk profile if you prefer. This change takes effect on June 25, 2022. This post describes the details.

In CAST Highlight, a license rulebook is a user-friendly summary of a license's terms that makes its possible legal implications easier to understand. In other words, you do not necessarily have to read the entire license text (although it is available in the license rulebook) to understand what you can, cannot, and must do with a component under a specific license.
We recently introduced a new CAST Highlight capability to automatically generate a license risk profile from license rulebook "scores"; it is described in detail in this article. Each element of the rulebook has a positive or negative impact on the license risk score of a given license. The points are summed at the license level and compared against configurable thresholds to determine the level of risk. All licenses are evaluated automatically with this rulebook configuration scoring model.


Going forward the default CAST Highlight license risk template will utilize the same scoring mechanism.

However, it is important to note that this default license risk profile is an out-of-the-box template CAST provides to make CAST Highlight onboarding faster. Your organization may choose to customize this default template or create a new one from scratch (see how in this article). Also, we strongly recommend you consult with a legal expert when seeking legal advice.

What will change in the default license risk profile?

Below is the list of licenses for which the level of risk will change in the default license risk profile CAST provides.

License Name | Current License Risk Level | New License Risk Level | Status
--- | --- | --- | ---
Creative Commons Attribution Non Commercial 2.0 Generic | High Risk | Medium Risk | Changed
Creative Commons Attribution Non Commercial 3.0 Unported | High Risk | Medium Risk | Changed
Creative Commons Attribution Non Commercial 4.0 International | High Risk | Medium Risk | Changed
Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported | High Risk | Medium Risk | Changed
Creative Commons Attribution Non Commercial No Derivatives 4.0 International | High Risk | Medium Risk | Changed
Creative Commons Attribution Non Commercial Share Alike 2.5 Generic | High Risk | Medium Risk | Changed
Creative Commons Attribution Non Commercial Share Alike 3.0 Unported | High Risk | Medium Risk | Changed
Creative Commons Attribution Non Commercial Share Alike 4.0 International | High Risk | Medium Risk | Changed
CeCILL Free Software License Agreement v2.1 | High Risk | Medium Risk | Changed
CeCILL-B Free Software License Agreement | High Risk | Low Risk | Changed
European Union Public License 1.1 | High Risk | Medium Risk | Changed
European Union Public License 1.2 | High Risk | Medium Risk | Changed
Microsoft Reciprocal License | High Risk | Medium Risk | Changed
Reciprocal Public License 1.5 | High Risk | Medium Risk | Changed
Ruby License | High Risk | Medium Risk | Changed
Adaptive Public License 1.0 | Low Risk | High Risk | Changed
Code Project Open License 1.02 | Low Risk | Medium Risk | Changed
Open Data Commons Open Database License v1.0 | Low Risk | High Risk | Changed
SNIA Public License 1.1 | Low Risk | Medium Risk | Changed
Common Public Attribution License 1.0 | Medium Risk | High Risk | Changed
Microsoft Public License | Medium Risk | Low Risk | Changed
OpenSSL License | Medium Risk | Low Risk | Changed
Sleepycat License | Medium Risk | High Risk | Changed
Aladdin Free Public License | n/a | Medium Risk | New
Apple Public Source License 1.1 | n/a | Medium Risk | New
Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic | n/a | Medium Risk | New
Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic | n/a | Medium Risk | New
Creative Commons Attribution Non Commercial Share Alike 1.0 Generic | n/a | Medium Risk | New
Creative Commons Attribution Non Commercial Share Alike 2.0 Generic | n/a | Medium Risk | New
Creative Commons Attribution No Derivatives 2.0 Generic | n/a | Medium Risk | New
Creative Commons Attribution No Derivatives 2.5 Generic | n/a | Medium Risk | New
Creative Commons Attribution No Derivatives 3.0 Unported | n/a | Medium Risk | New
Creative Commons Attribution No Derivatives 4.0 International | n/a | Medium Risk | New
Creative Commons Attribution Share Alike 2.0 Generic | n/a | Medium Risk | New
Creative Commons Attribution Share Alike 2.5 Generic | n/a | Medium Risk | New
Creative Commons Attribution Share Alike 3.0 Unported | n/a | Medium Risk | New
Creative Commons Attribution Share Alike 4.0 International | n/a | High Risk | New
CeCILL Free Software License Agreement v2.0 | n/a | Medium Risk | New
Deutsche Freie Software Lizenz | n/a | High Risk | New
Eiffel Forum License v2.0 | n/a | Low Risk | New
Fair License | n/a | Low Risk | New
Historical Permission Notice and Disclaimer | n/a | Low Risk | New
JSON License | n/a | Low Risk | New
Licence Libre du Québec – Permissive version 1.1 | n/a | Medium Risk | New
Licence Libre du Québec – Réciprocité version 1.1 | n/a | Medium Risk | New
Licence Libre du Québec – Réciprocité forte version 1.1 | n/a | High Risk | New
Lucent Public License Version 1.0 | n/a | Low Risk | New
LaTeX Project Public License v1.3c | n/a | High Risk | New
Noweb License | n/a | Medium Risk | New
Open Data Commons Public Domain Dedication & License 1.0 | n/a | Low Risk | New
Vim License | n/a | High Risk | New
X11 License | n/a | Low Risk | New
Zed License | n/a | Low Risk | New
Zope Public License 2.1 | n/a | Low Risk | New

(n/a: the license was not present in the previous default profile.)


Rulebook configuration of CAST’s new default License Risk Profile

The license rulebook configuration used for this new license risk profile is deliberately simple: only the license category items (Public Domain Like, Permissive, Restrictive, Weak Copyleft, Strong Copyleft, Unknown) contribute to the score, with the points listed below. All other rulebook items have no effect on the score. As explained in the article referenced above, you can customize this configuration to fit your needs.

  • Public Domain Like: +10 points
  • Permissive: +5 points
  • Restrictive: -3 points
  • Strong Copyleft: -10 points
  • Weak Copyleft: -5 points
  • Unknown: 0 points

The point thresholds that determine the risk level of a license are:

  • High Risk / Red: Less than -5 points
  • Medium Risk / Yellow: -5 points to 1 point
  • Low Risk / Green: Greater than 1 point
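The scoring model above, as an added worked example that is not code from CAST or from the CAST Highlight product. The category points and thresholds are the ones listed in this post; the category tags assigned to individual licenses in the sample inventory are assumptions made for illustration, not CAST's actual rulebook data, and the "old" levels are taken from the table earlier in this post. The example also treats a license tagged with more than one category as the sum of its points, which is how the post describes the model but which the post does not demonstrate.

```python
"""Additive license-risk scoring: sum the category points of a license and
map the total onto High / Medium / Low with the thresholds from the post.
Illustrative example, not CAST Highlight code."""

# Points per license category (values from the post).
CATEGORY_POINTS = {
    "Public Domain Like": 10,
    "Permissive": 5,
    "Restrictive": -3,
    "Weak Copyleft": -5,
    "Strong Copyleft": -10,
    "Unknown": 0,
}

# Thresholds from the post: High < -5, Medium from -5 to 1, Low > 1.
# Both comparisons are strict, so -5 and 1 themselves are Medium.
HIGH_BELOW = -5
LOW_ABOVE = 1


def score_license(categories):
    """Sum the points of every category tagged on a license.

    A category name that is not in the rulebook raises instead of silently
    contributing 0 points: otherwise a typo in a tag would quietly land the
    license in the Medium band and hide a copyleft obligation."""
    total = 0
    for cat in categories:
        if cat not in CATEGORY_POINTS:
            raise ValueError(f"unknown rulebook category: {cat!r}")
        total += CATEGORY_POINTS[cat]
    return total


def risk_level(points):
    """Map a point total onto the three risk bands."""
    if points < HIGH_BELOW:
        return "High"
    if points > LOW_ABOVE:
        return "Low"
    return "Medium"


def evaluate(license_tags):
    """Compute the risk level of every license in a {name: [categories]} map."""
    return {name: risk_level(score_license(tags)) for name, tags in license_tags.items()}


def level_changes(old_levels, new_levels):
    """Return {name: (old, new)} for licenses whose level differs between two
    profiles. Licenses absent from the old profile show old=None."""
    return {
        name: (old_levels.get(name), new)
        for name, new in new_levels.items()
        if old_levels.get(name) != new
    }


# Constructed sample inventory. The category tags are ASSUMED for this
# example; they are not CAST's rulebook data.
ASSUMED_TAGS = {
    "OpenSSL License": ["Permissive"],                    # +5  -> Low
    "Microsoft Public License": ["Permissive"],           # +5  -> Low
    "Sleepycat License": ["Strong Copyleft"],             # -10 -> High
    "European Union Public License 1.2": ["Weak Copyleft"],  # -5 -> Medium (boundary)
    "X11 License": ["Permissive"],                        # +5  -> Low
    "Custom vendor EULA": ["Unknown"],                    # 0   -> Medium
    "Dual-tagged example": ["Permissive", "Restrictive"], # +2  -> Low (summed)
}

# Previous default levels for the same licenses, as listed in this post's
# table; the two licenses marked here as Medium are constructed entries.
OLD_LEVELS = {
    "OpenSSL License": "Medium",
    "Microsoft Public License": "Medium",
    "Sleepycat License": "Medium",
    "European Union Public License 1.2": "High",
    "Custom vendor EULA": "Medium",
    "Dual-tagged example": "Medium",
}


def example_changes():
    """Which licenses in the sample inventory flip level under the new model."""
    return level_changes(OLD_LEVELS, evaluate(ASSUMED_TAGS))


if __name__ == "__main__":
    for name, (old, new) in sorted(example_changes().items()):
        print(f"{name}: {old or 'not in old profile'} -> {new}")
```

Two details worth checking in your own profile: a license tagged only Weak Copyleft scores exactly -5 and therefore lands in Medium, not High, and a license with no category (Unknown) also lands in Medium, so an untagged license never looks Low but never looks High either.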


Note 1: if you prefer to keep the current default license risk profile provided by CAST and do not want it replaced by the new one, duplicate it before June 25, 2022. To do so, as a Portfolio Manager, go to MANAGE > Manage License Risk Profile and click the Add License Risk Profile button. Then check the box shown below to apply this license risk profile by default to all applications.

Note 2: if you decide to switch to CAST's new default license risk profile, some of your applications' OSS Safety and License scores (which are based on license risk levels) will change. These scores are recalculated automatically as soon as you apply the new License Risk Profile as the default for your portfolio.