A6:2021 | Vulnerable and Outdated Components (9) | Cycubix Docs

License Information Overload

What’s important?

• Can I use this component within the context of distribution of my software?.

• Are there license incompatibilities?.

• If using a modified component, did I addressed additional license obligations?.

License information is scattered everywhere

• Projects declare a license:

  • In a project metadata file.

  • On the project website or source code repository page.

  • Using a link to a license file in their own source code repository.

  • In a license file within the project source tree.

  • In the binary META-INF folder.

• Projects include licenses as headers in the source code.

Summary

• It is difficult to determine the scope of a license.

• A project often has license discrepancies.

• Developers are not lawyers .