A6:2021 | Vulnerable and Outdated Components (9) | Cycubix Docs

License Information Overload

What’s important?

  • Can I use this component under the way I distribute my software?

  • Are there license incompatibilities?

  • If using a modified component, have I addressed the additional license obligations?

License information is scattered everywhere

  • Projects declare a license:

    • In a project metadata file.

    • On the project website or source code repository page.

    • Using a link to a license file in their own source code repository.

    • In a license file within the project source tree.

    • In the binary META-INF folder.

  • Projects include licenses as headers in the source code.

  • It is difficult to determine the scope of a license.

  • A project often has license discrepancies.

  • Developers are not lawyers.
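As an added illustration (not code from the Cycubix page), the Python script below gathers license declarations from the places listed above for a constructed sample artifact: a `package.json` metadata file, a `LICENSE` file in the source tree, SPDX headers in source files and a `META-INF` license file. It then reports the distinct licenses it saw, so any disagreement between sources surfaces; the file layout and the license-title patterns are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample artifact: a flat {path: content} map standing in for an
# unpacked dependency. Its sources deliberately disagree with each other.
SAMPLE_ARTIFACT = {
    "package.json": json.dumps({"name": "demo-lib", "license": "MIT"}),
    "LICENSE": "Apache License\nVersion 2.0, January 2004\n...",
    "src/index.js": "// SPDX-License-Identifier: MIT\nmodule.exports = {};\n",
    "src/util.js": "// SPDX-License-Identifier: GPL-3.0-only\n",
    "META-INF/LICENSE.txt": "MIT License\nPermission is hereby granted...",
}

# Title-line patterns used to recognise a license body (assumed, kept short).
LICENSE_TEXT_PATTERNS = {
    "Apache-2.0": re.compile(r"Apache License\s+Version 2\.0", re.I),
    "MIT": re.compile(r"MIT License", re.I),
    "GPL-3.0-only": re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 3", re.I),
}
SPDX_HEADER = re.compile(r"SPDX-License-Identifier:\s*([\w.\-+]+)")

def classify_license_text(text):
    """Map a license body to an SPDX id by its title line, or None if unknown."""
    for spdx, pattern in LICENSE_TEXT_PATTERNS.items():
        if pattern.search(text):
            return spdx
    return None

def collect_license_declarations(artifact):
    """Return {source: set(spdx_ids)} gathered from each declaration location."""
    found = defaultdict(set)
    for path, content in artifact.items():
        name = path.rsplit("/", 1)[-1]
        if name == "package.json":                      # project metadata file
            lic = json.loads(content).get("license")
            if lic:
                found["metadata"].add(lic)
        elif name.upper().startswith("LICENSE"):        # license file / META-INF
            where = "meta-inf" if path.startswith("META-INF/") else "license-file"
            found[where].add(classify_license_text(content) or "UNKNOWN")
        else:                                           # per-file source headers
            for m in SPDX_HEADER.finditer(content):
                found["source-header"].add(m.group(1))
    return dict(found)

def license_discrepancies(artifact):
    """Sorted distinct license ids across all sources; more than one means a discrepancy."""
    found = collect_license_declarations(artifact)
    return sorted(set().union(*found.values())), found
```

Run against the sample, `license_discrepancies(SAMPLE_ARTIFACT)` reports three different licenses, which is exactly the kind of discrepancy a dependency review has to resolve before the component can be shipped.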
