License Policies
License Policies define which licenses are acceptable for use in your organization. They enable automated compliance checking by specifying approval levels for each license.
What is a License Policy?
A License Policy is a set of rules that assigns a compliance level to each license. When you apply a policy to an SBOM, components are automatically evaluated against those rules, and non-compliant licenses are flagged.
Compliance Levels
Each license in a policy can have one of four compliance levels:
| Level | Icon | Meaning | Use Case |
|---|---|---|---|
| Compliant | ✓ (Green) | License is approved for use | Open licenses like MIT, Apache-2.0 |
| Conditional | ⚠ (Orange) | Approved under specific conditions | Licenses requiring attribution or copyleft |
| Non-Compliant | ✗ (Red) | License violates policy | GPL in proprietary software, restrictive licenses |
| Unknown | ? (Gray) | Compliance not yet determined | New or unreviewed licenses |
Viewing License Policies
To access License Policies:
- Navigate to Licenses in the main menu
- Click Policies in the breadcrumb navigation
Policies List
The Policies view shows all available policies:
- Select a policy from the dropdown to view its licenses
- Each policy displays all licenses with their compliance status
- Color-coded icons indicate the compliance level
Creating a License Policy
To create a new policy:
- Click Create New Policy
- Provide:
  - Name - Internal identifier (e.g., "enterprise-2024")
  - Title - Display name (e.g., "Enterprise Compliance Policy")
- Select a template:
  - Blank - Empty policy, add licenses manually
  - Full Blank - Includes all licenses set to Unknown
  - Copy - Duplicate an existing policy
- If copying, select the source policy
- Click Create
Policy Templates
Blank Template
- Starts with no licenses
- Add only the licenses you need
- Best for: Highly specific policies
Full Blank Template
- Includes all 1700+ licenses
- All set to "Unknown" compliance
- Best for: Comprehensive policies where you'll review each license
Copy Template
- Duplicates an existing policy
- Modify from a known-good baseline
- Best for: Creating variations of existing policies
Editing License Policies
Renaming a Policy
- Select the policy from the dropdown
- Click Edit Policy
- Update the name or title
- Click Save
Managing Licenses in a Policy
Adding a License
- Click Add License
- Select the license from the list
- Choose the compliance level:
  - Compliant
  - Conditional
  - Non-Compliant
  - Unknown
- Click Save
TIP
Only licenses not already in the policy will appear in the selection list.
Changing Compliance Level
To change a license's compliance status:
- Find the license in the policy table
- Click the compliance icons to toggle:
  - Click green (Compliant)
  - Click orange (Conditional)
  - Click red (Non-Compliant)
  - Click gray (Unknown)
- Changes are saved automatically
Removing a License
- Find the license in the policy table
- Click the trash icon
- Confirm removal
Setting the Default Policy
The default policy is automatically applied to new SBOMs:
- Select the policy you want as default
- Click Make Default
- The policy is now marked as the system default
Default Policy Indicator
The current default policy is highlighted in the policy selector.
Deleting a Policy
To remove a policy:
- Select the policy to delete
- Click Delete Policy
- Confirm deletion
Cannot Delete Active Policies
You cannot delete a policy that is currently assigned to one or more SBOMs. First change those SBOMs to use a different policy.
Using Policies in SBOMs
Applying a Policy to an SBOM
When creating a new SBOM:
- In the SBOM creation wizard, open Step 1 - Details
- Select a license policy from the dropdown
- The default policy is pre-selected
- Complete the SBOM creation
Changing an SBOM's Policy
To change the policy on an existing SBOM:
- Open the SBOM
- Click the License Policy panel in the header
- Select a different policy
- Compliance status updates automatically
Impact of Policy Changes
When you change a policy:
- Component compliance status is recalculated
- Dashboard charts update to reflect new compliance
- Non-compliant components are visually highlighted
- KPI metrics are recomputed
Policy-Based Compliance Checking
How Compliance Works
- Each component has one or more assigned licenses
- The SBOM has an applied policy
- Each license is looked up in the policy
- The compliance level determines the component's status:
  - All licenses compliant → Component is compliant ✓
  - Any license non-compliant → Component is non-compliant ✗
  - Mix of compliant and conditional → Component is conditional ⚠
  - Any license unknown → Component is unknown ?
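The rollup above, as an added worked example in Python (not code from SBOM Manager): a constructed policy in the "For Commercial Products" style is applied to a few constructed components, and the per-level counts behind a "Components by Compliance" chart are derived from the result. Two points the page leaves open are handled as labelled assumptions: a license the policy does not list is reported as Unknown, and where the rules overlap (a component carrying both a non-compliant and an unknown license) non-compliant takes precedence over unknown, and unknown over conditional, so a component is never reported better than its worst license.

```python
from collections import Counter
from enum import Enum


class Level(str, Enum):
    """The four compliance levels a policy can assign to a license."""
    COMPLIANT = "compliant"
    CONDITIONAL = "conditional"
    NON_COMPLIANT = "non-compliant"
    UNKNOWN = "unknown"


# Constructed policy in the "For Commercial Products" style: permissive
# licenses compliant, weak copyleft conditional, strong copyleft rejected.
# Illustrative only; it is not one of the pre-built policies.
COMMERCIAL_POLICY = {
    "MIT": Level.COMPLIANT,
    "Apache-2.0": Level.COMPLIANT,
    "BSD-3-Clause": Level.COMPLIANT,
    "LGPL-2.1-only": Level.CONDITIONAL,
    "MPL-2.0": Level.CONDITIONAL,
    "GPL-3.0-only": Level.NON_COMPLIANT,
    "AGPL-3.0-only": Level.NON_COMPLIANT,
}


def license_level(policy, license_id):
    """Look a license up in the policy.

    Assumption: a license the policy does not list has not been reviewed,
    so it is reported as Unknown rather than silently passing.
    """
    return policy.get(license_id, Level.UNKNOWN)


def component_status(policy, licenses):
    """Roll the levels of a component's licenses up to one component status.

    Rules from the page: all compliant -> compliant; any non-compliant ->
    non-compliant; mix of compliant and conditional -> conditional; any
    unknown -> unknown. Assumption: where the rules overlap, non-compliant
    wins over unknown, and unknown wins over conditional.
    """
    levels = {license_level(policy, lic) for lic in licenses}
    if not levels:
        return Level.UNKNOWN          # assumption: no license data -> unknown
    if levels == {Level.COMPLIANT}:
        return Level.COMPLIANT
    if Level.NON_COMPLIANT in levels:
        return Level.NON_COMPLIANT
    if Level.UNKNOWN in levels:
        return Level.UNKNOWN
    return Level.CONDITIONAL          # only compliant/conditional remain


def evaluate_sbom(policy, components):
    """Map each component name to its rolled-up compliance status."""
    return {name: component_status(policy, lics) for name, lics in components.items()}


def compliance_distribution(statuses):
    """Counts per level, the data behind a 'Components by Compliance' chart."""
    counts = Counter(statuses.values())
    return {level.value: counts.get(level, 0) for level in Level}


# Constructed components; each comment names the rule it exercises.
SAMPLE_COMPONENTS = {
    "web-framework": ["MIT"],                                     # all compliant
    "dual-licensed-lib": ["MIT", "LGPL-2.1-only"],                # mix -> conditional
    "db-driver": ["Apache-2.0", "GPL-3.0-only"],                  # any NC -> non-compliant
    "odd-lib": ["Apache-2.0", "LicenseRef-custom-eula"],          # unlisted -> unknown
    "copyleft-only": ["GPL-3.0-only", "LicenseRef-custom-eula"],  # NC beats unknown
}


if __name__ == "__main__":
    statuses = evaluate_sbom(COMMERCIAL_POLICY, SAMPLE_COMPONENTS)
    for name, status in statuses.items():
        print(f"{name:20} {status.value}")
    print(compliance_distribution(statuses))
```

Reporting unlisted licenses as Unknown is the conservative choice for a Blank-template policy, which lists only the licenses you have explicitly reviewed; anything else surfaces for review instead of passing by omission.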
Visual Indicators
In the Components Table:
- License badges are color-coded by compliance
- Up to 4 licenses shown (with overflow indicator)
- Rows with non-compliant licenses are highlighted
In the Dashboard:
- "Components by Compliance" chart shows distribution
- Color-coded by compliance level
In Exports:
- Compliance status included in all export formats
- Enables compliance reporting
Pre-Built Policy Examples
SBOM Manager includes reference policies:
GPL v3 Compliance
Designed for GPL-licensed projects:
- GPL family licenses: Compliant
- Permissive licenses (MIT, Apache): Compliant
- Proprietary licenses: Non-Compliant
ASL 3rd Party Compliance
For Apache Software Foundation projects:
- Apache licenses: Compliant
- Permissive licenses: Compliant
- Copyleft licenses: Conditional or Non-Compliant
All Licenses Compliance
Accept-all policy:
- All licenses: Compliant
- Use for: Initial scans, research, or non-production
Best Practices
Creating Effective Policies
- Start with a template - Copy an existing policy as a baseline
- Document your rules - Use clear naming for policies
- Review regularly - Update policies as organizational needs change
- Test before deploying - Apply to a test SBOM before production
Compliance Level Guidelines
Use "Compliant" for:
- Licenses approved without restrictions
- Internal company licenses
- Public domain and permissive licenses
Use "Conditional" for:
- Licenses requiring specific conditions (e.g., attribution)
- Weak copyleft when conditions are manageable
- Licenses approved for certain use cases only
Use "Non-Compliant" for:
- Licenses explicitly prohibited by your organization
- Incompatible licenses (e.g., GPL in proprietary software)
- Restrictive commercial licenses
Use "Unknown" for:
- New or rare licenses requiring legal review
- Licenses pending approval decision
- Placeholder during policy development
Organizational Policies
For Open Source Projects
- Allow permissive and compatible copyleft licenses
- Reject incompatible licenses
- Example: a GPL project should reject Apache-2.0 if the two licenses are incompatible
For Commercial Products
- Allow permissive licenses (MIT, Apache, BSD)
- Conditionally allow weak copyleft (LGPL, MPL)
- Reject strong copyleft (GPL, AGPL)
- Reject unknown or custom licenses
For Internal Tools
- More permissive stance
- Focus on tracking rather than strict compliance
- Educational approach to license awareness
Policy Maintenance
- Version your policies - Include dates or versions in names
- Track changes - Document why compliance levels changed
- Periodic review - Review and update quarterly or annually
- Stakeholder input - Involve legal, engineering, and compliance teams
- Communication - Notify teams when policies change
Integration with Workflows
SBOM Review Workflow
- Create SBOM with default policy applied
- Review Dashboard compliance chart
- Investigate non-compliant components
- Either:
  - Remove/replace the component
  - Seek exception and change compliance level
  - Update component license if incorrect
- Export for compliance record
Continuous Monitoring
- Create new SBOM versions periodically
- Compare compliance between versions (Delta Charts)
- Track new non-compliant components
- Automate alerts for policy violations
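The version-to-version comparison and alerting described above, as an added example in Python (not SBOM Manager code): it takes the per-component compliance status of two constructed SBOM versions, the kind of result policy evaluation produces, and separates components that are newly non-compliant from ones that were already flagged, so an alert fires only on new violations rather than on every run. The status strings and component names are constructed for the example.

```python
NON_COMPLIANT = "non-compliant"
UNKNOWN = "unknown"

# Constructed per-component status for two versions of one SBOM, i.e. the
# output of policy evaluation, not data from any real scan.
V1_STATUSES = {
    "web-framework": "compliant",
    "db-driver": NON_COMPLIANT,
    "json-parser": "compliant",
    "crypto-lib": UNKNOWN,
}
V2_STATUSES = {
    "web-framework": "compliant",
    "db-driver": "compliant",       # swapped for a compliant alternative
    "json-parser": NON_COMPLIANT,   # upgraded version changed its license
    "image-codec": NON_COMPLIANT,   # newly added dependency
    "crypto-lib": UNKNOWN,          # still awaiting legal review
}


def compliance_delta(old, new):
    """Compare two versions' statuses the way a delta chart would.

    'new_non_compliant' is the set a reviewer must act on: components that
    are non-compliant now and were not (or did not exist) in the old version.
    """
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "new_non_compliant": sorted(
            name for name, status in new.items()
            if status == NON_COMPLIANT and old.get(name) != NON_COMPLIANT
        ),
        "resolved": sorted(
            name for name, status in old.items()
            if status == NON_COMPLIANT and name in new and new[name] != NON_COMPLIANT
        ),
        "still_unknown": sorted(
            name for name, status in new.items()
            if status == UNKNOWN and old.get(name) == UNKNOWN
        ),
    }


def should_alert(delta):
    """Alert rule for continuous monitoring: fire only on new violations, so
    long-standing, already-documented exceptions do not re-alert every run."""
    return bool(delta["new_non_compliant"])


if __name__ == "__main__":
    delta = compliance_delta(V1_STATUSES, V2_STATUSES)
    for key, names in delta.items():
        print(f"{key:18} {', '.join(names) or '-'}")
    print("alert:", should_alert(delta))
```

Listing components that stay Unknown across versions is deliberate: they never trip the alert, so without a separate view they tend to sit unreviewed indefinitely.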
Tips
- Multiple policies for different projects - Create separate policies for different product lines
- Gradual refinement - Start permissive, tighten over time
- Exception handling - Document exceptions in component comments
- Export compliance reports - Regular XLSX exports for stakeholders