License Management

CAST SBOM Manager provides comprehensive license management capabilities, allowing you to view, edit, create, and analyze software licenses and their properties.

Understanding Licenses

Licenses define the legal terms under which software can be used, modified, and distributed. SBOM Manager tracks licenses using industry-standard SPDX (Software Package Data Exchange) identifiers.

License Categories

Licenses are classified into categories based on their restrictiveness:

Category	Description	Example Licenses
Public Domain Like	Minimal restrictions, almost no conditions	Unlicense, CC0-1.0
Permissive	Allow commercial use with minimal conditions	MIT, Apache-2.0, BSD-3-Clause
Weak Copyleft	Require sharing changes to the library itself	LGPL-3.0, MPL-2.0
Strong Copyleft	Require sharing entire derived work	GPL-3.0, AGPL-3.0
Restrictive	Most restrictive, may prohibit commercial use	Custom proprietary licenses
Unknown	Unclassified or undefined category	-

Accessing License Management

From the main navigation, click Licenses to access the license management interface.

License List View

The Licenses view displays all available licenses in a searchable, sortable table:

Columns:

SPDX ID - Standard identifier (e.g., "MIT", "Apache-2.0")
Title - Human-readable name
Properties - Icon summary of license permissions and requirements
Actions - Edit or delete license

License Properties

Each license has properties that define what users can do, cannot do, and must do:

Permissions (CAN DO)

Property	Description	Icon
Can Distribute	Distribute to third parties	📤
Can Modify	Modify or combine with other works	✏️
Can Sublicense	Sublicense or extend the license	🔓
Can Sell	Commercial use allowed	💰
Can Patent	Use patent rights from contributors	⚖️
Can Warranty	Add warranty or services	🛡️

Limitations (CANNOT DO)

Property	Description
Cannot Liable	Software owner not liable for damages
Cannot Trademark	No trademark/logo usage
Cannot Sell	Commercial use prohibited
Cannot Warranty	Warranty not allowed
Cannot Sublicense	Sublicensing prohibited

Requirements (MUST DO)

Property	Description
Must Copyright	Retain original copyright notice
Must License	Include full license text
Must Original	Include copy of original software
Must Notice	Include notice file/install instructions
Must Changes	Document all changes made
Must Source	Disclose source code
Must Credit	Give explicit credits to author

Additional Properties

For Software - License applies to software
For Data - License applies to data/copyrighted works
Community Support - Strong community backing
Government Support - Recognized by government/international orgs
OSI Approved - Approved by Open Source Initiative
FSF Approved - Approved by Free Software Foundation

Viewing License Details

To view or edit a license:

Click the SPDX ID or select Edit License from actions
The license details dialog opens with three tabs:

Info Tab

Basic Information:

Title - License display name
Description - Detailed explanation of the license
Category - License classification (see categories above)

Properties Tab

View and modify license properties:

Properties are grouped by type (Permissions, Limitations, Requirements)
Check/uncheck boxes to enable/disable properties
Color coding:
- Green - Permissions (CAN)
- Orange - Conditionals/Requirements (MUST)
- Red - Limitations (CANNOT)

Details Tab

Additional Information:

URL - Link to official license documentation
License Text - Full legal text of the license

Creating a New License

To create a custom license:

Click Create a New License button
Fill in the required information:
- SPDX ID - Unique identifier (e.g., "MyCompany-Proprietary-1.0")
- Title - Display name
- Description - License description
- Category - Select appropriate category
Switch to the Properties tab
Select applicable properties
Optionally add URL and license text in Details tab
Click OK to save

Unique SPDX IDs

Each license must have a unique SPDX ID. If you attempt to create a license with an existing ID, you'll receive an error.

Editing Licenses

You can modify any license in the system:

Open the license for editing
Make your changes across any tab
Click OK to save

Changes to licenses will affect:

How components with that license are displayed
License compliance calculations in SBOMs
Export data

Deleting Licenses

To remove a license:

Select Delete License from the actions menu
Confirm the deletion

Cannot Delete Used Licenses

You cannot delete a license that is currently assigned to components in any SBOM. You must first remove or change the license on all affected components.

Using Licenses in SBOMs

Automatic Detection

When creating a SBOM, licenses are automatically detected from:

CAST SCA database
Package manager files (pom.xml, package.json, etc.)
File headers and copyright notices

Manual Assignment

You can manually assign or change licenses on:

Individual components (via Edit Component)
Individual files (via File Map or file editing)

License Compliance

Licenses are evaluated against your selected License Policy to determine compliance status. See License Policies for details.

License Data Sources

SBOM Manager comes pre-loaded with 1700+ licenses from:

SPDX License List - Industry-standard license database
Custom Licenses - User-defined proprietary licenses

All licenses follow the SPDX specification for consistency and interoperability.

Best Practices

When to Create Custom Licenses

Create custom licenses for:

Proprietary software - Your company's internal license terms
Modified standard licenses - When you've customized a standard license
Dual licensing - Special licensing arrangements

Naming Conventions

When creating custom SPDX IDs:

Use a consistent prefix (e.g., "CompanyName-")
Include version numbers (e.g., "MyCompany-1.0")
Be descriptive but concise
Avoid special characters except hyphens and periods

License Documentation

Always include:

Clear description explaining the license terms
URL to full license documentation
Complete license text in the Details tab
Accurate properties so compliance is correctly assessed

Regular Review

Periodically review custom licenses for accuracy
Update properties if license terms change
Remove obsolete licenses no longer in use

Integration with Components

Licenses are tightly integrated with component management:

Component View - Shows all licenses assigned to each component
Edit Component - Modify component licenses
License Filtering - Filter components by license
Compliance Highlighting - Visual indicators for license policy violations

Exporting License Information

License data is included in SBOM exports:

Excel/DOCX - License names and compliance status
CycloneDX - Full license SPDX IDs and metadata

This ensures license information travels with your SBOM for compliance reporting.

License Management ​

Understanding Licenses ​

License Categories ​

Accessing License Management ​

License List View ​

License Properties ​

Permissions (CAN DO) ​

Limitations (CANNOT DO) ​

Requirements (MUST DO) ​

Additional Properties ​

Viewing License Details ​

Info Tab ​

Properties Tab ​

Details Tab ​

Creating a New License ​

Editing Licenses ​

Deleting Licenses ​

Using Licenses in SBOMs ​

Automatic Detection ​

Manual Assignment ​

License Compliance ​

License Data Sources ​

Best Practices ​

When to Create Custom Licenses ​

Naming Conventions ​

License Documentation ​

Regular Review ​

Integration with Components ​

Exporting License Information ​