Sonatype CLM Server License Data Update

Overview

On 01/27/2015 Sonatype finished a major upgrade to the data services we provide, resulting in more accurate identification of certain licenses. There are 23 new license types, and some existing findings have changed.

The first time CLM detects a new license, it refreshes the available license list. If you would like to force the update (after February 3rd), we recommend downloading and evaluating the component ca.carleton.gcrc:nunaliit2-javascript:2.0.0 from The Central Repository using a test Organization/Application; this makes the 21 new licenses available to the policy editor. The test Organization/Application can be deleted once the evaluation is complete.

To help you decide which License Threat Groups to add the new licenses to, we have categorized them into the following CLM License Threat Groups:

Liberal

  • JA-SIG-Collaborative

  • SMLNJ

  • Spice-1.1

  • JSON (1)

Weak Copyleft

  • InitialDevelopersPL-1.0

  • InterbasePL-1.0

Non Standard

  • WebFX Commercial

  • WebFX Non Commercial

  • Android-SDK (3)

  • Amazon (2)

  • BigTribe-IP (2)

  • BigTribe-IP-NoRedistribution (2)

  • JSIP (2)

  • OASIS (2)

  • QuanticastTOS (2)

  • USGovernmentRights (2)

  • WS-Addressing-200403 (2)

  • WS-Addressing-200408 (2)

  • WS-I (2)

  • WernerRandelshofer (2)

Copyleft

  • AGPL-1.0

  • RPL-1.1

  1. Generally a liberal license, but it requires that the software be used “for Good, not Evil”.

  2. Attribution does not include licensing terms.

  3. Android-SDK license added 05/01/2017.

What’s changed?

Let’s look at the numbers behind this change:

  • A total of 21 new license types will be added and become known to CLM.

  • Well over 12K components whose licenses were rated at a higher threat than Liberal will be downgraded to Liberal. These are primarily due to:

    • the previous algorithm marked some dual licenses as two separate licenses, e.g. CDDL-1.0 or GPL-2.0 with classpath exception

    • some variations in license text caused our previous algorithm to be misled

  • Approximately 1000 components previously identified with a liberal license will now have a license with a higher threat. The majority of these are cases where we can now discern a Weak Copyleft license (e.g. LGPL) where the previous algorithm was misled because text from multiple license types appeared in the same file.

  • There are a total of 73 previously liberal components that will be reclassified as Copyleft.  Some examples are:

    • com.colorfulsoftware:rsspect:1.0.3 – the file rsspect.properties contains several license headers pasted one on top of the other ... including GPL-3.0.

    • com.mycila:license-maven-plugin:2.5 – the name implies that it is a license-related plugin for Maven, and it ships license template text as part of its source. The file com/mycila/maven/plugin/license/templates/GPL-3.txt is therefore correctly marked as contributing GPL-3.0.

    • javax.sip:jain-sip-ri:* – performance/uas/performance-uac-timer.xml and performance/uas/performance-uac.xml each contain GPL-2.0 license headers.

    • org.docx4j:docx4j:* – org/docx4j/diff/diffx2wml.xslt and 3 other files have GPL-3.0 text.

    • The full list of Maven group ids that are affected:

      • com.colorfulsoftware

      • com.mycila

      • javax.sip

      • me.neavo

      • net.sf.exlp

      • org.apache.any23

      • org.docx4j

      • org.jbpm

      • org.milyn

      • org.openengsb.framework

      • org.sonatype.nexus.plugins

      • org.tinygroup.annotation.0.0.12.tinygroup 
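The two mechanisms behind the reclassifications above (a dual license evaluated as a choice rather than as two stacked licenses, and several license texts found in one file with no stated choice) are easier to see in code. The block below is an added example, not Sonatype's algorithm or any CLM code: it parses a license expression, treats OR as the licensee's choice (least restrictive branch wins) and AND as conjunctive (most restrictive term wins), and contrasts that with a naive per-text evaluation. The threat-group ranking, the license-to-group table and the sample inputs in it are assumptions constructed for this example.

```python
"""License-expression threat evaluator, constructed for this article (not CLM code)."""
from __future__ import annotations

import re
from typing import List

# Assumed ranking of the four threat groups named on the page, lowest to highest threat.
THREAT_RANK = {"Liberal": 0, "Weak Copyleft": 1, "Non Standard": 2, "Copyleft": 3}
RANK_GROUP = {rank: group for group, rank in THREAT_RANK.items()}

# Constructed sample table of license ids to threat groups (assumption, not CLM data).
LICENSE_GROUP = {
    "MIT": "Liberal",
    "Apache-2.0": "Liberal",
    "JSON": "Liberal",
    "LGPL-2.1": "Weak Copyleft",
    "CDDL-1.0": "Weak Copyleft",
    "GPL-2.0": "Copyleft",
    "GPL-3.0": "Copyleft",
    "AGPL-1.0": "Copyleft",
    "RPL-1.1": "Copyleft",
}


def license_rank(license_id: str) -> int:
    """Rank of one license id; ids missing from the table are treated as Non Standard
    so they surface for manual review instead of silently passing (assumption)."""
    return THREAT_RANK[LICENSE_GROUP.get(license_id, "Non Standard")]


class _Parser:
    """Recursive-descent parser for expressions such as '(MIT OR GPL-3.0) AND CDDL-1.0'.
    OR: the licensee may choose, so the least restrictive branch wins.
    AND: every term applies, so the most restrictive term wins."""

    def __init__(self, expr: str) -> None:
        # Parentheses and whitespace-free runs are tokens; AND and OR are keywords.
        self.tokens = re.findall(r"\(|\)|[^\s()]+", expr)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self) -> int:
        rank = self._parse_or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return rank

    def _parse_or(self) -> int:
        rank = self._parse_and()
        while self._peek() == "OR":
            self._take()
            rank = min(rank, self._parse_and())
        return rank

    def _parse_and(self) -> int:
        rank = self._parse_atom()
        while self._peek() == "AND":
            self._take()
            rank = max(rank, self._parse_atom())
        return rank

    def _parse_atom(self) -> int:
        tok = self._take()
        if tok == "(":
            rank = self._parse_or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return rank
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError(f"expected a license id, got {tok!r}")
        return license_rank(tok)


def effective_group(expr: str) -> str:
    """Threat group of a whole license expression, honouring OR/AND semantics."""
    if not expr.strip():
        raise ValueError("empty license expression")
    return RANK_GROUP[_Parser(expr).parse()]


def naive_group(detected: List[str]) -> str:
    """Model of the older behaviour the article describes: every detected license text
    counts on its own, so a dual-licensed component is judged by its worst option."""
    return RANK_GROUP[max(license_rank(lic) for lic in detected)]


def group_for_file(detected: List[str]) -> str:
    """Several license texts in one file with no stated choice are treated as all
    applying at once (AND); LGPL text beside MIT text therefore yields Weak Copyleft."""
    return effective_group(" AND ".join(detected))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(naive_group(["Apache-2.0", "GPL-2.0"]))            # old behaviour: Copyleft
    print(effective_group("Apache-2.0 OR GPL-2.0"))          # dual license: Liberal
    print(group_for_file(["MIT", "LGPL-2.1"]))               # stacked texts: Weak Copyleft
    print(effective_group("(MIT OR GPL-3.0) AND CDDL-1.0"))  # Weak Copyleft
```

The contrast between naive_group and effective_group is the point: the same two license texts yield Copyleft when counted separately but Liberal when read as a choice, which is the downgrade the article describes; group_for_file shows the opposite direction, where texts that must all apply raise the result.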