Summary

A recent analysis of the license objects in the npm ecosystem has resulted in 11 new special licenses to denote license and/or security risk from the developer supplied license text.  This license text is part of the npm package.json license specification.

These licenses have been categorized by Sonatype as defined below and will be recognized in new installations with a classification in the appropriate License Threat Group.  For all existing instances, these new licenses will be downloaded upon a restart of the IQ Server or encountering a scanned component associated with the new licenses.  The licenses should be added to the appropriate License Threat Group as listed below or an appropriate group as recommended by your legal counsel to resolve these policy violations.  

These new licenses represent obligation clauses. I.e., the license text supplied by the user is not a valid license string, but there are words in the npm license object that could denote a legal obligation.

Below is a list of the new licenses and license details.

License Short Name	License Long Name	License Threat Group
Nonsensical-Clause	Nonsensical Clause	Non-Standard
Obligation-Clause	Obligation Clause	Banned
Proprietary-Clause	Proprietary Clause	Banned
Copyright-Clause	Copyright Clause	Banned
Malicious-Content-Clause	Malicious Content Clause	Banned
Identity-Clause	Identity Clause	Non-Standard
Generic-Open-Source-Clause	Generic Open Source Clause	Liberal
Generic-Liberal-Clause	Generic Liberal Clause	Liberal
Generic-Copyleft-Clause	Generic Copyleft Clause	Copyleft
Generic-Weak-Copyleft-Clause	Generic Weak Copyleft Clause	Weak Copyleft
See-License-Clause	See License Clause	Non-Standard

 

Nonsensical-Clause

Description

New License.

License strings which contain nonsensical words and alphanumeric strings. The project author put some text in the license object where license intent can’t be interpreted.

Examples

• --
• ???
• " \\"modules\\","
• "(K)"
• "111111"
• "adhoc"
• "budong"
• "byvoidmodulemawei"

 

Obligation-Clause

Description

New License.

License strings which contain a potential obligation and the license obligation can’t be mapped to a valid known license.

Examples

• "Beer"
• Beer or money

 

Proprietary-Clause

Description

New License.

License strings which contain a restriction of use.

Examples

• "private"
• "Proprietary"
• "Utilisation privée - Réservée à l'auteur"
• Confidential and Proprietary
• For internal use only
• Not for public
• Private Property

 

Copyright-Clause

Description

New License.

License string which denote a copyright or no rights exists and do not provide information to associate to a valid license.

Examples

• "(c) Copyright 2015 corey hadden, all rights reserved"
• "@ystk_yrk & UNITED ARROWS LTD."
• "©"
• "All rights reserved 2018"
• (C) Richard Anderson
• "No license"
• "NonLicensed"

 

Malicious-Content-Clause

Description

New License.

A license string that contains injectable or malicious content.

Examples

• "<%= applicense %>"
• "<script>alert(3)</script>"
• "HGLv2<!--\\" onmouseover=alert(1)"
• "HGLv2<!--\\""
• {"name":"__proto__","url":"javascript:alert(1)//\\"' onmouseover=alert(1)"}
• {"name":{"toLowerCase":"constructor"},"url":"javascript:alert(1)//"' onmouseover=alert(1)"}
• HGLv2<!-- onmouseover=alert(1)"
• Identity-Clause

 

Identity-Clause

Description

New License.

License strings that contain a known entity or identity without other license clauses.

Examples

• "@ystk_yrk & UNITED ARROWS LTD."
• "2ClickSolutions"
• "Concurix"
• "cosmasmallya@rocketmail.com"
• "Hello Kitty"
• "koolearn.com"
• "PayPal"

 

Generic-Open-Source-Clause

Description

New License.

License strings which denote an intent to release as open source without a specific named license.

Examples

• "free"
• free binary
• Free Open Source
• Free-for-all
• open source
• Open Source License
• A business-friendly OSS license

 

Generic-Liberal-Clause

Description

New License.

Strings which denote a liberal license or liberal licenses (licenses in the liberal default LTG) that are obvious misspellings.

Examples

• "apace"
• "BDS-2-Clause"
• "WTFGPL"
• Apach-2.0
• BD-2-Clause""

 

Generic-Copyleft-Clause

Description

New License.

Strings which denote a copyleft license or copyleft license (licenses in the copyleft default LTG) that are obvious misspellings.

Examples

• "copyleft"
• (Distribute Left)
• Copyleft 2015
• copyleft-next-0.3.1
• [{"type":"GNU"}]

 

Generic-Weak-Copyleft-Clause

Description

New License.

Strings which denote a weak copyleft license or weak copyleft licenses (licenses in the weak copyleft default LTG) that are obvious misspellings.

Examples

Currently None

 

See-License-Clause

Description

New License.

Strings which denote a potential license file that was referenced in the license object

Examples

• "./LICENSE"
• "LICESE"
• "See LICENSE file"
• "SEE LICENSE IN LICENSE FOLDER"
• "SEE LICENSE IN meta/CODEF_LICENSE.md"
• Located in license.html
• The Software shall be used for Good, not Evil. (see LICENSE)

  

Commercial

Description

Existing License.

Licenses or License Strings which limit free or commercial use.

Examples

• "Closed-Source"
• "Comercial"
• "commercial open source"
• "http://www.fusioncharts.com/buy/"
• "TeamMentor Commercial License"
• [{"type":"Closed Source"}]
• [{"type":"Commercial","url":"http://www.nimblescript.com/modules/mockupsNode/license.txt"}]
• Closed Source
• Commercial property
• https://www.froala.com/wysiwyg-editor/pricing
• Non Free

 

Not-Provided

Description

Existing License.

Licenses or License Strings which are known licenses but the obligations have not been researched and categorized by the Sonatype research team.

Examples

• "CC BY-NC 4.0"
• "ChengQianLicense"
• "CRAPL"
• "DataTiger Fair Source License"
• "Dojo"
• "GeoNutzV-Berlin"
• "StrongLoop"