Declared license types to denote license risk

Summary

A recent analysis of the license objects in the npm ecosystem has resulted in 11 new special licenses that denote license and/or security risk derived from the developer-supplied license text. This text is the value of the license field defined by the npm package.json specification.

These licenses have been categorized by Sonatype as defined below. New installations recognize them with a classification in the appropriate License Threat Group. In existing instances the new licenses are downloaded when the IQ Server is restarted or when a scanned component is first associated with one of them, but they are not assigned to a License Threat Group automatically: add each license to the group listed below, or to whichever group your legal counsel recommends, to resolve the resulting policy violations.

These new licenses represent obligation clauses rather than licenses. That is, the license text supplied by the package author is not a valid license identifier, but the npm license object contains words that could denote a legal obligation (or, in the case of the Malicious-Content-Clause, a security risk to whatever displays the text).

Below is a list of the new licenses and license details.

License Short Name             License Long Name             License Threat Group
Nonsensical-Clause             Nonsensical Clause            Non-Standard
Obligation-Clause              Obligation Clause             Banned
Proprietary-Clause             Proprietary Clause            Banned
Copyright-Clause               Copyright Clause              Banned
Malicious-Content-Clause       Malicious Content Clause      Banned
Identity-Clause                Identity Clause               Non-Standard
Generic-Open-Source-Clause     Generic Open Source Clause    Liberal
Generic-Liberal-Clause         Generic Liberal Clause        Liberal
Generic-Copyleft-Clause        Generic Copyleft Clause       Copyleft
Generic-Weak-Copyleft-Clause   Generic Weak Copyleft Clause  Weak Copyleft
See-License-Clause             See License Clause            Non-Standard
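The following is an added example, not Sonatype's implementation and not part of this article: a heuristic classifier in JavaScript that maps the text of an npm package.json license field onto the clause names and License Threat Groups in the table above. The regular expressions, the short SPDX list and the entity list are assumptions built from the example strings quoted on this page; the matching rules the IQ Server actually uses are not documented here.

```javascript
// Added example, not Sonatype's implementation: heuristic classification of an npm
// package.json "license" value into the clause categories of the table above.
// Every pattern and list here is an assumption derived from the page's examples.

// Small constructed set of canonical SPDX identifiers (the real list has hundreds).
// An exact match is a real license, not a clause, and is returned unchanged.
const KNOWN_SPDX = new Map(
  ['MIT', 'ISC', '0BSD', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0', 'MPL-2.0',
   'LGPL-2.1-only', 'GPL-2.0-only', 'GPL-3.0-only', 'Unlicense', 'WTFPL']
    .map((id) => [id.toLowerCase(), id]),
);

// Entities taken from the Identity-Clause examples on this page (constructed list;
// a production rule set would use a curated organisation directory).
const KNOWN_ENTITIES = ['paypal', 'concurix', 'hello kitty', '2clicksolutions'];

// Ordered rules: first match wins, so the most severe categories are tested first.
// Malicious content goes before everything else because a payload may also contain
// words ("HGLv2", "license") that would satisfy a milder rule further down.
const RULES = [
  ['Malicious-Content-Clause', /<\s*[a-z!%\/]|javascript\s*:|\bon\w+\s*=|__proto__|"constructor"/i],
  ['See-License-Clause', /\bsee\s+licen|^\.?\/?lic[ens]+e$|licen[cs]e\.(html|md|txt)\b|licen[cs]e\s+(file|folder)\b/i],
  ['Proprietary-Clause', /\bpriv(at|[ée])|propriet|properit|internal use|confidential|not for pu\w*/i],
  ['Commercial', /commercial|comercial|closed[- ]?source|non[- ]?free|\/buy\b|pricing/i],
  ['Copyright-Clause', /copyright|\(c\)|©|all rights reserved|^no ?licen[cs]e$/i],
  ['Generic-Copyleft-Clause', /copyleft|distribute left|\bgnu\b|\bgpl\b/i],
  ['Generic-Weak-Copyleft-Clause', /weak[- ]?copyleft|\blgpl\b/i], // page lists no examples yet
  ['Generic-Liberal-Clause', /\bapac|\bbds?-\d|wtf/i],
  ['Generic-Open-Source-Clause', /open[- ]?source|\bfree\b/i],
  ['Obligation-Clause', /\bbeer(ware)?\b/i],
];

// License Threat Group for each clause, as listed in the table above. Commercial and
// Not-Provided are existing licenses whose group the page does not state.
const LICENSE_THREAT_GROUP = {
  'Nonsensical-Clause': 'Non-Standard',
  'Obligation-Clause': 'Banned',
  'Proprietary-Clause': 'Banned',
  'Copyright-Clause': 'Banned',
  'Malicious-Content-Clause': 'Banned',
  'Identity-Clause': 'Non-Standard',
  'Generic-Open-Source-Clause': 'Liberal',
  'Generic-Liberal-Clause': 'Liberal',
  'Generic-Copyleft-Clause': 'Copyleft',
  'Generic-Weak-Copyleft-Clause': 'Weak Copyleft',
  'See-License-Clause': 'Non-Standard',
};

// E-mail addresses, bare domain names and company suffixes also count as identities.
function looksLikeIdentity(text) {
  const lower = text.toLowerCase();
  if (KNOWN_ENTITIES.some((entity) => lower.includes(entity))) return true;
  return /\S+@\S+\.\S+|\b[\w-]+\.(com|net|org|io)\b|\b(ltd|inc|llc|gmbh|corp)\b/i.test(text);
}

// Returns a canonical SPDX id for a recognised license, otherwise the clause name.
// Legacy object/array forms are classified on their JSON text, which is how the
// page's own examples ([{"type":"GNU"}], {"name":"__proto__",...}) are shown.
function classifyLicenseString(raw) {
  const text = (typeof raw === 'string' ? raw : JSON.stringify(raw ?? '')).trim();
  if (text === '' || text === '""') return null; // no license text at all: nothing to classify
  const spdx = KNOWN_SPDX.get(text.toLowerCase());
  if (spdx) return spdx;
  for (const [clause, pattern] of RULES) {
    if (pattern.test(text)) return clause;
  }
  if (looksLikeIdentity(text)) return 'Identity-Clause';
  return 'Nonsensical-Clause'; // no interpretable license intent
}

function threatGroupFor(classification) {
  return LICENSE_THREAT_GROUP[classification] ?? null;
}

// Constructed sample drawn from the examples quoted on this page.
const SAMPLE_LICENSE_STRINGS = [
  'MIT', '<script>alert(3)</script>', 'Beer or money', 'Not for pulic',
  'All rights reserved 2018', 'cosmasmallya@rocketmail.com', 'Free-for-all',
  'BDS-2-Clause', 'WTFGPL', '[{"type":"GNU"}]', 'LICESE', 'Non Free', 'byvoidmodulemawei',
];
for (const s of SAMPLE_LICENSE_STRINGS) {
  const c = classifyLicenseString(s);
  console.log(`${JSON.stringify(s)} -> ${c} (${threatGroupFor(c) ?? 'group not given on this page'})`);
}
```

Rule order is the design point: a string such as "TeamMentor Commercial License" contains the word "License" and would reach the Generic-Open-Source rule if Commercial were tested later, and every XSS payload on this page also contains ordinary words, so the malicious-content check must run first. Strings the page lists under two categories ("NonLicensed", "@ystk_yrk & UNITED ARROWS LTD.") are left to whichever rule fires first rather than special-cased.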


Nonsensical-Clause

Description

New License.

License strings which consist of nonsensical words or alphanumeric strings. The project author put text in the license object from which no license intent can be interpreted.

Examples

  • --
  • ???
  • " \\"modules\\","
  • "(K)"
  • "111111"
  • "adhoc"
  • "budong"
  • "byvoidmodulemawei"


Obligation-Clause

Description

New License.

License strings which contain a potential obligation and the license obligation can’t be mapped to a valid known license.

Examples

  • "Beer"
  • Beer or money


Proprietary-Clause

Description

New License.

License strings which contain a restriction on use.

Examples

  • "private"
  • "Properitory"
  • "Utilisation privée - Réservée à l'auteur"
  • Confidential and Proprietary
  • For internal use only
  • Not for pulic
  • Private Property


Copyright-Clause

Description

New License.

License strings which assert a copyright or that no rights are granted, and which provide no information that can be associated with a valid license.

Examples

  • "(c) Copyright 2015 corey hadden, all rights reserved"
  • "@ystk_yrk & UNITED ARROWS LTD."
  • "©"
  • "All rights reserved 2018"
  • (C) Richard Anderson
  • "No license"
  • "NonLicensed"


Malicious-Content-Clause

Description

New License.

A license string that contains injectable or malicious content, such as HTML or script aimed at tools that render the license field, or object shapes aimed at code that processes it.

Examples

  • "<%= applicense %>"
  • "<script>alert(3)</script>"
  • "HGLv2<!--\\" onmouseover=alert(1)"
  • "HGLv2<!--\\""
  • {"name":"__proto__","url":"javascript:alert(1)//\\"' onmouseover=alert(1)"}
  • {"name":{"toLowerCase":"constructor"},"url":"javascript:alert(1)//"' onmouseover=alert(1)"}
  • HGLv2<!-- onmouseover=alert(1)"
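As an added example (not Sonatype code and not part of this article), the following JavaScript shows what the payloads above are aimed at and how a consumer of package.json metadata should handle them: a non-string name such as {"toLowerCase":"constructor"} is rejected instead of being passed to string methods, a name of "__proto__" is indexed in a Map so it never reaches the prototype accessor of a plain object, javascript: URLs are dropped, and the string is HTML-escaped before it reaches a report. The package names and the SAMPLE_PACKAGES list are constructed for the demonstration.

```javascript
// Added example, not Sonatype code: defensive normalization of the npm "license"
// field before it is indexed or rendered. Shapes handled: SPDX string, legacy
// {type|name, url} object, and arrays of such objects (the deprecated "licenses" form).

const ALLOWED_URL_SCHEMES = new Set(['http:', 'https:']);

// Accepts one license entry in any historic shape and returns {name, url} holding
// plain strings only, or null when the entry cannot be trusted.
function normalizeLicenseEntry(entry) {
  if (typeof entry === 'string') return { name: entry.trim(), url: null };
  if (entry === null || typeof entry !== 'object' || Array.isArray(entry)) return null;

  // {"toLowerCase":"constructor"} is an object, not a string: reject it here rather
  // than throwing later when some report calls name.toLowerCase().
  const rawName = entry.type ?? entry.name;
  if (typeof rawName !== 'string') return null;

  // Only http(s) URLs survive; "javascript:alert(1)//..." parses but is discarded.
  let url = null;
  if (typeof entry.url === 'string') {
    try {
      const parsed = new URL(entry.url);
      if (ALLOWED_URL_SCHEMES.has(parsed.protocol)) url = parsed.href;
    } catch {
      // not a URL at all: leave url null
    }
  }
  return { name: rawName.trim(), url };
}

// "license" may be a string, an object or an array; "licenses" (deprecated) is an array.
function normalizeLicenseField(pkg) {
  const raw = pkg.license ?? pkg.licenses ?? [];
  const entries = Array.isArray(raw) ? raw : [raw];
  return entries.map(normalizeLicenseEntry).filter(Boolean);
}

// Index by license name in a Map, not a plain object: index["__proto__"] on {}
// resolves to the prototype accessor rather than an ordinary property, so the entry
// is silently lost or the loop throws; a Map key is just a string.
function indexByName(pkgs) {
  const index = new Map();
  for (const pkg of pkgs) {
    for (const lic of normalizeLicenseField(pkg)) {
      if (!index.has(lic.name)) index.set(lic.name, []);
      index.get(lic.name).push(pkg.name);
    }
  }
  return index;
}

// Escape before interpolating into an HTML report: "<script>" and 'onmouseover='
// payloads are inert once the five metacharacters are encoded.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderLicenseCell(lic) {
  const name = escapeHtml(lic.name);
  return lic.url ? `<a href="${escapeHtml(lic.url)}">${name}</a>` : name;
}

// Constructed sample packages; the two object payloads are the ones quoted on this page.
const SAMPLE_PACKAGES = [
  { name: 'good-pkg', license: 'MIT' },
  { name: 'legacy-pkg', licenses: [{ type: 'BSD-2-Clause', url: 'https://opensource.org/licenses/BSD-2-Clause' }] },
  { name: 'proto-pkg', license: { name: '__proto__', url: 'javascript:alert(1)//"\' onmouseover=alert(1)' } },
  { name: 'notstring-pkg', license: { name: { toLowerCase: 'constructor' }, url: 'javascript:alert(1)//' } },
  { name: 'xss-pkg', license: '<script>alert(3)</script>' },
];

for (const [name, pkgs] of indexByName(SAMPLE_PACKAGES)) {
  console.log(`${renderLicenseCell({ name, url: null })} <- ${pkgs.join(', ')}`);
}
```

Note that the normalizer keeps "__proto__" as a name: it is not dangerous as data, only as a property key, so the fix is to choose a container that treats it as data. The classification of such a string as Malicious-Content-Clause is still the right policy outcome; the code above only ensures the scanner itself is not the thing that breaks.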

Identity-Clause

Description

New License.

License strings that contain a known entity or identity without other license clauses.

Examples

  • "@ystk_yrk & UNITED ARROWS LTD."
  • "2ClickSolutions"
  • "Concurix"
  • "cosmasmallya@rocketmail.com"
  • "Hello Kitty"
  • "koolearn.com"
  • "PayPal"


Generic-Open-Source-Clause

Description

New License.

License strings which denote an intent to release as open source without a specific named license.

Examples

  • "free"
  • "NonLicensed"
  • free binary
  • Free Open Source
  • Free-for-all
  • open source
  • Open Source License


Generic-Liberal-Clause

Description

New License.

Strings which denote a generic liberal license, or which are obvious misspellings of licenses in the default Liberal License Threat Group.

Examples

  • "apace"
  • "BDS-2-Clause"
  • "WTFGPL"
  • Apach-2.0
  • BD-2-Clause""


Generic-Copyleft-Clause

Description

New License.

Strings which denote a generic copyleft license, or which are obvious misspellings of licenses in the default Copyleft License Threat Group.

Examples

  • "copyleft"
  • (Distribute Left)
  • Copyleft 2015
  • copyleft-next-0.3.1
  • [{"type":"GNU"}]


Generic-Weak-Copyleft-Clause

Description

New License.

Strings which denote a generic weak copyleft license, or which are obvious misspellings of licenses in the default Weak Copyleft License Threat Group.

Examples

Currently None


See-License-Clause

Description

New License.

Strings which refer to a license file rather than naming the license in the license object.

Examples

  • "./LICENSE"
  • "LICESE"
  • "See LICENSE file"
  • "SEE LICENSE IN LICENSE FOLDER"
  • "SEE LICENSE IN meta/CODEF_LICENSE.md"
  • Located in license.html
  • The Software shall be used for Good, not Evil. (see LICENSE)


Commercial

Description

Existing License.

Licenses or license strings which restrict free use or indicate that a commercial license is required.

Examples

  • "Closed-Source"
  • "Comercial"
  • "commercial open source"
  • "http://www.fusioncharts.com/buy/"
  • "TeamMentor Commercial License"
  • [{"type":"Closed Source"}]
  • [{"type":"Commercial","url":"http://www.nimblescript.com/modules/mockupsNode/license.txt"}]
  • Closed Source
  • Commercial property
  • https://www.froala.com/wysiwyg-editor/pricing
  • Non Free


Not-Provided

Description

Existing License.

Licenses or license strings which name a known license whose obligations have not yet been researched and categorized by the Sonatype research team.

Examples

  • "CC BY-NC 4.0"
  • "ChengQianLicense"
  • "CRAPL"
  • "DataTiger Fair Source License"
  • "Dojo"
  • "GeoNutzV-Berlin"
  • "StrongLoop"

