Summary
A recent analysis of the license objects in the npm ecosystem has resulted in 11 new special licenses that denote license and/or security risk derived from the developer-supplied license text. This license text is the npm package.json license field.
These licenses have been categorized by Sonatype as defined below and will be recognized in new installations with a classification in the appropriate License Threat Group. For existing instances, these new licenses are downloaded when Sonatype IQ Server is restarted or when a scanned component associated with one of the new licenses is encountered. The licenses should be added to the License Threat Group listed below, or to a group recommended by your legal counsel, to resolve the resulting policy violations.
These new licenses represent obligation clauses: the license text supplied by the developer is not a valid license string, but the npm license object contains words that could denote a legal obligation.
Below is a list of the new licenses and license details.
| License Short Name | License Long Name | License Threat Group |
| --- | --- | --- |
| Nonsensical-Clause | Nonsensical Clause | Non-Standard |
| Obligation-Clause | Obligation Clause | Banned |
| Proprietary-Clause | Proprietary Clause | Banned |
| Copyright-Clause | Copyright Clause | Banned |
| Malicious-Content-Clause | Malicious Content Clause | Banned |
| Identity-Clause | Identity Clause | Non-Standard |
| Generic-Open-Source-Clause | Generic Open Source Clause | Liberal |
| Generic-Liberal-Clause | Generic Liberal Clause | Liberal |
| Generic-Copyleft-Clause | Generic Copyleft Clause | Copyleft |
| Generic-Weak-Copyleft-Clause | Generic Weak Copyleft Clause | Weak Copyleft |
| See-License-Clause | See License Clause | Non-Standard |
Nonsensical-Clause
Description
New License.
License strings which contain nonsensical words or alphanumeric strings. The project author put text in the license object from which no license intent can be interpreted.
Examples
- --
- ???
- " \\"modules\\","
- "(K)"
- "111111"
- "adhoc"
- "budong"
- "byvoidmodulemawei"
Obligation-Clause
Description
New License.
License strings which contain a potential obligation and the license obligation can’t be mapped to a valid known license.
Examples
- "Beer"
- Beer or money
Proprietary-Clause
Description
New License.
License strings which contain a restriction of use.
Examples
- "private"
- "Proprietary"
- "Utilisation privée - Réservée à l'auteur"
- Confidential and Proprietary
- For internal use only
- Not for public
- Private Property
Copyright-Clause
Description
New License.
License strings which denote a copyright, or that no rights exist, and do not provide information that can be associated with a valid license.
Examples
- "(c) Copyright 2015 corey hadden, all rights reserved"
- "@ystk_yrk & UNITED ARROWS LTD."
- "©"
- "All rights reserved 2018"
- (C) Richard Anderson
- "No license"
- "NonLicensed"
Malicious-Content-Clause
Description
New License.
A license string that contains injectable or malicious content.
Examples
- "<%= applicense %>"
- "<script>alert(3)</script>"
- "HGLv2<!--\\" onmouseover=alert(1)"
- "HGLv2<!--\\""
- {"name":"__proto__","url":"javascript:alert(1)//\\"' onmouseover=alert(1)"}
- {"name":{"toLowerCase":"constructor"},"url":"javascript:alert(1)//"' onmouseover=alert(1)"}
- HGLv2<!-- onmouseover=alert(1)"
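The summary above describes how free-text license objects are mapped onto these special licenses, and the examples in this section show why the mapping has to start with a content-safety check: the license field is developer-controlled text that can carry HTML, template syntax or hostile JSON keys. The following Python classifier is an added example, not Sonatype's matching logic or code from the page; its regexes, its short list of SPDX ids per License Threat Group, its constructed entity list and its choice to rank a license array by its riskiest entry are all assumptions made here. It flattens the three shapes npm accepts for `license` (string, `{type, url}` object, list of objects), scans the raw JSON for injectable content before guessing any license intent, uses edit distance to catch obvious misspellings of known ids, and hands anything it cannot interpret to a human instead of guessing.

```python
"""Heuristic classifier for npm package.json "license" values.

Added example: maps free-text license fields onto the special licenses listed on
this page. Regexes, SPDX id lists, entity list and group ranking are assumptions
made for this example, not Sonatype's matching rules.
"""
import json
import re

# Assumption: a few valid SPDX ids grouped by their default License Threat Group.
KNOWN_IDS = {
    "Liberal": ["MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"],
    "Copyleft": ["GPL-2.0", "GPL-3.0", "AGPL-3.0"],
    "Weak Copyleft": ["LGPL-2.1", "LGPL-3.0", "MPL-2.0"],
}
ID_TO_GROUP = {spdx.lower(): (spdx, group) for group, ids in KNOWN_IDS.items() for spdx in ids}
GENERIC_BY_GROUP = {
    "Liberal": "Generic-Liberal-Clause",
    "Copyleft": "Generic-Copyleft-Clause",
    "Weak Copyleft": "Generic-Weak-Copyleft-Clause",
}
# Assumption: rank used to pick the riskiest entry when the field is a license array.
GROUP_RANK = {"Banned": 5, "Copyleft": 4, "Weak Copyleft": 3, "Non-Standard": 2, "Liberal": 1}

# Runs on the raw JSON before any intent is guessed, so hostile keys ("__proto__")
# and nested objects are covered as well as plain strings.
MALICIOUS_RE = re.compile(r"<\s*script|<!--|javascript\s*:|\bon\w+\s*=|<%=|__proto__", re.I)

# Ordered: the first match wins, so restrictive wording is checked before generic
# "free"/"open source" wording ("Non Free" must not read as a liberal license).
ORDERED_CHECKS = [
    (r"see licen[sc]e|licen[sc]e\.(md|txt|html)|^\.?/?licen[sc]e$", ("See-License-Clause", "Non-Standard")),
    (r"\b(private|proprietary|confidential|internal use|not for public)\b", ("Proprietary-Clause", "Banned")),
    (r"comm?ercial|closed.source|non.free|/buy/|pricing", ("Commercial", "Banned")),  # group: assumption
    (r"\(c\)|©|all rights reserved|no licen[sc]e|nonlicensed|copyright", ("Copyright-Clause", "Banned")),
    (r"copyleft|distribute left|\bgnu\b", ("Generic-Copyleft-Clause", "Copyleft")),
    (r"\bbeer\b", ("Obligation-Clause", "Banned")),
    (r"\bfree\b|open source|\boss\b", ("Generic-Open-Source-Clause", "Liberal")),
    # e-mail address or a constructed (not real) list of known entities
    (r"[\w.+-]+@[\w-]+\.[\w.-]+|^(paypal|hello kitty|concurix)$", ("Identity-Clause", "Non-Standard")),
]


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot obvious misspellings of known ids."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_text(text):
    """Classify one license string; returns (license name, License Threat Group)."""
    stripped = text.strip()
    lowered = stripped.lower()
    if lowered in ID_TO_GROUP:
        return ID_TO_GROUP[lowered]  # a valid id needs no special license
    for key, (_spdx, group) in ID_TO_GROUP.items():
        if _edit_distance(lowered, key) <= (1 if len(key) <= 4 else 2):  # short ids: tighter tolerance
            return (GENERIC_BY_GROUP[group], group)  # obvious misspelling of a known id
    for pattern, result in ORDERED_CHECKS:
        if re.search(pattern, stripped, re.I):
            return result
    if not re.search(r"[A-Za-z]{3,}", stripped):
        return ("Nonsensical-Clause", "Non-Standard")
    return ("Unclassified", "Non-Standard")  # hand to a human rather than guess intent


def _license_strings(raw):
    """Flatten the npm license shapes (string, {type,url} object, list of objects)."""
    if isinstance(raw, str):
        return [raw]
    if isinstance(raw, dict):
        return [raw["type"]] if isinstance(raw.get("type"), str) else []
    if isinstance(raw, list):
        return [s for item in raw for s in _license_strings(item)]
    return []


def classify_license_field(raw):
    """Classify a whole package.json "license" value, whatever shape npm accepts."""
    serialized = raw if isinstance(raw, str) else json.dumps(raw, ensure_ascii=False)
    if MALICIOUS_RE.search(serialized):
        return ("Malicious-Content-Clause", "Banned")
    results = [classify_text(t) for t in _license_strings(raw)]
    if not results:
        return ("Nonsensical-Clause", "Non-Standard")
    return max(results, key=lambda r: GROUP_RANK.get(r[1], 0))


if __name__ == "__main__":
    # Constructed package.json fragments, not taken from any real package.
    for fragment in ('{"license": "BDS-2-Clause"}', '{"license": "See LICENSE file"}',
                     '{"license": [{"type": "MIT"}, {"type": "GNU"}]}'):
        print(fragment, "->", classify_license_field(json.loads(fragment)["license"]))
```

The order of the checks is the point worth keeping when adapting this: the injectable-content scan sees the serialized object, including keys, before any string is trusted enough to pattern-match, and a license array inherits the threat group of its worst entry rather than its first. Strings that match nothing are returned as `Unclassified` so they surface for review rather than being silently dropped into a liberal group.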
Identity-Clause
Description
New License.
License strings that contain a known entity or identity without other license clauses.
Examples
- "@ystk_yrk & UNITED ARROWS LTD."
- "2ClickSolutions"
- "Concurix"
- "cosmasmallya@rocketmail.com"
- "Hello Kitty"
- "koolearn.com"
- "PayPal"
Generic-Open-Source-Clause
Description
New License.
License strings which denote an intent to release as open source without a specific named license.
Examples
- "free"
- free binary
- Free Open Source
- Free-for-all
- open source
- Open Source License
- A business-friendly OSS license
Generic-Liberal-Clause
Description
New License.
Strings which denote a liberal license, or which are obvious misspellings of liberal licenses (licenses in the default Liberal License Threat Group).
Examples
- "apace"
- "BDS-2-Clause"
- "WTFGPL"
- Apach-2.0
- BD-2-Clause""
Generic-Copyleft-Clause
Description
New License.
Strings which denote a copyleft license, or which are obvious misspellings of copyleft licenses (licenses in the default Copyleft License Threat Group).
Examples
- "copyleft"
- (Distribute Left)
- Copyleft 2015
- copyleft-next-0.3.1
- [{"type":"GNU"}]
Generic-Weak-Copyleft-Clause
Description
New License.
Strings which denote a weak copyleft license, or which are obvious misspellings of weak copyleft licenses (licenses in the default Weak Copyleft License Threat Group).
Examples
Currently None
See-License-Clause
Description
New License.
Strings which denote a potential license file that was referenced in the license object.
Examples
- "./LICENSE"
- "LICESE"
- "See LICENSE file"
- "SEE LICENSE IN LICENSE FOLDER"
- "SEE LICENSE IN meta/CODEF_LICENSE.md"
- Located in license.html
- The Software shall be used for Good, not Evil. (see LICENSE)
Commercial
Description
Existing License.
Licenses or License Strings which limit free or commercial use.
Examples
- "Closed-Source"
- "Comercial"
- "commercial open source"
- "http://www.fusioncharts.com/buy/"
- "TeamMentor Commercial License"
- [{"type":"Closed Source"}]
- [{"type":"Commercial","url":"http://www.nimblescript.com/modules/mockupsNode/license.txt"}]
- Closed Source
- Commercial property
- https://www.froala.com/wysiwyg-editor/pricing
- Non Free
Not-Provided
Description
Existing License.
Licenses or License Strings which are known licenses but the obligations have not been researched and categorized by the Sonatype research team.
Examples
- "CC BY-NC 4.0"
- "ChengQianLicense"
- "CRAPL"
- "DataTiger Fair Source License"
- "Dojo"
- "GeoNutzV-Berlin"
- "StrongLoop"