Open Source Package Unknown License

Bridgecrew policy ID: BC_LIC_2
Severity: LOW

Open Source Package Unknown Licenses

Description

Open source software licenses govern how others – besides the originator – can use, modify, or distribute software code. They grant other users the permission and rights to use or repurpose the code for new applications or to include the code in other projects.

Selecting an open source license type depends largely on the intention of the licensor or developer for use of the software.

Our out-of-the-box (OOTB) compliance policy treats the set of approved SPDX licenses as a closed list of known licenses and checks each package's declared license against it. A license that is unknown or cannot be found could still pose a liability risk, so packages with unknown licenses should be examined before use.

If a license is not officially SPDX approved or is not recognized (because of a typo, an unofficial name, a license that cannot be found, a private license, etc.), it is reported as an unknown license and treated as a policy violation.
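The closed-list check described above, written out as an added example (not Bridgecrew's or Checkov's own code): every identifier in a package's declared license must appear in the known SPDX list, and a missing, misspelled, unofficial or private license is reported as unknown. The `SPDX_IDS` subset, the result labels and the sample package manifest are constructed for illustration.

```python
import re
from typing import Optional

# Constructed subset of SPDX license identifiers; the real policy uses the
# full SPDX license list. Anything not in this set is "unknown".
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "ISC", "MPL-2.0"}

COMPLIANT, UNKNOWN = "compliant", "unknown"  # result labels used by this example

# Split an SPDX expression such as "(MIT OR Apache-2.0)" into its identifiers.
# License exceptions ("WITH ...") are out of scope here and fall through as unknown.
_EXPR_SPLIT = re.compile(r"\s+(?:AND|OR)\s+|[()]")


def license_ids(expr: str) -> list[str]:
    """Return the bare license identifiers contained in an SPDX expression."""
    return [tok for tok in (part.strip() for part in _EXPR_SPLIT.split(expr)) if tok]


def classify_license(declared: Optional[str]) -> str:
    """COMPLIANT only if every identifier is on the closed list; otherwise UNKNOWN."""
    if not declared or not declared.strip():
        return UNKNOWN  # license not found in the package metadata
    ids = license_ids(declared)
    if not ids:
        return UNKNOWN  # expression had no identifiers at all, e.g. "()"
    # Exact match only: "Apache 2.0" or "MIT License" deliberately do not match.
    return COMPLIANT if all(i in SPDX_IDS for i in ids) else UNKNOWN


def scan_packages(packages: dict[str, Optional[str]]) -> list[dict]:
    """Emit one BC_LIC_2 finding per package whose license is unknown."""
    return [
        {"package": name, "license": lic, "policy": "BC_LIC_2", "severity": "LOW"}
        for name, lic in packages.items()
        if classify_license(lic) == UNKNOWN
    ]


# Constructed sample manifest: package name -> declared license string.
SAMPLE_PACKAGES = {
    "left-pad": "MIT",                      # compliant
    "requests": "Apache-2.0",               # compliant
    "dual-licensed": "(MIT OR Apache-2.0)", # compliant: both identifiers known
    "typo-pkg": "Apache 2.0",               # unknown: typo, not an SPDX identifier
    "legacy-pkg": "MIT License",            # unknown: unofficial name
    "internal-tool": "Proprietary",         # unknown: private license
    "no-license": None,                     # unknown: license not found
}

if __name__ == "__main__":
    for finding in scan_packages(SAMPLE_PACKAGES):
        print(finding)
```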