OSS licensing

preZero offers tools that help you view and manage the legal risks that arise when software developers leverage third-party, open-source software.

SBOM and licensing information

The software bill of materials (SBOM) generated by preZero is a complete list of all software components used by the application you submit to preZero for analysis. The SBOM includes third-party libraries and vendor-issued packages and displays the following details about each dependency:

  • The version used;
  • The type (e.g., npm for JavaScript packages or pypi for Python dependencies);
  • The license type;
  • The total number of CVEs the dependency introduces, as well as the number of reachable CVEs;
  • When preZero first identified the dependency as part of your application.

In short, the SBOM provides you with the information you need to determine your application's security and legal impact based on the dependencies your application leverages.

Obtaining licensing information

preZero offers you several ways to obtain licensing information for your open-source packages:

  • SBOM report: The SBOM report, which preZero generates for each application you submit, includes a column that displays the license for each dependency.

    Dashboard screen showing information that populates the SBOM report
  • API: preZero's List app findings endpoint returns the findings for an application, including the tags associated with each finding. The license tag is keyed as package_license:

    {
      "ok": true,
      "response": {
        "scan": {...},
        "findings": [
          {
            "id": "25",
            "app": "hello_python",
            "type": "oss_vuln",
            ...
            "details": {},
            "tags": [
              {
                "key": "package_license",
                "value": "BSD-3-Clause"
              }
            ]
          }
        ]
      }
    }

Supported license types

Currently, preZero can detect licensing information for the following types of packages/modules:

Language      Package/Module Type
C#            NuGet
Go            Go modules
Java          Maven
JavaScript    npm
Python        PyPI

Working with licensing information

preZero's build rules allow you to set limitations based on the licenses used by dependencies. For example, you can configure build rules so the build fails if the developer includes a package utilizing a certain license (e.g., fail the build if any package comes with an ISC license).
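The following Python is an added example, not preZero's own code or client library: it walks a response shaped like the List app findings output shown in the SBOM section, collects each finding's package_license tag, and reports findings whose license is on a caller-supplied deny list, mirroring the ISC-style build rule described above. The sample response, its ids and its licenses are constructed for illustration, and findings without a package_license tag are surfaced as UNKNOWN rather than dropped.

```python
import json
from typing import Dict, List

# Constructed sample, shaped like the List app findings response shown in the
# SBOM section; the ids, app name and licenses are made up for illustration.
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "response": {
        "scan": {},
        "findings": [
            {"id": "25", "app": "hello_python", "type": "oss_vuln", "details": {},
             "tags": [{"key": "package_license", "value": "BSD-3-Clause"}]},
            {"id": "26", "app": "hello_python", "type": "oss_vuln", "details": {},
             "tags": [{"key": "package_license", "value": "ISC"}]},
            # A finding with no tags at all: its license cannot be determined.
            {"id": "27", "app": "hello_python", "type": "oss_vuln", "details": {},
             "tags": []},
        ],
    },
})

UNKNOWN = "UNKNOWN"


def finding_licenses(raw: str) -> Dict[str, str]:
    """Map each finding id to its package_license tag value (UNKNOWN if absent)."""
    doc = json.loads(raw)
    if not doc.get("ok"):
        raise ValueError("findings request did not succeed (ok != true)")
    licenses: Dict[str, str] = {}
    for finding in doc.get("response", {}).get("findings", []):
        # Tags are a list of {"key": ..., "value": ...}; index them by key.
        tags = {t.get("key"): t.get("value") for t in finding.get("tags", [])}
        licenses[finding["id"]] = tags.get("package_license") or UNKNOWN
    return licenses


def denied_findings(raw: str, denylist: List[str], fail_on_unknown: bool = False) -> List[str]:
    """Return sorted ids of findings whose license is on the deny list.

    Comparison is case-insensitive; with fail_on_unknown set, findings that
    carry no package_license tag are reported too, since an unknown license
    cannot be cleared by a license policy.
    """
    banned = {name.upper() for name in denylist}
    hits = []
    for fid, lic in finding_licenses(raw).items():
        if lic.upper() in banned or (fail_on_unknown and lic == UNKNOWN):
            hits.append(fid)
    return sorted(hits)
```

Run against a real endpoint response, the same two functions give a local pre-check of the license rule before the build itself is evaluated.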