OSS licensing
preZero offers tools that help you view and manage the legal risks that arise when software developers leverage third-party, open-source software.
SBOM and licensing information
The software bill of materials (SBOM) generated by preZero is a complete list of all software components used by the application you submit to preZero for analysis. The SBOM includes third-party libraries and vendor-issued packages and displays the following details about each dependency:
- The version used;
- The type (e.g., npm for JavaScript packages or pypi for Python dependencies);
- The license type;
- The total number of CVEs the dependency introduces, as well as the number of reachable CVEs;
- When preZero first identified the dependency as part of your application.
In short, the SBOM provides you with the information you need to determine your application's security and legal impact based on the dependencies your application leverages.
Obtaining licensing information
preZero offers you several ways to obtain licensing information for your open-source packages:
- SBOM report: The SBOM report, which preZero generates for each application you submit, includes a column that displays the license for each dependency.
- API: preZero's List app findings endpoint returns the findings for an application, including the tags associated with each finding. The specific tag is keyed as package_license:

```json
{
  "ok": true,
  "response": {
    "scan": {...},
    "findings": [
      {
        "id": "25",
        "app": "hello_python",
        "type": "oss_vuln",
        ...
        "details": {},
        "tags": [
          {
            "key": "package_license",
            "value": "BSD-3-Clause"
          }
        ]
      }
    ]
  }
}
```
Supported license types
Currently, preZero can detect licensing information for the following types of packages/modules:
| Language | Package/Module Type |
|---|---|
| C# | NuGet |
| Go | Go modules |
| Java | Maven |
| JavaScript | npm |
| Python | PyPI |
Working with licensing information
preZero's build rules allow you to set limitations based on the licenses used by dependencies. For example, you can configure build rules so the build fails if the developer includes a package utilizing a certain license (e.g., fail the build if any package comes with an ISC license).
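As an added example (not preZero's own code or API client), the following Python reads a response shaped like the List app findings payload shown above, pulls the package_license tag out of each finding, and evaluates the result against a license deny-list such as the ISC rule described for build rules. The sample response is constructed here; the scan contents and the second and third findings are stand-ins, and findings without a package_license tag are treated as non-compliant unless explicitly allowed.

```python
import json

# Constructed sample shaped like the page's "List app findings" response.
# The "scan" contents and findings 26/27 are stand-ins; the field names and the
# package_license tag key are the ones the page documents.
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "response": {
        "scan": {"id": "scan-placeholder"},
        "findings": [
            {"id": "25", "app": "hello_python", "type": "oss_vuln", "details": {},
             "tags": [{"key": "package_license", "value": "BSD-3-Clause"}]},
            {"id": "26", "app": "hello_python", "type": "oss_vuln", "details": {},
             "tags": [{"key": "package_license", "value": "ISC"}]},
            {"id": "27", "app": "hello_python", "type": "oss_vuln", "details": {},
             "tags": []},
        ],
    },
})


def licenses_from_findings(raw: str) -> dict:
    """Map each finding id to the value of its package_license tag.

    A finding with no package_license tag is recorded as "UNKNOWN" so that a
    missing tag is never silently treated as a compliant license."""
    body = json.loads(raw)
    if not body.get("ok"):
        raise ValueError("List app findings call did not succeed")
    result = {}
    for finding in body.get("response", {}).get("findings", []):
        license_value = "UNKNOWN"
        for tag in finding.get("tags", []):
            if tag.get("key") == "package_license":
                license_value = tag.get("value", "UNKNOWN")
                break
        result[finding["id"]] = license_value
    return result


def check_license_policy(raw: str, denied: set, allow_unknown: bool = False) -> list:
    """Return the ids of findings that would fail a build rule denying the
    given licenses. Unknown licenses fail too unless allow_unknown is set."""
    failures = []
    for finding_id, lic in licenses_from_findings(raw).items():
        if lic in denied or (lic == "UNKNOWN" and not allow_unknown):
            failures.append(finding_id)
    return failures
```

Feeding a real response into check_license_policy with the deny-list you enforce in build rules lets you reproduce a failing build locally before pushing.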