OSS licensing

Qwiet AI by Harness offers tools that help you view and manage the legal risks that arise when software developers leverage third-party, open-source software.

SBOM and licensing information

The software bill of materials (SBOM) generated by Qwiet AI by Harness is a complete list of all software components used by the application you submit to Qwiet AI by Harness for analysis. The SBOM includes third-party libraries and vendor-issued packages and displays the following details about each dependency:

  • The version used;
  • The type (e.g., npm for JavaScript packages or pypi for Python dependencies);
  • The license type;
  • The total number of CVEs the dependency introduces, as well as the number of reachable CVEs;
  • When Qwiet AI by Harness first identified the dependency as part of your application.

In short, the SBOM provides you with the information you need to determine your application's security and legal impact based on the dependencies your application leverages.

Obtaining licensing information

Qwiet AI by Harness offers you several ways to obtain licensing information for your open-source packages:

  • SBOM report: The SBOM report, which Qwiet AI by Harness generates for each application you submit, includes a column that displays the license for each dependency.

    [Screenshot: Dashboard screen showing information that populates the SBOM report]
  • API: The Qwiet AI by Harness List app findings endpoint returns the findings for an application, including the tags associated with each finding. The specific tag is keyed as package_license:

    {
      "ok": true,
      "response": {
        "scan": {...},
        "findings": [
          {
            "id": "25",
            "app": "hello_python",
            "type": "oss_vuln",
            ...
            "details": {},
            "tags": [
              {
                "key": "package_license",
                "value": "BSD-3-Clause"
              }
            ]
          }
        ]
      }
    }

Supported license types

Currently, Qwiet AI by Harness can detect licensing information for the following types of packages/modules:

Language      Package/Module Type
C#            NuGet
Go            Go modules
Java          Maven
JavaScript    npm
Python        PyPI

Working with licensing information

The Qwiet AI by Harness build rules allow you to set limitations based on the licenses used by dependencies. For example, you can configure build rules so the build fails if the developer includes a package utilizing a certain license (e.g., fail the build if any package comes with an ISC license).
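As an added example (not Qwiet AI by Harness code or SDK), the Python below parses a findings response in the shape shown for the List app findings endpoint, maps each finding to its package_license tag, and applies the kind of license denylist a build rule enforces, failing on the ISC case from the paragraph above. The payload, finding ids and app name are constructed for illustration; no endpoint is called.

```python
import json

# Constructed sample of a "List app findings" response (not a real capture).
# Shape follows the documented example: response.findings[].tags[{key, value}].
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "response": {
        "scan": {"id": "1"},
        "findings": [
            {"id": "25", "app": "hello_python", "type": "oss_vuln",
             "tags": [{"key": "package_license", "value": "BSD-3-Clause"}]},
            {"id": "26", "app": "hello_python", "type": "oss_vuln",
             "tags": [{"key": "package_license", "value": "ISC"}]},
            {"id": "27", "app": "hello_python", "type": "oss_vuln",
             "tags": []},  # dependency with no license tag recorded
        ],
    },
})


def finding_licenses(raw):
    """Map each finding id to its package_license value (None if untagged)."""
    payload = json.loads(raw)
    if not payload.get("ok"):
        raise ValueError("API reported failure")
    result = {}
    for finding in payload["response"]["findings"]:
        # Tags are a list of {key, value}; pick the package_license entry.
        licenses = [t["value"] for t in finding.get("tags", [])
                    if t.get("key") == "package_license"]
        result[finding["id"]] = licenses[0] if licenses else None
    return result


def license_violations(raw, denied, fail_on_unknown=True):
    """Return ids of findings whose license is denied or, by default, missing."""
    denied = {d.lower() for d in denied}
    violations = []
    for fid, lic in finding_licenses(raw).items():
        # An untagged dependency is not evidence of compliance.
        if lic is None and fail_on_unknown:
            violations.append(fid)
        elif lic is not None and lic.lower() in denied:
            violations.append(fid)
    return violations


if __name__ == "__main__":
    print(license_violations(SAMPLE_RESPONSE, {"ISC"}))  # ['26', '27']
```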