Automatically choose whitelisted license in an "or" clause

Issue: Nexus firewall quarantines an artifact due to presence of banned license in dual license list.

For example -
Selected Version: 1.4.20
Type: maven
Group: org.jetbrains.kotlin
Artifact: kotlin-allopen
Extension: jar
Classifier: sources
Version: 1.4.20
Declared License: Apache-2.0
Observed License: GPL or NPL-1.1,BSD-3-Clause,Apache-2.0
Effective License: GPL or NPL-1.1,BSD-3-Clause,Apache-2.0
Highest Policy Threat: 10 within 2 policies
Highest CVSS Score: NA
Cataloged: 3 months ago
Match State: exact
Identification Source: Sonatype
Category: Build Tools/Compilers

This artifact has files with multiple licenses -
(a) GPL or NPL-1.1,
(b) BSD-3-Clause
(c) Apache-2.0

These three license groups have at least one whitelisted license -
NPL-1.1 ← whitelisted
BSD-3-Clause ← whitelisted
Apache-2.0 ← whitelisted

In this example, Nexus IQ should use the whitelisted license in an "or" clause and should not block the component.
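As an added illustration (not part of the original request and not Nexus IQ/Firewall's own logic), the selection rule the post asks for can be sketched in Python. It assumes the layout shown in the Observed License field above (groups separated by commas, alternatives inside a group separated by "or") and uses a constructed allowlist matching the three licenses marked whitelisted:

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed allowlist: the licenses the post marks as whitelisted.
ALLOWED = {"NPL-1.1", "BSD-3-Clause", "Apache-2.0"}

# Tie-break order when more than one alternative in an "or" group is allowed
# (assumption for this example: more permissive first).
PREFERENCE = ["MIT", "BSD-3-Clause", "Apache-2.0", "NPL-1.1"]


def parse_license_field(field: str) -> List[List[str]]:
    """Split an Observed/Effective License string into groups of alternatives.

    "GPL or NPL-1.1,BSD-3-Clause,Apache-2.0" becomes
    [["GPL", "NPL-1.1"], ["BSD-3-Clause"], ["Apache-2.0"]].
    """
    groups: List[List[str]] = []
    for raw_group in field.split(","):
        parts = re.split(r"\s+or\s+", raw_group, flags=re.IGNORECASE)
        alternatives = [p.strip() for p in parts if p.strip()]
        if alternatives:
            groups.append(alternatives)
    return groups


def choose_license(alternatives: List[str], allowed, preference) -> Optional[str]:
    """Return the allowed alternative for one group (best by preference), else None."""
    permitted = [a for a in alternatives if a in allowed]
    if not permitted:
        return None
    rank = {name: i for i, name in enumerate(preference)}
    return min(permitted, key=lambda a: rank.get(a, len(rank)))


def evaluate(field: str, allowed=ALLOWED, preference=PREFERENCE) -> Tuple[bool, Dict[str, Optional[str]]]:
    """Decide whether a component would be quarantined under the proposed rule.

    Every comma-separated group must offer at least one allowed alternative;
    a group with none (e.g. a bare copyleft license) still quarantines.
    Returns (quarantine, {group text: chosen license or None}).
    """
    selections: Dict[str, Optional[str]] = {}
    quarantine = False
    for alternatives in parse_license_field(field):
        chosen = choose_license(alternatives, allowed, preference)
        selections[" or ".join(alternatives)] = chosen
        if chosen is None:
            quarantine = True
    return quarantine, selections
```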

Has this request been reviewed and prioritized? Would you be able to provide an ETA?

Hi Jitendra, rather than whitelist the license would you be more interested in a feature that allowed you to set up rules to autoselect a license?

In other words you could define rules for Firewall or Lifecycle to always select a more permissive license when presented with a multi-select option. Or even go further and create rules that stated things like, “always select MIT if available in a multi-select”?

Would that also resolve this use case of having a component be quarantined because one of the licenses in a multi-select is restrictive / copyleft?

I ask because we’re looking to start discovery on a rules based license selection feature in the Q3 / Q4-ish timeframe.

The proposal “have rules to always select a more permissive license when presented with a multi-select option” will satisfy our requirements.

I am curious whether you all are looking at implementing this feature. I think it would be really helpful to minimize the noise for certain types of components that are frequently dual licensed.