I have a couple of decades of full-stack developer experience, including much use of open source. I have been tasked with helping my colleagues address attack vulnerabilities and licensing issues in their use of open source.
I have accessed our Nexus IQ Server (Sonatype Lifecycle release 103) site and am preparing to introduce my colleagues to your reports. I need answers to questions I anticipate before I address them.
I have found third-party libraries which, as I read their licenses, I do not understand why your tool flagged as license risks. Specifically, mysql : mysql-connector-java : 8.0.16 is flagged as a level 8 "License-Copyleft" and org.opensaml : openws : 1.4.2-1 is flagged "License-Commercial" at threat level 7.
I could easily have misunderstood their licenses. Sonatype refers to the Apache License 2.0, and their GitHub license page specifically grants commercial use permission. The MySQL document says, "This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at Universal Permissive License FAQ or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license."
I need to be able to explain to my colleagues why these packages are license threats. I am sure that other such questions will arise. I chose these two in the hopes of understanding your process well enough to explain it.
Thank you very much.