How does nexus IQ server by Sonatype Lifecycle release 103 determine license threat level

I have a couple decades of full stack developer experience including much use of open source. I have been tasked with helping my colleagues address attack vulnerabilities and licensing issues in their use of open source.

I have accessed our nexusIQ server by Sonatype Lifecycle release 103 site and am preparing to introduce my colleagues to your reports. I need answers to questions I anticipate before I address them.

I have found 3rd party libraries for which, as I read their licenses, I do not understand why your tool flagged them as license risks. Specifically, mysql : mysql-connector-java : 8.0.16 flagged as a level 8 “License-Copyleft” and org.opensaml : openws : 1.4.2-1 flagged “License-Commercial” threat level 7.

I could easily have misunderstood their licenses. Sonatype refers to the Apache license 2.0, and their GitHub license page specifically grants Commercial use permission. The MySQL document says, "This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at Universal Permissive License FAQ or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license."

I need to be able to explain to my colleagues why these packages are license threats. I am sure that other such questions will arise. I chose these two in the hopes of understanding your process well enough to explain it.

Thank you very much.

Hello @william.taylor, and welcome!

I am going to see if I can find out a bit more information for you but in the meantime, also wanted to note that you can report your question or issue at https://support.sonatype.com to receive licensed customer support as a Nexus Lifecycle user. This is one of the services your license pays for.

Thanks!

When multiple licenses may apply, the violations will be based on all that may be applicable. If you’ve examined the licensing terms and determined to your satisfaction that Apache 2.0 applies in your situation, you can use the license override feature to set the license and clear the violation:

https://help.sonatype.com/iqserver/reporting/application-composition-report/component-license-information#ComponentLicenseInformation-Selecting,Overriding,andEditingLicenses

1 Like
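The rule in the answer above (every license that may apply counts, and the reported threat is the worst of them until a reviewer overrides the selection) can be modelled in a few lines. The script below is an added illustration, not Sonatype's code or policy: the category names, the threat levels per category, the license-to-category table, and the component `example.org:dual-licensed-lib:1.0.0` are all constructed assumptions, chosen only to mirror the 7/8 levels mentioned in the question.

```python
"""Constructed model of multi-license threat evaluation (not Sonatype's code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed policy table: threat level per license category. Real IQ Server
# policies are configured per organisation; these numbers are illustrative.
CATEGORY_THREAT = {
    "Liberal": 0,
    "Weak Copyleft": 4,
    "Commercial": 7,
    "Copyleft": 8,
}

# Assumed mapping of SPDX-style identifiers to categories.
LICENSE_CATEGORY = {
    "Apache-2.0": "Liberal",
    "MIT": "Liberal",
    "UPL-1.0": "Liberal",
    "LGPL-2.1": "Weak Copyleft",
    "GPL-2.0": "Copyleft",
    "Proprietary": "Commercial",
}


@dataclass
class Component:
    coordinates: str
    declared: list[str]                                   # licenses in POM / metadata
    observed: list[str] = field(default_factory=list)     # licenses found in artifact files
    override: str | None = None                           # license chosen by a human reviewer


def effective_licenses(c: Component) -> list[str]:
    """An override replaces the whole candidate set; otherwise every license
    that may apply (declared or observed) is considered."""
    if c.override:
        return [c.override]
    return sorted(set(c.declared) | set(c.observed))


def threat_level(c: Component) -> tuple[int, str]:
    """Return the highest threat level over all effective licenses together
    with the license that produced it. Unknown licenses are treated as the
    worst case, since an unreviewed license cannot be assumed permissive."""
    worst_level, worst_lic = -1, "none"
    for lic in effective_licenses(c):
        cat = LICENSE_CATEGORY.get(lic)
        level = CATEGORY_THREAT[cat] if cat else max(CATEGORY_THREAT.values())
        if level > worst_level:
            worst_level, worst_lic = level, lic
    return (max(worst_level, 0), worst_lic)


def flagged(c: Component, threshold: int = 7) -> bool:
    """True when the component would raise a violation at the given threshold."""
    return threat_level(c)[0] >= threshold


# Constructed dual-licensed component standing in for the cases in the thread:
# permissive licenses declared, but a copyleft header observed in a bundled file.
dual = Component(
    coordinates="example.org:dual-licensed-lib:1.0.0",
    declared=["Apache-2.0", "UPL-1.0"],
    observed=["GPL-2.0"],
)

if __name__ == "__main__":
    print(threat_level(dual))   # (8, 'GPL-2.0') before any override
    dual.override = "Apache-2.0"
    print(threat_level(dual))   # (0, 'Apache-2.0') once a reviewer selects Apache-2.0
```

The point to take to colleagues is that the number on the report is the maximum over the candidate set, not the license the project advertises; a permissive declared license does not lower the score while a copyleft or commercial candidate remains unresolved. The override is what records the reviewer's decision and, once set, it is the only license that is evaluated, so it deserves the same scrutiny as the original finding.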

Thank you, that was helpful.