OSS License Enhancements

Sonatype is excited to announce significant enhancements to our OSS License detection system that improve coverage, accuracy, and data delivery.

The enhancements will go live on April 22, 2019. Once active, all application scans will access the new detection system.

How does this change benefit my organization?

Users will now have access to nearly 500 new licenses with further increased coverage around the corner (see below). You can view a list of those licenses grouped by Sonatype default LTG classification here. Note: By design, licenses will not be assigned to the default LTGs in existing IQ Server instances.

In addition, new license requests will now be processed significantly faster as a result of the enhancements to our license detection system.

How are licenses made available to my Nexus IQ Server?

All application scans occurring on or after April 22, 2019 will receive the new results. If any artifact contained in those scans is identified with a new license, this will trigger a download of all new licenses to your local IQ Server. New licenses will be displayed in the Component Information Panel (CIP) for applicable artifacts and will be available in the License Threat Groups tab within the Organizations and Policies view.

If you wish to proactively download all new licenses, simply restart your IQ Server. Once restarted, all new licenses will be available in the License Threat Groups tab within the Organizations and Policies view.

What is the impact of these improvements to my organization?

You will see enhanced License coverage and accuracy upon a scan of new or existing application reports. As a result:

  • You will notice a change in License policy violation count across various artifacts within an application report due to enhanced license detections.
    • Licensing on an artifact has changed, e.g. License A is now License B
    • Licensing on an artifact has been added, e.g. License A is now License A & B
    • Licensing on an artifact has been declared, e.g. Not Provided is now License A
  • If you are using the Sonatype Reference Policy
    • You will notice an increase in “License-Threat Not Assigned” violations due to new licenses not belonging to an LTG.
    • You will notice a reduction in License-None policy violations due to enhanced license coverage and accuracy.
  • You will need to update your License Threat Groups (LTGs) to assign the newly added licenses according to your organizational standards. You can view a complete list of new licenses here.

IMPORTANT NOTE: When new policy violations are triggered, any enforcement actions (warn/fail) configured for that policy will also be triggered. For example, if a “Fail” action is configured for the Build Stage, developer builds will fail.

What are the proactive measures to help prepare for the update?

Since all application scans occurring on or after April 22, 2019 will receive the new results, here are a few recommendations on how best to prepare:

  • Communicate these License improvements to your developers.
  • Consider disabling enforcement actions across your policies to provide each team sufficient time to assess the new findings prior to failing a development stage.
  • Since this update includes both expanded coverage of new license data and enhanced accuracy of existing license data, it will be difficult to compare the new report to an old one. For a list of the new policy violations resulting from the update, simply configure policy notifications. Since notifications only include new violations, the recipient will receive a notification that lists each of the new policy violations for a given application resulting from the update.
  • Export a snapshot of the Dashboard View Application Tab to provide high level comparison following the update.
  • If you are not using the Sonatype Reference Policy, you may consider adding the “License-Threat Not Assigned” policy with the below configuration. This will trigger a violation for any licenses scanned that are not assigned to an LTG. You may also consider configuring a notification to the appropriate party that can take action to assign these.

Can I reevaluate all applications at once?

Where applications are built infrequently, resulting in a time gap between scans, it may be beneficial to initiate a “Reevaluate” of applications from the administrative port.

This first requires that Continuous Monitoring be configured for all applications in scope.

You can then trigger continuous monitoring to run immediately by issuing the following request to the IQ Server's administrative port (default is 8071):

$ curl -X POST http://localhost:8071/tasks/triggerPolicyMonitor

The following response indicates that it is complete: Completed manual Policy Monitor execution

You will need access to the administrative port, which is used for IT debugging and operations, rather than the usual IQ Server administrator role.

IMPORTANT NOTE: The IQ Server may experience a temporary performance impact in cases where Reevaluate is triggered across a large number of applications. We advise planning this for a period of downtime or decreased developer activity.

Is there a place I can reference all Sonatype default license classifications?

Yes! Our License Obligation Review Tool (LORT) allows you to do that and more. You can view all supported licenses, license text, license obligations, and LTG classification.

To access LORT you must be a Sonatype customer. Please reach out to your Customer Success Engineer (CSE) for access.

How often does Sonatype provide these data updates?

Utilizing a combination of automated and in-depth manual research, Sonatype Data Research provides continuous updates made immediately available to all IQ Server instances through Sonatype Data Services.

Given the complexities, when necessary, Sonatype will provide significant updates outside of the aforementioned continuous process. In these exceptional cases, we take care to inform you by providing an explanation of the update, sufficient lead time to communicate across your organization, and proactive guidance on how best to prepare.

What other License enhancements are planned?

We are planning an update in the May timeframe which will provide further increased coverage of OSS Licenses. This will be smaller in scope than the April 22nd update. We will provide customers with advance notice of the update. Stay tuned!

Continuous updates will continue to be made available to all IQ Server instances through Sonatype Data Services in parallel to these types of larger enhancements.

Where can I ask additional questions?

You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will empower you to create and reply to other threads initiated by both the Sonatype team and your community peers. Notifications can be easily configured to ensure you are aware of updates for a specific thread and/or important announcements within the Community.

Chris - I can’t access the list of new licenses, can you either provide them or give me access?
Also, I’d like to know more about the LORT tool to review licenses and license threat groups. I’ll reach out to Paige, our customer success engineer, about that.