I have a frontend application that is pulling a couple of proprietary dependencies from our nexus repository.
Sonatype Lifecycle will flag these dependencies for critical policy violations against “License-None” because these packages do not contain a licenses.
My solution was to set a constraint on the policy so a component is only in violation if "Proprietary is false".
I then tried to add a Proprietary Component on the Root Organization level that would match all my proprietary frontend packages.
The package names are all of the form ${companyName}-${packageName}, so I tried to configure a Matcher Type of “Package” with the value ${companyName}-.
This did not work, as my dependencies were still flagged as violating License-None.
Then I read through the Proprietary Components documentation and decided to try a RegEx Matcher for matching a particular filename which would turn the component proprietary.
I instructed our frontend teams to add an empty file named .${companyName}-proprietary to the root of each proprietary package and configured a matcher of type “Regular Expression” on that filename.
Still this did not work and the components are not correctly recognized as proprietary components.
So now my question: has anyone gotten something similar to work? Is the proprietary components matcher even implemented for npm packages, or is it just for Java?
Or am I completely on the wrong track here and misusing a feature for unintended purposes?
Any help would be appreciated, cause the current solution of issuing waivers per proprietary dependency, reaaally doesn’t scale well 
