Overview

This topic describes the information provided on the License Details screen (Risk Score Attribution), and License Analysis.

Risk Score Attribution

License Risk Scores

The following table contains a list of licenses with detailed copyright risk scores as provided by Mend:

License                | Copyright Risk Score
Academic 3.0           | 39
AGPL 3.0               | 91
Apache 1.0             | 39
Apache 1.1             | 39
Apache 2.0             | 39
Apple 2.0              | 52
Artistic 2.0           | 65
Attribution Assurance  | 39
Beerware               | 39
Boost                  | 39
Bouncy Castle          | 39
BSD 2                  | 39
BSD 3                  | 39
BSD 4                  | 39
CC BY 1.0              | 39
CC BY SA 4.0           | 39
CDDL 1.0               | 52
CDDL 1.1               | 52
CNRI Jython            | 39
Common Public 1.0      | 52
Computer Associates    | 65
Eclipse 1.0            | 65
Eclipse 2.0            | 65
EDL 1.0                | 39
Educational 2.0        | 39
Eiffel Forum 2.0       | 39
Entessa                | 39
EU DataGrid            | 39
Frameworx 1.0          | 78
Golang BSD + Patents   | 39
GPL 1.0                | 78
GPL 2.0                | 78
GPL 2.0 Classpath      | 65
GPL 3.0                | 78
Historical Permission  | 39
IBM                    | 39
Illinois/NCSA          | 39
ISC                    | 39
LGPL 2.0               | 65
LGPL 2.1               | 65
LGPL 3.0               | 65
Lucent 1.02            | 39
Microsoft Public       | 65
Microsoft Reciprocal   | 52
MIT                    | 39
Mozilla 1.0            | 65
Mozilla 1.1            | 65
Mozilla 2.0            | 65
NUnit                  | 39
Open LDAP 2.4          | 39
OpenSSL                | 39
PostgreSQL             | 39
Public Domain          | 13
Python 2.0             | 39
Ruby                   | 78
SIL Open Font 1.1      | 39
Unlicense              | 13
X.Net                  | 39
Zlib                   | 39

Parameter Definitions

This table provides the possible values Mend uses to display Copyleft risk information.

Copyleft

Value   | Description
Full    | Copyleft on modifications as well as own code that uses the OSS
Partial | Copyleft applies only to modifications
No      | Not a Copyleft license

This table describes the Copyright risk scores.

Copyright Risk Score

Value | Description                                                                                                                                                                                                                                                                                   | Associated Risk
13    | Licensee may use the code without restriction                                                                                                                                                                                                                                                 | LOW
26    | Anyone who distributes the code must retain any attributions included in the original distribution                                                                                                                                                                                            | LOW
39    | Anyone who distributes the code must provide certain notices, attributions and/or license terms in documentation with the software                                                                                                                                                            | LOW
52    | Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge                                                                                                                                               | LOW
65    | Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. (example: LGPL) | MEDIUM
78    | Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification. (example: GPL)                                                                       | HIGH
91    | Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero) | HIGH
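As an added illustration (not Mend's code and not part of the original page), the script below applies the copyright risk bands from the table above to a small dependency inventory. The scores and band labels are the page's; the inventory, the usage flags (modified, distributed, dynamically linked, hosted) and the review helper are assumptions made for the example.

```python
"""Added example, not Mend's code: apply this page's copyright risk tiers to a
constructed dependency inventory. Scores and bands come from the page's tables;
the inventory and the usage flags are assumptions for illustration."""

# Copyright risk scores for a subset of the page's license table.
LICENSE_SCORES = {
    "Public Domain": 13, "MIT": 39, "Apache 2.0": 39, "CDDL 1.1": 52,
    "LGPL 2.1": 65, "Mozilla 2.0": 65, "GPL 3.0": 78, "AGPL 3.0": 91,
}

def risk_band(score):
    """Associated Risk label for a copyright risk score, per the page's table."""
    if score <= 52:
        return "LOW"
    return "MEDIUM" if score == 65 else "HIGH"

def source_disclosure_may_apply(score, modified, distributed, dynamic_link, hosted):
    """True when the page's description for this score says source may have to be
    published, given how the dependency is used. Tiers <= 39 only impose notice
    or attribution duties, so they never return True."""
    if score == 91:                      # Affero tier: distribution OR hosting
        return distributed or hosted
    if not distributed:                  # every other tier triggers on distribution
        return False
    if score == 78:                      # GPL tier: product source on distribution
        return True
    if score == 65:                      # LGPL tier: exception for dynamic linking
        return not dynamic_link
    if score == 52:                      # only the modification itself
        return modified
    return False

def review(inventory, distributed, hosted):
    """Return (name, license, band, needs_review) for each inventory entry."""
    rows = []
    for dep in inventory:
        score = LICENSE_SCORES[dep["license"]]
        flag = source_disclosure_may_apply(score, dep["modified"], distributed,
                                           dep["dynamic_link"], hosted)
        rows.append((dep["name"], dep["license"], risk_band(score), flag))
    return rows

# Constructed inventory: a backend that is hosted as a service but never shipped.
INVENTORY = [
    {"name": "json-parser", "license": "MIT", "modified": False, "dynamic_link": False},
    {"name": "crypto-lib", "license": "LGPL 2.1", "modified": False, "dynamic_link": True},
    {"name": "db-driver", "license": "GPL 3.0", "modified": True, "dynamic_link": False},
    {"name": "web-framework", "license": "AGPL 3.0", "modified": False, "dynamic_link": False},
]

if __name__ == "__main__":
    for row in review(INVENTORY, distributed=False, hosted=True):
        print(row)
```

Running the same inventory with distributed=True shows how the GPL entry becomes a disclosure concern while the dynamically linked LGPL entry does not, which is exactly the distinction between the 65 and 78 tiers.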

This table describes the Patent and Royalty risk scores.

Patent & Royalty Risk Score

Value | Description                                 | Associated Risk
20    | Royalty-free and no identified patent risks | LOW
40    | Royalty-free unless litigated               | LOW
60    | No patents granted                          | MEDIUM
80    | Specific identified patent risks            | HIGH

This table describes the license Linking values.

Linking

Value     | Description
Viral     | Will substantially infect the code linked to this OSS
Non-Viral | Will not affect the licensing of the linking code
Dynamic   | Dynamic linking will not infect

This table describes the Royalty values.

Royalty Free

Value       | Description
Yes         | Royalty-free and no identified patent risks
Conditional | Royalty-free unless litigated
No          | No patents granted

License Analysis

Risk & Remediation

Each license has been researched in order to determine and provide the following license risk information:

  1. Copyright Risk Score: A measure of the copyright risk.

    1. Licensee may use the code without restriction.

    2. Anyone who distributes the code must retain any attributions included in the original distribution.

    3. Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software.

    4. Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. (example: LGPL)

    5. Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification. (example: GPL)

    6. Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero)

  2. Patent & Royalty Risk: A measure of the patent and royalty risk.

    1. Royalty-free and no identified patent risks.

    2. Royalty-free unless litigated.

    3. No patents granted.

    4. Specific identified patent risks.

  3. Royalty Free: Some licenses explicitly grant a patent license. Some explicitly say they do not, e.g., ClearBSD. Some condition the license on the user not suing, and if the user sues the license is revoked.

    1. Yes

    2. No

    3. Conditional

  4. Copyleft: This is the main requirement of the GPL license, demanding that derivative works abide by the same license as the OSS. LGPL and several other licenses are also copyleft. This is a somewhat fluid determination but can be used as a general guideline. We indicate that our determination may be incorrect and is given AS IS.

    1. Full: Copyleft on modifications as well as own code that uses the OSS.

    2. Partial: Copyleft applies only to modifications.

    3. No: Not a copyleft license.

  5. Linking: This is the main addition of the LGPL, allowing other programs to use the library through dynamic linking without infringing the GPL license. Some other licenses also allow linking with them (dynamically or statically).

    1. Viral: Will substantially infect the code linked to this OSS.

    2. Non-viral: Will not affect the licensing of the linking code.

    3. Dynamic: Dynamic linking will not infect.

  6. OSD Compliant: Whether the license was reviewed and approved by the respective authority:

    1. Open Source Initiative

    2. GNU General Public License

    3. Free Software Foundation

    4. Debian Free Software Guidelines

    5. Fedora Project

NOTE: This information is provided on an as-is basis and should be reviewed with a legal advisor.

For example, LGPL 2.1 has the following risk factors:

...

Requirements

Mend also provides "Required Notices" information for each license, indicating what information must be published, specified, retained, notified, etc. along with the license text itself.

For example, the LGPL 2.1 license should be published with the following requirements:

...

This page is available at: https://docs.mend.io/bundle/sca_user_guide/page/understanding_risk_score_attribution_and_license_analysis.html