Understanding Risk Score Attribution and License Analysis

Overview

This topic describes the information provided on the License Details screen (Risk Score Attribution) and in License Analysis.

Risk Score Attribution

License Risk Scores

The following table lists licenses with their copyright risk scores as provided by WhiteSource.

| License | Copyright Risk Score |
| --- | --- |
| Academic 3.0 | 39 |
| AGPL 3.0 | 91 |
| Apache 1.0 | 39 |
| Apache 1.1 | 39 |
| Apache 2.0 | 39 |
| Apple 2.0 | 52 |
| Artistic 2.0 | 65 |
| Attribution Assurance | 39 |
| Beerware | 39 |
| Boost | 39 |
| Bouncy Castle | 39 |
| BSD 2 | 39 |
| BSD 3 | 39 |
| BSD 4 | 39 |
| CC BY 1.0 | 39 |
| CC BY SA 4.0 | 39 |
| CDDL 1.0 | 52 |
| CDDL 1.1 | 52 |
| CNRI Jython | 39 |
| Common Public 1.0 | 52 |
| Computer Associates | 65 |
| Eclipse 1.0 | 65 |
| Eclipse 2.0 | 65 |
| EDL 1.0 | 39 |
| Educational 2.0 | 39 |
| Eiffel Forum 2.0 | 39 |
| Entessa | 39 |
| EU DataGrid | 39 |
| Frameworx 1.0 | 78 |
| Golang BSD + Patents | 39 |
| GPL 1.0 | 78 |
| GPL 2.0 | 78 |
| GPL 2.0 Classpath | 65 |
| GPL 3.0 | 78 |
| Historical Permission | 39 |
| IBM | 39 |
| Illinois/NCSA | 39 |
| ISC | 39 |
| LGPL 2.0 | 65 |
| LGPL 2.1 | 65 |
| LGPL 3.0 | 65 |
| Lucent 1.02 | 39 |
| Microsoft Public | 65 |
| Microsoft Reciprocal | 52 |
| MIT | 39 |
| Mozilla 1.0 | 65 |
| Mozilla 1.1 | 65 |
| Mozilla 2.0 | 65 |
| NUnit | 39 |
| Open LDAP 2.4 | 39 |
| OpenSSL | 39 |
| PostgreSQL | 39 |
| Public Domain | 13 |
| Python 2.0 | 39 |
| Ruby | 78 |
| SIL Open Font 1.1 | 39 |
| Unlicense | 13 |
| X.Net | 39 |
| Zlib | 39 |

Parameter Definitions

This table lists the possible values WhiteSource uses to display Copyleft risk information.

Copyleft

| Value | Description |
| --- | --- |
| Full | Copyleft on modifications as well as own code that uses the OSS |
| Partial | Copyleft applies only to modifications |
| No | Not a Copyleft license |

This table describes the Copyright risk scores.

Copyright Risk Score

| Value | Description | Associated Risk |
| --- | --- | --- |
| 13 | Licensee may use the code without restriction | LOW |
| 26 | Anyone who distributes the code must retain any attributions included in the original distribution | LOW |
| 39 | Anyone who distributes the code must provide certain notices, attributions and/or license terms in documentation with the software | LOW |
| 52 | Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge | LOW |
| 65 | Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. (example: LGPL) | MEDIUM |
| 78 | Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification. (example: GPL) | HIGH |
| 91 | Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero) | HIGH |

This table describes the Patent and Royalty risk scores.

Patent & Royalty Risk Score

| Value | Description | Associated Risk |
| --- | --- | --- |
| 20 | Royalty-free and no identified patent risks | LOW |
| 40 | Royalty-free unless litigated | LOW |
| 60 | No patents granted | MEDIUM |
| 80 | Specific identified patent risks | HIGH |

This table describes the license Linking values.

Linking

| Value | Description |
| --- | --- |
| Viral | Will substantially infect the code linked to this OSS |
| Non-Viral | Will not affect the licensing of the linking code |
| Dynamic | Dynamic linking will not infect |

This table describes the Royalty values.

Royalty Free

| Value | Description |
| --- | --- |
| Yes | Royalty-free and no identified patent risks |
| Conditional | Royalty-free unless litigated |
| No | No patents granted |

License Analysis

Risk & Remediation

Each license has been researched in order to determine and provide the following license risk information:

  1. Copyright Risk Score: A measure of the copyright risk.

    1. Licensee may use code without restriction.

    2. Anyone who distributes the code must retain any attributions included in original distribution.

    3. Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software.

    4. Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. (example: LGPL)

    5. Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification. (example: GPL)

    6. Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero)

  2. Patent & Royalty Risk: A measure of the patent and royalty risk.

    1. Royalty-free and no identified patent risks.

    2. Royalty-free unless litigated.

    3. No patents granted.

    4. Specific identified patent risks.

  3. Royalty Free: Some licenses explicitly grant a patent license. Some explicitly say they do not, e.g., ClearBSD. Some condition the license on the user not suing; if the user sues, the license is revoked.

    1. Yes

    2. No

    3. Conditional

  4. Copyleft: This is the main requirement of the GPL license, demanding that derivative work abide by the same license as the OSS. LGPL and several other licenses are also copyleft. This is a somewhat fluid determination but can be used as a general guideline. We indicate that our determination may be incorrect and is given AS IS.

    1. Full: Copyleft on modifications as well as own code that uses the OSS.

    2. Partial: Copyleft applies only to modifications.

    3. No: Not a Copyleft license.

  5. Linking: This is the main addition of LGPL, allowing other programs to use the library through dynamic linking without infringing on the GPL license. Some other licenses allow linking with them (dynamically or statically).

    1. Viral: Will substantially infect the code linked to this OSS.

    2. Non-viral: Will not affect the licensing of the linking code.

    3. Dynamic: Dynamic linking will not infect.

  6. OSD Compliant: Whether the license was reviewed and approved by the respective authority:

    1. Open Source Initiative

    2. GNU General Public License

    3. Free Software Foundation

    4. Debian Free Software Guidelines

    5. Fedora Project

NOTE: This information is provided on an as-is basis and should be reviewed with a legal advisor.
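The score bands in the Copyright Risk Score table and the trigger conditions in their descriptions (distribution, hosted use, the dynamic-linking exception) are what a supply-chain policy gate has to encode. The following added example, which is not WhiteSource code, applies those rules to a constructed dependency inventory: the license-to-score values are copied from the License Risk Scores table above, while the inventory entries, their linking mode and their distribution/hosting metadata are constructed for illustration.

```python
"""Added example (not WhiteSource code): a release gate that applies the
copyright risk score bands and their trigger conditions from the tables above
to a constructed dependency inventory."""
from dataclasses import dataclass
from typing import List, Tuple

# Copyright risk scores for a subset of licenses, copied from the
# License Risk Scores table above.
COPYRIGHT_SCORE = {
    "Public Domain": 13,
    "MIT": 39,
    "Apache 2.0": 39,
    "CDDL 1.0": 52,
    "LGPL 2.1": 65,
    "GPL 3.0": 78,
    "AGPL 3.0": 91,
}


def copyright_band(score: int) -> str:
    """Map a copyright risk score to its associated risk band (table above)."""
    if score in (13, 26, 39, 52):
        return "LOW"
    if score == 65:
        return "MEDIUM"
    if score in (78, 91):
        return "HIGH"
    raise ValueError(f"unknown copyright risk score: {score}")


@dataclass
class Component:
    name: str
    version: str
    license: str
    linking: str       # constructed metadata: "dynamic", "static" or "none"
    distributed: bool  # is the product shipped to third parties?
    hosted: bool       # is the product offered as a hosted/web service?


@dataclass
class Finding:
    component: str
    score: int
    band: str
    obligation: str   # what the score's description requires
    triggered: bool   # does the usage context trigger that obligation?


def evaluate(c: Component) -> Finding:
    """Apply the trigger condition from the score's description to one component."""
    score = COPYRIGHT_SCORE.get(c.license)
    if score is None:
        # Unknown license: route to manual review instead of silently passing.
        return Finding(c.name, -1, "UNKNOWN",
                       "license not in score table; manual review", True)
    band = copyright_band(score)
    if score == 91:
        # Affero-style: distribution OR hosted use can require source disclosure.
        return Finding(c.name, score, band,
                       "disclose source on distribution or hosted use",
                       c.distributed or c.hosted)
    if score == 78:
        return Finding(c.name, score, band,
                       "disclose product source on distribution", c.distributed)
    if score == 65:
        # LGPL-style: exception for software that dynamically links to the code.
        return Finding(c.name, score, band,
                       "disclose source on distribution unless dynamically linked",
                       c.distributed and c.linking != "dynamic")
    if score == 52:
        return Finding(c.name, score, band,
                       "disclose source of modifications on distribution",
                       c.distributed)
    if score in (26, 39):
        return Finding(c.name, score, band,
                       "retain attributions / provide notices on distribution",
                       c.distributed)
    return Finding(c.name, score, band, "no restriction", False)


def gate(components: List[Component],
         fail_bands: Tuple[str, ...] = ("HIGH", "UNKNOWN")) -> List[Finding]:
    """Return the findings that block a release: triggered obligations in a failing band."""
    return [f for f in (evaluate(c) for c in components)
            if f.triggered and f.band in fail_bands]


# Constructed inventory for demonstration (not real project data).
INVENTORY = [
    Component("left-pad", "1.3.0", "MIT", "none", True, False),
    Component("libfoo", "2.1.0", "LGPL 2.1", "dynamic", True, False),
    Component("libbar", "0.9.0", "LGPL 2.1", "static", True, False),
    Component("gpl-tool", "3.0.0", "GPL 3.0", "static", False, True),
    Component("agpl-db", "1.0.0", "AGPL 3.0", "none", False, True),
    Component("mystery", "1.0.0", "Custom-EULA", "none", True, False),
]

if __name__ == "__main__":
    for comp in INVENTORY:
        f = evaluate(comp)
        print(f"{f.component:10} {f.score:>3} {f.band:8} triggered={f.triggered!s:5} {f.obligation}")
    print("blocking release:", [f.component for f in gate(INVENTORY)])
```

The two LGPL 2.1 entries show why linking metadata matters: the same score 65 (MEDIUM) is triggered for the statically linked copy and not for the dynamically linked one, while the GPL 3.0 tool used only as a hosted service is not triggered at all, but the AGPL 3.0 component is, because its score 91 description covers hosted use as well as distribution.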

For example, LGPL 2.1 has the following risk factors:

Requirements

WhiteSource also provides "Required Notices" information for each license, indicating what must be published, specified, retained, or notified along with the license text itself.

For example, the LGPL 2.1 license should be published with the following requirements: