Simplifying OSS License Analysis with FOSSA License Concluded

November 18, 2025 · 7 min read · Andy Drukarev

FOSSA’s license detection capabilities have long been regarded as the most comprehensive and accurate on the market. This is the case for a variety of reasons, including the fact that, unlike other tools, FOSSA goes well beyond reviewing what’s declared in project manifest files to surface all licenses and obligations.

Over the years, we’ve also prioritized building as many automations as possible into our license compliance management workflow, to save our customers time. For example, we’ve eliminated the need to manually compile license notices, inventory dependencies, sign off on open source usage requests from developers, and more.

The principles at the core of these innovations — to provide the most accurate license inventory possible, and to automate as much as possible — are what inspired today’s announcement of a feature we think will make a big difference for our license compliance customers.

FOSSA License Concluded is a new capability that gives organizations the ability to automate the previously manual work of analyzing multiple licenses associated with a single dependency — and, where legally appropriate, conclude to a single, dominant license. Modeled after the “PackageLicenseConcluded” field in the SPDX SBOM format, the intent of FOSSA License Concluded is to simplify your analysis in scenarios where multiple licenses are associated with a specific dependency — while, of course, maintaining essential compliance workflows.

In this blog, we’ll explain why we built License Concluded, how to get started using it, and how to customize its implementation to meet your organization’s needs.

Why FOSSA License Concluded

If you visit the GitHub repository of a popular open source project, you’ll often see a file named LICENSE.txt. This file (and other, similar file types) communicates the declared license for the open source project, i.e. the license the maintainer has selected to govern their code.

However, your license compliance obligations don’t end with the declared license. They also extend to any discovered licenses.

Consider, for example, a hypothetical where FOSSA detects a GPL-licensed file within an open source project that’s under a declared MIT license. In this case, even though the project’s stated license is MIT, the end-user will be responsible for complying with both MIT and GPL.

This is why you’ll sometimes see that FOSSA reports many different licenses associated with a particular open source component.

Of course, there are times when surfacing each and every discovered license can create a lot of noise for compliance professionals; certain licenses (such as those governing test files) can be safely ignored, and oftentimes producing a single compliance artifact (such as an attribution notice) can go a long way toward satisfying conditions in multiple licenses.

FOSSA License Concluded offers a new way for organizations to understand and focus on the licenses (and associated issues) that have the strongest claim to govern a particular open source component. It determines the dominant license for a project through a multi-step rating system that accounts for factors like:

  • Whether the license is declared or discovered
  • Where the license was found
  • Any additional credible publicly available data
  • License conclusions made by trusted and verified compliance teams that are part of the broader FOSSA user base

Depending on an organization’s implementation of FOSSA License Concluded (which we’ll discuss in more detail later in this post), expected outcomes include a reduction in the number of Licensing Issues, plus more clarity and context on governing license throughout the FOSSA UI.

How to Use FOSSA License Concluded

To get started using License Concluded, organizations will first need to turn on the feature. You can do this by navigating to your organization’s settings page within the FOSSA application.

Once enabled, License Concluded will take effect following your next FOSSA dependency analysis.

At that point, the first place you’ll likely see FOSSA License Concluded in action is on your project’s dependencies page. In addition to viewing the declared and discovered licenses associated with each dependency, you’ll now see the concluded license as well (denoted with a green check mark, as in the screenshot below).

Concluded license for the cryptography library

To see additional context about why FOSSA concluded to a specific license, you can click into the “Licenses” tab of a particular dependency. Note that from this “Licenses” tab you can also manually conclude to a different license than the one FOSSA recommends, to multiple licenses, or to no license at all.

When it comes to integrating License Concluded into your workflows, we’re providing three different implementation methods with varying degrees of balance between automation and manual oversight.

License Concluded: Full Implementation

The full implementation approach will result in the following changes to your experience with FOSSA:

  1. Issue Scanning: Choose to only include issues associated with concluded licenses during scans; this will likely result in a significantly lower number of licensing issues since it automatically ignores issues associated with declared and discovered licenses.
  2. Report Generation: Choose to only include the concluded license for a particular dependency in your reports. This will likely result in significantly shorter reports than when including both declared and discovered.

(Note that you should make sure to follow Steps 3 and 4 in the “Getting Started with FOSSA License Concluded” section below to achieve a full implementation.)

License Concluded: Partial Implementation

A partial implementation would utilize License Concluded during issue scans, but continue to display all declared and discovered licenses in reports.

Alternatively, a partial implementation could display only concluded licenses in reports, while continuing to surface issues associated with all declared and discovered licenses during issue scans.

License Concluded: Minimal Implementation

The minimal implementation approach makes no changes to your existing reporting or issue creation workflows. The only difference you’ll see is in the “Dependencies” tab of the FOSSA UI, which will now communicate the concluded license (along with the declared and discovered licenses) for each component.

Getting Started with FOSSA License Concluded

License Concluded is controlled at the policy level within FOSSA. This allows for an extra layer of customizability — for example, you may decide to focus only on issues from concluded licenses in a SaaS product but include issues from declared, discovered, and concluded licenses in a mobile app.

Here’s how configuring License Concluded works (once you’ve enabled it in your organization’s settings and triggered your first scan with the feature turned on):

  1. Get started by visiting the "Policies" tab in the FOSSA application.
  2. Then, select the Policy where you'd like to enable License Concluded.
  3. To only see issues from concluded licenses in your licensing issues: Click on the "Settings" tab from your selected Policy page, and turn on the "Intelligent Auto-Ignore" toggle. This setting means FOSSA will only create active issues for concluded licenses, not declared or discovered ones.
  4. To include concluded licenses in your licensing reports: Check the "Concluded License" box in the "Dependency Metadata" on the right side of the "Reports" page. You can also include or exclude Declared and Discovered licenses from your report by checking or unchecking those boxes.
  5. Follow the same process for including concluded licenses in your SBOM. For SPDX-formatted SBOMs, concluded licenses will be communicated in the packageLicenseConcluded field. For CycloneDX-formatted SBOMs, concluded licenses will be communicated in the acknowledgement field.
Example SPDX SBOM utilizing the license concluded field
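
A reviewer-side check over the SBOM fields named in step 5, as an added example that is not FOSSA's code: it lists packages that have no concluded license and the declared licenses a conclusion leaves out. It assumes SPDX 2.x JSON (where the concluded field is serialized as `licenseConcluded`) and CycloneDX 1.6 JSON (`acknowledgement` on each license entry); the sample documents and function names are constructed for illustration.

```python
import re

# Constructed sample SBOM fragments (not FOSSA output).
SPDX_SAMPLE = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "libalpha", "licenseDeclared": "MIT AND GPL-2.0-only", "licenseConcluded": "MIT"},
    {"name": "libbeta", "licenseDeclared": "Apache-2.0", "licenseConcluded": "NOASSERTION"},
    {"name": "libgamma", "licenseDeclared": "BSD-3-Clause", "licenseConcluded": "BSD-3-Clause"}]}
CDX_SAMPLE = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"name": "libalpha", "licenses": [
        {"license": {"id": "MIT", "acknowledgement": "concluded"}},
        {"license": {"id": "GPL-2.0-only", "acknowledgement": "declared"}}]}]}

def license_ids(expression):
    """Split an SPDX expression into identifier tokens (exception names after WITH included)."""
    if not expression or expression in ("NOASSERTION", "NONE"):
        return set()
    tokens = re.split(r"[\s()]+", expression)
    return {t for t in tokens if t and t not in ("AND", "OR", "WITH")}

def from_spdx(doc):
    """SPDX 2.x JSON: package name -> (declared ids, concluded ids)."""
    return {p["name"]: (license_ids(p.get("licenseDeclared")),
                        license_ids(p.get("licenseConcluded")))
            for p in doc.get("packages", [])}

def from_cyclonedx(doc):
    """CycloneDX 1.6 JSON: component name -> (declared ids, concluded ids)."""
    result = {}
    for comp in doc.get("components", []):
        declared, concluded = set(), set()
        for entry in comp.get("licenses", []):
            lic = entry.get("license", entry)  # expression entries have no "license" wrapper
            if "expression" in lic:
                ids = license_ids(lic["expression"])
            else:
                ids = {lic.get("id") or lic.get("name")}
            # Assumption: entries without an acknowledgement count as declared.
            (concluded if lic.get("acknowledgement") == "concluded" else declared).update(ids)
        result[comp["name"]] = (declared, concluded)
    return result

def audit(packages):
    """Return (packages lacking a conclusion, declared licenses each conclusion leaves out)."""
    unconcluded = sorted(n for n, (_, c) in packages.items() if not c)
    dropped = {n: sorted(d - c) for n, (d, c) in packages.items() if c and d - c}
    return unconcluded, dropped

if __name__ == "__main__":
    print(audit(from_spdx(SPDX_SAMPLE)))
    print(audit(from_cyclonedx(CDX_SAMPLE)))
```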

If you’re a current FOSSA customer who would like more information about the License Concluded feature, please feel free to contact your customer success contact. If you aren’t currently a FOSSA customer, please contact our team to learn more.
