License Scanning
Lacework’s Software Composition Analysis (SCA) tool can detect the licenses found in your software projects based on the third-party packages you are importing. License compliance is a critical facet of software audits that may be required by your organization, either regularly or at specific points in time.
Similar to vulnerability analysis, it is easier to fix license compliance risks earlier in the development process, and Lacework’s SCA tool can be configured to analyze licenses and inform developers when preparing to publish new code via Pull Request comments or locally via the Lacework CLI.
Supported Package Managers
Currently, our SCA license scanning supports the following package managers:
NPM
Maven
PyPI
Go
Creating a License Compliance Policy
Lacework SCA currently relies on a YAML-based configuration. The advantage of the YAML-based configuration is that you can set custom license compliance requirements for a unique subset of projects within your code base. In the future, we plan to have a UI-based policy management system.
By default, Lacework SCA looks in the following directory for the config yaml file:
~/.config/lacework/components/sca/sca.config.yaml
Configure the License Compliance Policy
To configure a license compliance policy, locate and open the sca.config.yaml file found in the ~/.config/lacework/components/sca directory.
Then, paste in the contents from the following config.yaml template and customize the configuration.
config.yaml File Template
environments:
  - name: default
    licenses-not-allowed: []
    license-categories-not-allowed: []
  - name: demo
    licenses-not-allowed: []
    license-categories-not-allowed: [forbidden, restricted]
Custom License Compliance Policy Configuration
To customize the behavior of license scanning, you can modify the example config.yaml file based on the following variables:
licenses-not-allowed
To scan for specific licenses in your software projects, enter the license name(s) using Google's conventions. If you are listing more than one, separate the names with a comma. For example: ["Unlicense", "OpenSSL"]
license-categories-not-allowed
A license category is a group of licenses as determined by Google's license classifier. Available categories include:
forbidden - licenses that cannot be used
restricted - licenses in this category must have source distribution
reciprocal - licenses can be used freely in an unmodified form
notice - licenses that contain few restrictions. They allow third-party software to be shipped
unencumbered - licenses that are "free for use"
Other license compliance categories include:
permissive (uncommon) - license compliance does not require a copyright notice
unknown
custom
For example, if you configure a scan for the reciprocal category, SCA reports findings for every detected license that falls under the reciprocal license category.
To view results for multiple license categories, use a comma separated list of category names. For example, ["forbidden", "restricted"].
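The following is an added example, not Lacework's code, showing how the two policy variables above combine with the environments: template from the config.yaml section. It parses that minimal YAML subset without a YAML library, then evaluates a constructed list of detected licenses against a chosen environment. The SBOM record shape (package, license name, classifier category) and the function names are assumptions made for the example; Lacework's actual output format is described in the results section of this page, not here.

```python
"""Evaluate an environments: license policy against detected licenses.

Added example (not Lacework's code). The policy text mirrors the config.yaml
template on this page; the SBOM records below are constructed.
"""

# Policy text in the same shape as the page's config.yaml template, with the
# demo environment filled in using the example values from the page.
POLICY_YAML = """\
environments:
  - name: default
    licenses-not-allowed: []
    license-categories-not-allowed: []
  - name: demo
    licenses-not-allowed: ["Unlicense", "OpenSSL"]
    license-categories-not-allowed: [forbidden, restricted]
"""


def _parse_list(text):
    """Turn a flow-style YAML list such as ["a", b] into ["a", "b"]."""
    inner = text.strip()[1:-1].strip()
    if not inner:
        return []
    return [item.strip().strip("\"'") for item in inner.split(",")]


def parse_policy(text):
    """Parse the environments: subset of YAML used by the template.

    Returns {environment name: {"licenses-not-allowed": [...],
                                "license-categories-not-allowed": [...]}}.
    Only this flat list-of-environments shape is understood (assumption).
    """
    envs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "environments:":
            continue
        if line.startswith("- name:"):
            current = line.split(":", 1)[1].strip()
            envs[current] = {
                "licenses-not-allowed": [],
                "license-categories-not-allowed": [],
            }
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            envs[current][key] = _parse_list(value)
    return envs


# Constructed findings: (package, license name, Google classifier category).
SBOM = [
    ("left-pad", "MIT", "notice"),
    ("some-gpl-lib", "GPL-3.0", "restricted"),
    ("openssl-wrapper", "OpenSSL", "notice"),
    ("public-thing", "Unlicense", "unencumbered"),
]


def evaluate(policy, env, sbom):
    """Return (package, license, reason) for each record the environment forbids.

    A license is reported if its name is in licenses-not-allowed, or if its
    category is in license-categories-not-allowed.
    """
    rules = policy[env]
    findings = []
    for pkg, lic, category in sbom:
        if lic in rules["licenses-not-allowed"]:
            findings.append((pkg, lic, f"license {lic} is not allowed"))
        elif category in rules["license-categories-not-allowed"]:
            findings.append((pkg, lic, f"category {category} is not allowed"))
    return findings


if __name__ == "__main__":
    policy = parse_policy(POLICY_YAML)
    for env_name in policy:
        print(env_name, evaluate(policy, env_name, SBOM))
```

The default environment has both lists empty, so it reports nothing; the demo environment reports the restricted package by category and the OpenSSL and Unlicense packages by name, which is the behaviour the two variables describe.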
env more-licenses
You can define and use the env more-licenses flag to report findings in forbidden, restricted, and reciprocal license categories and disable secret scanning.
Define the env more-licenses Flag
Before you can use the env more-licenses flag, you must define it in your config.yaml file. The following example config file defines more-licenses so that a scan run with this environment also checks for reciprocal licenses in addition to the forbidden and restricted license categories:
default:
  sca:
    licenses-not-allowed: [ ]
    license-categories-not-allowed: [ forbidden, restricted ]
  secret: true
more-licenses:
  sca:
    license-categories-not-allowed: [ reciprocal ]
  secret: false
Use the env more-licenses Flag
To use the env more-licenses flag, run the following command:
lacework sca scan <DIR> -o sca.json --env more-licenses
Specify an Environment
To further specify the environment that SCA scans, use the --env flag. For example, to scan with an environment called demo, the command would be similar to the following:
lacework sca dir . -o sca.json --pull-deps --env demo
SCA License Scanning Results
SCA license scanning outputs an SBOM in which each license detection carries a confidence value. Therefore, if SCA finds a license you have listed, or a license that falls under a specified category, the SBOM reports the name of the license and our confidence in that specific finding.