License Identification
Licensight always tries to identify the Open Source license of a component automatically. License information embedded in the SBOM is currently not considered. To identify licenses, the following algorithm is used:
- Licensight identifies the repository manager used for the component (e.g. Maven, NPM, NuGet).
- Licensight looks up the metadata of the component provided by that repository.
- If the component metadata contains a license, that license is taken into account.
- If the component metadata contains a link to the corresponding repository on GitHub, Licensight will try to retrieve the license information and license text from GitHub.
- If the license in the metadata and the license on GitHub are the same, this is treated as a match and the license information is stored accordingly.
- If the license information in the repository and on GitHub differs, a policy violation is shown and the user is allowed to correct the license.
- If the license information could not be retrieved, a policy violation is shown and the user is allowed to store the license manually.
- If a license has been set or overridden by a user, Licensight will not overwrite this information and assumes it is correct.
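The resolution order above, written out as a small decision function. This is an added illustration, not Licensight's own code: the inputs (registry license, GitHub license, user-set license) are assumed to arrive as plain strings or `None`, "the same" is taken to mean an exact string match, and the case where only one of the two sources returns a license, which the list above does not spell out, is treated conservatively as "could not be retrieved".

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    USER_SET = "user-set license kept"
    MATCH = "registry and GitHub agree"
    MISMATCH = "policy violation: registry and GitHub differ"
    UNKNOWN = "policy violation: license could not be retrieved"


@dataclass
class Resolution:
    outcome: Outcome
    license: Optional[str]   # license stored for the component, if any
    user_may_correct: bool   # whether the user should be offered a manual fix


def resolve_license(registry_license: Optional[str],
                    github_license: Optional[str],
                    user_license: Optional[str] = None) -> Resolution:
    """Apply the resolution steps in order; all inputs are assumed values."""
    # A license set or overridden by a user is never re-evaluated.
    if user_license:
        return Resolution(Outcome.USER_SET, user_license, user_may_correct=False)
    # Both sources answered: compare them (exact match is an assumption here).
    if registry_license and github_license:
        if registry_license == github_license:
            return Resolution(Outcome.MATCH, registry_license, user_may_correct=False)
        return Resolution(Outcome.MISMATCH, None, user_may_correct=True)
    # One or both sources missing: nothing confirmed, so flag it and let the
    # user store the license manually.
    return Resolution(Outcome.UNKNOWN, None, user_may_correct=True)


# Constructed sample components (values are illustrative, not real lookups).
SAMPLE = {
    "lib-a": ("Apache-2.0", "Apache-2.0", None),
    "lib-b": ("MIT", "GPL-3.0", None),
    "lib-c": (None, None, None),
    "lib-d": ("MIT", "GPL-3.0", "BSD-3-Clause"),
}


def resolve_all(samples=SAMPLE) -> dict:
    """Resolve every sample component; returns name -> Resolution."""
    return {name: resolve_license(*args) for name, args in samples.items()}
```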