> For the complete documentation index, see [llms.txt](https://docs.arnica.io/arnica-documentation/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.arnica.io/arnica-documentation/code-risks/3rd-party-package-licenses.md). # 3rd Party Package Licenses Arnica identifies license risks in your open source dependencies and surfaces violations based on each license's classification. By default, Arnica follows [Google's open source license classification framework](https://opensource.google/documentation/reference/thirdparty/licenses#types), with the option to customize classifications to fit your organization's compliance policy. ## Supported languages
LanguageFiles
.Netpackages.lock.json, packages.config, .deps.json
C, C++conan.lock
Elixirmix.lock
Gogo.mod
Javapom.xml, gradle.lockfile, build.gradle, build.gradle.kts, libs.versions.toml
JavaScript (including JSX, TSX, TypeScript)package-lock.json, yarn.lock, pnpm-lock.yaml, npm-shrinkwrap.json
PHPcomposer.lock
PythonPipfile.lock, poetry.lock, requirements.txt
RubyGemfile.lock
RustCargo.lock
Scalabuild.sbt
SwiftPodfile.lock
## License classifications Arnica organizes licenses into the following classification levels, each with a default risk severity: | Classification | Default Risk Severity | | -------------- | --------------------- | | Forbidden | High | | Restricted | High | | Reciprocal | Medium | | Exception | Medium | | Notice | None | | Permissive | None | | Unencumbered | None | | Unknown | None | ### Licenses by classification By default, licenses are classified by Arnica as follows:
ClassificationLicense
ForbiddenBUSL-1.1, CAL-1.0, CAL-1.0-Combined-Work-Exception, CC-BY-NC-1.0, CC-BY-NC-2.0, CC-BY-NC-2.5, CC-BY-NC-3.0, CC-BY-NC-3.0-DE, CC-BY-NC-4.0, CC-BY-NC-ND-1.0, CC-BY-NC-ND-2.0, CC-BY-NC-ND-2.5, CC-BY-NC-ND-3.0, CC-BY-NC-ND-3.0-DE, CC-BY-NC-ND-3.0-IGO, CC-BY-NC-ND-4.0, CC-BY-NC-SA-1.0, CC-BY-NC-SA-2.0, CC-BY-NC-SA-2.0-DE, CC-BY-NC-SA-2.0-FR, CC-BY-NC-SA-2.0-UK, CC-BY-NC-SA-2.5, CC-BY-NC-SA-3.0, CC-BY-NC-SA-3.0-DE, CC-BY-NC-SA-3.0-IGO, CC-BY-NC-SA-4.0, Commons Clause, Commons-Clause, CPAL-1.0, CPOL-1.02, EUPL-1.0, EUPL-1.1, EUPL-1.2, Facebook-2-Clause, Facebook-3-Clause, Facebook-Examples, SISSL, SISSL-1.2, Watcom-1.0
RestrictedAAL, Abstyles, AdaCore-doc, Adobe-2006, Adobe-Glyph, ADSL, Afmparse, Aladdin, AMDPLPA, AML, ANTLR-PD, ANTLR-PD-fallback, APAFML, APL-1.0, App-s2p, Arphic-1999, Baekmuk, Bahyph, Barr, BCL, Bitstream-Charter, Bitstream-Vera, BitTorrent-1.0, BitTorrent-1.1, blessing, BlueOak-1.0.0, Borceux, Brian-Gladman-3-Clause, BSD-4.3RENO, BSD-4.3TAHOE, BSD-Advertising-Acknowledgement, BSD-Attribution-HPND-disclaimer, BSD-Source-Code, bzip2-1.0.5, bzip2-1.0.6, Caldera, CATOSL-1.1, CC-BY-SA-1.0, CC-BY-SA-2.0, CC-BY-SA-2.0-UK, CC-BY-SA-2.1-JP, CC-BY-SA-2.5, CC-BY-SA-3.0, CC-BY-SA-3.0-AT, CC-BY-SA-3.0-DE, CC-BY-SA-4.0, CC-PDDC, CDL-1.0, CDLA-Permissive-1.0, CDLA-Permissive-2.0, CDLA-Sharing-1.0, CECILL-1.0, CECILL-1.1, CECILL-2.0, CECILL-2.1, CECILL-B, CERN-OHL-P-2.0, CERN-OHL-S-2.0, CERN-OHL-W-2.0, CFITSIO, checkmk, ClArtistic, Clips, CMU-Mach, CNRI-Jython, CNRI-Python, CNRI-Python-GPL-Compatible, COIL-1.0, Community-Spec-1.0, Condor-1.1, copyleft-next-0.3.0, copyleft-next-0.3.1, Cornell-Lossless-JPEG, Crossword, CrystalStacker, Cube, C-UDA-1.0, curl, D-FSL-1.0, diffmark, DL-DE-BY-2.0, DOC, Dotseqn, DRL-1.0, DSDP, dvipdfm, eCos-2.0, eGenix, Elastic-2.0, EPICS, ErlPL-1.1, etalab-2.0, Eurosym, FDK-AAC, FreeBSD-DOC, FSFAP, FSFUL, FSFULLR, FSFULLRWD, GD, GFDL-1.1, GFDL-1.1-invariants-only, GFDL-1.1-invariants-or-later, GFDL-1.1-no-invariants-only, GFDL-1.1-no-invariants-or-later, GFDL-1.1-only, GFDL-1.1-or-later, GFDL-1.2, GFDL-1.2-invariants-only, GFDL-1.2-invariants-or-later, GFDL-1.2-no-invariants-only, GFDL-1.2-no-invariants-or-later, GFDL-1.2-only, GFDL-1.2-or-later, GFDL-1.3, GFDL-1.3-invariants-only, GFDL-1.3-invariants-or-later, GFDL-1.3-no-invariants-only, GFDL-1.3-no-invariants-or-later, GFDL-1.3-only, GFDL-1.3-or-later, Giftware, GL2PS, Glide, Glulxe, GLWTPL, gnuplot, GPL-1.0, GPL-1.0+, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0, GPL-2.0+, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0-with-autoconf-exception, GPL-2.0-with-bison-exception, GPL-2.0-with-classpath-exception, GPL-2.0-with-font-exception, GPL-2.0-with-GCC-exception, GPL-3.0, GPL-3.0+, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0-with-autoconf-exception, GPL-3.0-with-GCC-exception, Graphics-Gems, gSOAP-1.3b, HaskellReport, Hippocratic-2.1, HP-1986, HPND-export-US, HPND-Markus-Kuhn, HPND-sell-variant, HPND-sell-variant-MIT-disclaimer, HTMLTIDY, IBM-pibs, ICU, IEC-Code-Components-EULA, IJG, IJG-short, iMatix, Imlib2, Info-ZIP, Intel-ACPI, Interbase-1.0, JasPer-2.0, JPL-image, JPNIC, JSON, Kazlib, Knuth-CTAN, LAL-1.2, LAL-1.3, Leptonica, LGPL-2.0, LGPL-2.0+, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1, LGPL-2.1+, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0, LGPL-3.0+, LGPL-3.0-only, LGPL-3.0-or-later, LGPLLR, libpng-2.0, libselinux-1.0, libtiff, libutil-David-Nugent, Linux-man-pages-copyleft, LOOP, LPPL-1.0, LPPL-1.1, LPPL-1.2, LPPL-1.3a, LPPL-1.3c, LZMA-SDK-9.11-to-9.20, LZMA-SDK-9.22, MakeIndex, Martin-Birgmeier, Minpack, mpich2, mpi-permissive, mplus, MS-LPL, MTLL, MulanPSL-1.0, Mup, NAIST-2003, NBPL-1.0, NCGL-UK-2.0, NetCDF, Net-SNMP, Newsletr, NGPL, NICTA-1.0, NIST-PD, NIST-PD-fallback, NLOD-1.0, NLOD-2.0, NLPL, NOSL, Noweb, NPL-1.0, NPL-1.1, NRL, NTP, NTP-0, Nunit, OCCT-PL, ODbL-1.0, ODC-By-1.0, OFFIS, OFL-1.0, OFL-1.0-no-RFN, OFL-1.0-RFN, OFL-1.1-no-RFN, OFL-1.1-RFN, OGC-1.0, OGDL-Taiwan-1.0, OGL-Canada-2.0, OGL-UK-1.0, OGL-UK-2.0, OGL-UK-3.0, OLDAP-1.1, OLDAP-1.2, OLDAP-1.3, OLDAP-1.4, OLDAP-2.0, OLDAP-2.0.1, OLDAP-2.1, OLDAP-2.2, OLDAP-2.2.1, OLDAP-2.2.2, OLDAP-2.3, OLDAP-2.4, OLDAP-2.5, OLDAP-2.6, OLDAP-2.7, OML, OpenPBS-2.3, OPL-1.0, OPUBL-1.0, OSL-1.0, OSL-1.1, OSL-2.0, OSL-2.1, OSL-3.0, O-UDA-1.0, Parity-6.0.0, Parity-7.0.0, PDDL-1.0, Plexus, PolyForm-Noncommercial-1.0.0, PolyForm-Small-Business-1.0.0, psfrag, psutils, Python License, Qhull, QPL-1.0, QPL-1.0-INRIA-2004, Rdisc, RHeCos-1.1, RSA-MD, Saxpath, SAX-PD, SCEA, SchemeReport, Sendmail, Sendmail-8.23, SHL-0.5, SHL-0.51, Sleepycat, SMLNJ, SMPPL, SNIA, snprintf, Spencer-86, Spencer-94, Spencer-99, SSH-OpenSSH, SSH-short, SSPL-1.0, StandardML-NJ, SugarCRM-1.1.3, SunPro, SWL, Symlinks, TAPR-OHL-1.0, TCL, TCP-wrappers, TMate, TORQUE-1.1, TOSL, TPDL, TPL-1.0, TTWL, TU-Berlin-1.0, TU-Berlin-2.0, UCAR, Vim, VOSTROM, w3m, Wsuipa, wxWindows, Xerox, XFree86-1.1, xinetd, xlock, xpp, XSkat, YPL-1.0, YPL-1.1, Zed, Zimbra-1.3, Zimbra-1.4
ReciprocalAPSL-1.0, APSL-1.1, APSL-1.2, APSL-2.0, CDDL-1.0, CDDL-1.1, CECILL-C, CERN-OHL-1.2, CPL-1.0, CUA-OPL-1.0, EPL-1.0, EPL-2.0, FreeImage, IPL-1.0, MPL-1.0, MPL-1.1, MPL-2.0, MPL-2.0-no-copyleft-exception, MS-RL, Ruby
ExceptionCC-BY-ND-1.0, CC-BY-ND-2.0, CC-BY-ND-2.5, CC-BY-ND-3.0, CC-BY-ND-3.0-DE, CC-BY-ND-4.0, CERN-OHL-1.1, Latex2e, OFL-1.1
NoticeAFL-1.1, AFL-1.2, AFL-2.0, AFL-2.1, AFL-3.0, AMPAS, Apache-1.0, Apache-1.1, Apache-2.0, Artistic-1.0, Artistic-1.0-cl8, Artistic-1.0-Perl, Artistic-2.0, ASL-1.0, Beerware, BSD, BSD-1-Clause, BSD-2-Clause, BSD-2-Clause-FreeBSD, BSD-2-Clause-NetBSD, BSD-2-Clause-Patent, BSD-2-Clause-Views, BSD-3-Clause, BSD-3-Clause-Attribution, BSD-3-Clause-Clear, BSD-3-Clause-LBNL, BSD-3-Clause-Modification, BSD-3-Clause-No-Military-License, BSD-3-Clause-No-Nuclear-License, BSD-3-Clause-No-Nuclear-License-2014, BSD-3-Clause-No-Nuclear-Warranty, BSD-3-Clause-Open-MPI, BSD-4-Clause, BSD-4-Clause-Shortened, BSD-4-Clause-UC, BSD-Protection, BSL-1.0, CC-BY-1.0, CC-BY-2.0, CC-BY-2.5, CC-BY-2.5-AU, CC-BY-3.0, CC-BY-3.0-AT, CC-BY-3.0-DE, CC-BY-3.0-IGO, CC-BY-3.0-NL, CC-BY-3.0-US, CC-BY-4.0, ECL-2.0, EDL-1.0, EFL-1.0, EFL-2.0, FTL, HPND, ImageMagick, ISC, ISC License, Libpng, LIL, Lil-1.0, Linux-OpenIB, LPL-1.0, LPL-1.02, MIT, MIT-0, MIT-advertising, MIT-CMU, MIT-enna, MIT-feh, MIT-Modern-Variant, MITNFA, MIT-open-group, MIT-Wu, MS-PL, NCSA, OLDAP-2.8, OpenSSL, PHP-3.0, PHP-3.01, PIL, PostgreSQL, PSF-2.0, Python-2.0, Python-2.0.1, Python-2.0-complete, SGI-B-1.0, SGI-B-1.1, SGI-B-2.0, Unicode-DFS-2015, Unicode-DFS-2016, Unicode-TOU, UPL-1.0, W3C, W3C-19980720, W3C-20150513, WTFPL, X11, X11-distribute-modifications-variant, Xnet, Zend-2.0, Zlib, zlib-acknowledgement, ZPL-1.1, ZPL-2.0, ZPL-2.1
UnencumberedOBSD, CC0-1.0, Public Domain, Unlicense
UnknownAG-Grid, amazon-software-lic-for-amazon-dynamodb-lock-client, amCharts-Free, AppOptics-Java-Agent, Aspose-EULA, ASPSecurityKit-Khosla-Tech, bpmn.io, Chilkat-Software, Conviva, DBAD, Dom4J, ECL-1.0, Entessa, EUDatagrid, Facebook-Platform, Fair, Frameworx-1.0, Froala-Editor, FsUnit, Go, H2-Database-1.0, Highsoft, HSQLDB, Image-Components-SDK, Indiana-University-Extreme-Lab-1.2, Intel, IPA, Jam, JTA, LiLiQ-P-1.1, LiLiQ-R-1.1, LiLiQ-Rplus-1.1, LLVM-exception, Microsoft-.NET-Library, Microsoft-.NET-Library-AspNetComponent-EULA, Microsoft-ASP.NET-Model-View-Controller-4-EULA, Microsoft-AspNet-MVC3-Update-EULA, Microsoft-EULA, Microsoft-Lightswitch-Client-Javascript-Runtime, Microsoft-Visual-Studio-Sharepoint-Emulators, Microsoft-Web-WebView2, MirOS, Motosoto, MulanPSL-2.0, Multics, NASA-1.3, Naumen, Neodynamic, Nokia, No-License, NorthwoodsSoftware-EULA, NPOSL-3.0, OCLC-2.0, OGTSL, Oracle-Technology-Network, OSET-PL-2.1, PayPal-SDK, Protobuf, Resizer-Freedom, RPL-1.1, RPL-1.5, RPSL-1.0, RSCPL, SimPL-2.0, SpecFlow-EULA, SPL-1.0, UCL-1.0, UnboundID-LDAP-SDK-Free, Unspecified-Commercial, VSL-1.0
## Customizing license policies License classification risk levels can be adjusted, and individual licenses can be explicitly overridden as forbidden or approved. {% hint style="warning" %} Changes take effect the next time a full source code scan runs (daily on paid plans) or on the next event triggered by the [code risk policy](/arnica-documentation/code-risks/code-risk-policy-settings.md), such as a code push or pull request. {% endhint %} ### Modify risk severity 1. Navigate to the [policies page](https://app.arnica.io/#/admin/policy-v2) and expand **Code Risks** then **Licenses**. 2. Change the risk severity of any classification level by clicking the preferred severity chip. 3. Click **Save** at the bottom of the policy section.

License classification and overrides policy

### Override forbidden and approved licenses Individual licenses can be explicitly marked as forbidden or approved, regardless of their classification level. 1. Navigate to the [policies page](https://app.arnica.io/#/admin/policy-v2) and expand **Code Risks** then **Licenses**. 2. Click the **+** next to **Forbidden** or **Approved** in the Overrides panel. 3. Search for and select the license.

License override search

4. The selected licenses appear in the overrides section. Validate and click **Save** at the bottom of the policy section.

Overridden licenses

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.arnica.io/arnica-documentation/code-risks/3rd-party-package-licenses.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.