Arnica Documentation
  • Introduction
  • Getting Started
    • 🔑Sign Up
    • ▶️SCM Integrations
      • Azure DevOps
      • Bitbucket Cloud
      • Bitbucket Server & Datacenter
      • Github
        • GitHub Audit Logs
        • Github App Permissions
      • Gitlab
    • 📤ChatOps
      • Microsoft Teams
      • Slack
        • Adding Arnica to a New Channel
        • Interacting With the Arnica Slackbot
    • 🎫Ticket Management
      • 🐛Jira Integration
      • 📋ADO Boards Integration
    • 🧠Artificial Intelligence
      • Azure OpenAI
      • OpenAI ChatGPT
    • 🏨On Premise Integrations
  • Inventory
    • 💼Identities, Repositories & Organizations
    • 📇Software Bill of Materials (SBOM)
    • 🦄Prioritization & Product Ownership
  • Hardcoded Secrets
    • 🕵️Secret Detection
    • ⏪Realtime Secret Mitigation
    • 🥕Secrets Policy Settings
  • Code Risks
    • 🎼Static Application Security Testing (SAST)
      • Custom SAST Rules
    • 🧩Software Composition Analysis (SCA)
    • 🔡3rd Party Package Licenses
      • Override License Classifications
    • 🤹3rd Party Package Reputation
      • Identifying Low Rep Packages
      • How to Find Alternative Packages
    • ⛅Infrastructure as Code Security (IaC)
    • 🤖Code Risk Policy Settings
      • Developer Feedback On Push
      • Require Review Before Dismissal
      • 0 New High Severity Vulnerabilities
      • Enforce Remediation SLA
    • 🪄Code Risk Magic Links
    • 📦Code Risk Language and Framework Support
  • Platform Operations
    • 🚪Joining an Existing Org
    • ❌Deleting a Tenant
    • 🫂How do I invite members to my tenant?
      • New User Invitations
    • 👥Users & Roles
    • 🔇Deleting Integrations
    • ⌛Scheduled Jobs
      • How often do Jobs run?
    • 💸Billing
  • Security
    • 🎮Role Based Access Control (RBAC)
    • 🛡️Data Handling
    • 🏛️SSO Integration
      • Okta Integration
      • Entra ID Integration
Powered by GitBook
On this page
  • Summary
  • Supported languages
  • Supported licenses
  • Classification levels
  • Licenses by classification levels

Was this helpful?

  1. Code Risks

3rd Party Package Licenses

PreviousSoftware Composition Analysis (SCA)NextOverride License Classifications

Last updated 1 year ago

Was this helpful?

Summary

Arnica can identify license risks and violations in 3rd party open source packages. By default, Arnica classifies the licenses according to , but also allows to to fit each customer's needs.

Supported languages

Language
Files

.Net

packages.lock.json, packages.config, .deps.json

C, C++

conan.lock

L

mix.lock

Go

go.mod

Java

pom.xml, gradle.lockfile, build.gradle, build.gradle.kts, libs.versions.toml

JavaScript (including JSX, TSX, TypeScript)

package-lock.json, yarn.lock, pnpm-lock.yaml, npm-shrinkwrap.json

PHP

composer.lock

Python

Pipfile.lock, poetry.lock, requirements.txt

Ruby

Gemfile.lock

Rust

Cargo.lock

Scala

Coming soon: build.sbt

Swift

Podfile.lock

Supported licenses

Classification levels

Arnica supports the following classification levels and defines default risk severity for each classification:

Classification
Default Risk Severity

Forbidden

High

Restricted

High

Reciprocal

Medium

Exception

Medium

Notice

None

Unencumbered

None

Unknown

None

Licenses by classification levels

By default, licenses are classified by Arnica as follows:

Classification
License

Forbidden

BUSL-1.1, CAL-1.0, CAL-1.0-Combined-Work-Exception, CC-BY-NC-1.0, CC-BY-NC-2.0, CC-BY-NC-2.5, CC-BY-NC-3.0, CC-BY-NC-3.0-DE, CC-BY-NC-4.0, CC-BY-NC-ND-1.0, CC-BY-NC-ND-2.0, CC-BY-NC-ND-2.5, CC-BY-NC-ND-3.0, CC-BY-NC-ND-3.0-DE, CC-BY-NC-ND-3.0-IGO, CC-BY-NC-ND-4.0, CC-BY-NC-SA-1.0, CC-BY-NC-SA-2.0, CC-BY-NC-SA-2.0-DE, CC-BY-NC-SA-2.0-FR, CC-BY-NC-SA-2.0-UK, CC-BY-NC-SA-2.5, CC-BY-NC-SA-3.0, CC-BY-NC-SA-3.0-DE, CC-BY-NC-SA-3.0-IGO, CC-BY-NC-SA-4.0, Commons Clause, Commons-Clause, CPAL-1.0, CPOL-1.02, EUPL-1.0, EUPL-1.1, EUPL-1.2, Facebook-2-Clause, Facebook-3-Clause, Facebook-Examples, SISSL, SISSL-1.2, Watcom-1.0

Restricted

AAL, Abstyles, AdaCore-doc, Adobe-2006, Adobe-Glyph, ADSL, Afmparse, Aladdin, AMDPLPA, AML, ANTLR-PD, ANTLR-PD-fallback, APAFML, APL-1.0, App-s2p, Arphic-1999, Baekmuk, Bahyph, Barr, BCL, Bitstream-Charter, Bitstream-Vera, BitTorrent-1.0, BitTorrent-1.1, blessing, BlueOak-1.0.0, Borceux, Brian-Gladman-3-Clause, BSD-4.3RENO, BSD-4.3TAHOE, BSD-Advertising-Acknowledgement, BSD-Attribution-HPND-disclaimer, BSD-Source-Code, bzip2-1.0.5, bzip2-1.0.6, Caldera, CATOSL-1.1, CC-BY-SA-1.0, CC-BY-SA-2.0, CC-BY-SA-2.0-UK, CC-BY-SA-2.1-JP, CC-BY-SA-2.5, CC-BY-SA-3.0, CC-BY-SA-3.0-AT, CC-BY-SA-3.0-DE, CC-BY-SA-4.0, CC-PDDC, CDL-1.0, CDLA-Permissive-1.0, CDLA-Permissive-2.0, CDLA-Sharing-1.0, CECILL-1.0, CECILL-1.1, CECILL-2.0, CECILL-2.1, CECILL-B, CERN-OHL-P-2.0, CERN-OHL-S-2.0, CERN-OHL-W-2.0, CFITSIO, checkmk, ClArtistic, Clips, CMU-Mach, CNRI-Jython, CNRI-Python, CNRI-Python-GPL-Compatible, COIL-1.0, Community-Spec-1.0, Condor-1.1, copyleft-next-0.3.0, copyleft-next-0.3.1, Cornell-Lossless-JPEG, Crossword, CrystalStacker, Cube, C-UDA-1.0, curl, D-FSL-1.0, diffmark, DL-DE-BY-2.0, DOC, Dotseqn, DRL-1.0, DSDP, dvipdfm, eCos-2.0, eGenix, Elastic-2.0, EPICS, ErlPL-1.1, etalab-2.0, Eurosym, FDK-AAC, FreeBSD-DOC, FSFAP, FSFUL, FSFULLR, FSFULLRWD, GD, GFDL-1.1, GFDL-1.1-invariants-only, GFDL-1.1-invariants-or-later, GFDL-1.1-no-invariants-only, GFDL-1.1-no-invariants-or-later, GFDL-1.1-only, GFDL-1.1-or-later, GFDL-1.2, GFDL-1.2-invariants-only, GFDL-1.2-invariants-or-later, GFDL-1.2-no-invariants-only, GFDL-1.2-no-invariants-or-later, GFDL-1.2-only, GFDL-1.2-or-later, GFDL-1.3, GFDL-1.3-invariants-only, GFDL-1.3-invariants-or-later, GFDL-1.3-no-invariants-only, GFDL-1.3-no-invariants-or-later, GFDL-1.3-only, GFDL-1.3-or-later, Giftware, GL2PS, Glide, Glulxe, GLWTPL, gnuplot, GPL-1.0, GPL-1.0+, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0, GPL-2.0+, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0-with-autoconf-exception, GPL-2.0-with-bison-exception, GPL-2.0-with-classpath-exception, GPL-2.0-with-font-exception, GPL-2.0-with-GCC-exception, GPL-3.0, GPL-3.0+, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0-with-autoconf-exception, GPL-3.0-with-GCC-exception, Graphics-Gems, gSOAP-1.3b, HaskellReport, Hippocratic-2.1, HP-1986, HPND-export-US, HPND-Markus-Kuhn, HPND-sell-variant, HPND-sell-variant-MIT-disclaimer, HTMLTIDY, IBM-pibs, ICU, IEC-Code-Components-EULA, IJG, IJG-short, iMatix, Imlib2, Info-ZIP, Intel-ACPI, Interbase-1.0, JasPer-2.0, JPL-image, JPNIC, JSON, Kazlib, Knuth-CTAN, LAL-1.2, LAL-1.3, Leptonica, LGPL-2.0, LGPL-2.0+, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1, LGPL-2.1+, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0, LGPL-3.0+, LGPL-3.0-only, LGPL-3.0-or-later, LGPLLR, libpng-2.0, libselinux-1.0, libtiff, libutil-David-Nugent, Linux-man-pages-copyleft, LOOP, LPPL-1.0, LPPL-1.1, LPPL-1.2, LPPL-1.3a, LPPL-1.3c, LZMA-SDK-9.11-to-9.20, LZMA-SDK-9.22, MakeIndex, Martin-Birgmeier, Minpack, mpich2, mpi-permissive, mplus, MS-LPL, MTLL, MulanPSL-1.0, Mup, NAIST-2003, NBPL-1.0, NCGL-UK-2.0, NetCDF, Net-SNMP, Newsletr, NGPL, NICTA-1.0, NIST-PD, NIST-PD-fallback, NLOD-1.0, NLOD-2.0, NLPL, NOSL, Noweb, NPL-1.0, NPL-1.1, NRL, NTP, NTP-0, Nunit, OCCT-PL, ODbL-1.0, ODC-By-1.0, OFFIS, OFL-1.0, OFL-1.0-no-RFN, OFL-1.0-RFN, OFL-1.1-no-RFN, OFL-1.1-RFN, OGC-1.0, OGDL-Taiwan-1.0, OGL-Canada-2.0, OGL-UK-1.0, OGL-UK-2.0, OGL-UK-3.0, OLDAP-1.1, OLDAP-1.2, OLDAP-1.3, OLDAP-1.4, OLDAP-2.0, OLDAP-2.0.1, OLDAP-2.1, OLDAP-2.2, OLDAP-2.2.1, OLDAP-2.2.2, OLDAP-2.3, OLDAP-2.4, OLDAP-2.5, OLDAP-2.6, OLDAP-2.7, OML, OpenPBS-2.3, OPL-1.0, OPUBL-1.0, OSL-1.0, OSL-1.1, OSL-2.0, OSL-2.1, OSL-3.0, O-UDA-1.0, Parity-6.0.0, Parity-7.0.0, PDDL-1.0, Plexus, PolyForm-Noncommercial-1.0.0, PolyForm-Small-Business-1.0.0, psfrag, psutils, Python License, Qhull, QPL-1.0, QPL-1.0-INRIA-2004, Rdisc, RHeCos-1.1, RSA-MD, Saxpath, SAX-PD, SCEA, SchemeReport, Sendmail, Sendmail-8.23, SHL-0.5, SHL-0.51, Sleepycat, SMLNJ, SMPPL, SNIA, snprintf, Spencer-86, Spencer-94, Spencer-99, SSH-OpenSSH, SSH-short, SSPL-1.0, StandardML-NJ, SugarCRM-1.1.3, SunPro, SWL, Symlinks, TAPR-OHL-1.0, TCL, TCP-wrappers, TMate, TORQUE-1.1, TOSL, TPDL, TPL-1.0, TTWL, TU-Berlin-1.0, TU-Berlin-2.0, UCAR, Vim, VOSTROM, w3m, Wsuipa, wxWindows, Xerox, XFree86-1.1, xinetd, xlock, xpp, XSkat, YPL-1.0, YPL-1.1, Zed, Zimbra-1.3, Zimbra-1.4

Reciprocal

APSL-1.0, APSL-1.1, APSL-1.2, APSL-2.0, CDDL-1.0, CDDL-1.1, CECILL-C, CERN-OHL-1.2, CPL-1.0, CUA-OPL-1.0, EPL-1.0, EPL-2.0, FreeImage, IPL-1.0, MPL-1.0, MPL-1.1, MPL-2.0, MPL-2.0-no-copyleft-exception, MS-RL, Ruby

Exception

CC-BY-ND-1.0, CC-BY-ND-2.0, CC-BY-ND-2.5, CC-BY-ND-3.0, CC-BY-ND-3.0-DE, CC-BY-ND-4.0, CERN-OHL-1.1, Latex2e, OFL-1.1

Notice

AFL-1.1, AFL-1.2, AFL-2.0, AFL-2.1, AFL-3.0, AMPAS, Apache-1.0, Apache-1.1, Apache-2.0, Artistic-1.0, Artistic-1.0-cl8, Artistic-1.0-Perl, Artistic-2.0, ASL-1.0, Beerware, BSD, BSD-1-Clause, BSD-2-Clause, BSD-2-Clause-FreeBSD, BSD-2-Clause-NetBSD, BSD-2-Clause-Patent, BSD-2-Clause-Views, BSD-3-Clause, BSD-3-Clause-Attribution, BSD-3-Clause-Clear, BSD-3-Clause-LBNL, BSD-3-Clause-Modification, BSD-3-Clause-No-Military-License, BSD-3-Clause-No-Nuclear-License, BSD-3-Clause-No-Nuclear-License-2014, BSD-3-Clause-No-Nuclear-Warranty, BSD-3-Clause-Open-MPI, BSD-4-Clause, BSD-4-Clause-Shortened, BSD-4-Clause-UC, BSD-Protection, BSL-1.0, CC-BY-1.0, CC-BY-2.0, CC-BY-2.5, CC-BY-2.5-AU, CC-BY-3.0, CC-BY-3.0-AT, CC-BY-3.0-DE, CC-BY-3.0-IGO, CC-BY-3.0-NL, CC-BY-3.0-US, CC-BY-4.0, ECL-2.0, EDL-1.0, EFL-1.0, EFL-2.0, FTL, HPND, ImageMagick, ISC, ISC License, Libpng, LIL, Lil-1.0, Linux-OpenIB, LPL-1.0, LPL-1.02, MIT, MIT-0, MIT-advertising, MIT-CMU, MIT-enna, MIT-feh, MIT-Modern-Variant, MITNFA, MIT-open-group, MIT-Wu, MS-PL, NCSA, OLDAP-2.8, OpenSSL, PHP-3.0, PHP-3.01, PIL, PostgreSQL, PSF-2.0, Python-2.0, Python-2.0.1, Python-2.0-complete, SGI-B-1.0, SGI-B-1.1, SGI-B-2.0, Unicode-DFS-2015, Unicode-DFS-2016, Unicode-TOU, UPL-1.0, W3C, W3C-19980720, W3C-20150513, WTFPL, X11, X11-distribute-modifications-variant, Xnet, Zend-2.0, Zlib, zlib-acknowledgement, ZPL-1.1, ZPL-2.0, ZPL-2.1

Unencumbered

OBSD, CC0-1.0, Public Domain, Unlicense

Unknown

AG-Grid, amazon-software-lic-for-amazon-dynamodb-lock-client, amCharts-Free, AppOptics-Java-Agent, Aspose-EULA, ASPSecurityKit-Khosla-Tech, bpmn.io, Chilkat-Software, Conviva, DBAD, Dom4J, ECL-1.0, Entessa, EUDatagrid, Facebook-Platform, Fair, Frameworx-1.0, Froala-Editor, FsUnit, Go, H2-Database-1.0, Highsoft, HSQLDB, Image-Components-SDK, Indiana-University-Extreme-Lab-1.2, Intel, IPA, Jam, JTA, LiLiQ-P-1.1, LiLiQ-R-1.1, LiLiQ-Rplus-1.1, LLVM-exception, Microsoft-.NET-Library, Microsoft-.NET-Library-AspNetComponent-EULA, Microsoft-ASP.NET-Model-View-Controller-4-EULA, Microsoft-AspNet-MVC3-Update-EULA, Microsoft-EULA, Microsoft-Lightswitch-Client-Javascript-Runtime, Microsoft-Visual-Studio-Sharepoint-Emulators, Microsoft-Web-WebView2, MirOS, Motosoto, MulanPSL-2.0, Multics, NASA-1.3, Naumen, Neodynamic, Nokia, No-License, NorthwoodsSoftware-EULA, NPOSL-3.0, OCLC-2.0, OGTSL, Oracle-Technology-Network, OSET-PL-2.1, PayPal-SDK, Protobuf, Resizer-Freedom, RPL-1.1, RPL-1.5, RPSL-1.0, RSCPL, SimPL-2.0, SpecFlow-EULA, SPL-1.0, UCL-1.0, UnboundID-LDAP-SDK-Free, Unspecified-Commercial, VSL-1.0

🔡
Google's open source documentation
override the licenses