License management is an early use case for SBOM, helping organizations with large and complex software portfolios track the licenses and terms of their diverse software components, especially for open-source software. SBOM can convey data about the licenses for each component. This data can also allow the consumer to know if the software can be used as a component of another application without creating legal risk.
License information for the components included in software can be checked to prevent negligence in compliance, reducing both the risk of license violations and the workload required for license management. Following these practices streamlines license management processes and helps mitigate the risks associated with non-compliance.
a) The consumer should be able to view the licenses of all individual components within a Product being evaluated, alongside the Product's own license. This gives the user better insight when selecting a product and determining the license arrangement suitable for their business requirements or application.
b) Identify each software license using an identifier (e.g. an SPDX identifier). These identifiers, along with license expressions, serve as unique codes that represent specific license terms and conditions. By leveraging these identifiers, organizations can efficiently manage and understand the licensing obligations associated with their software assets.
c) An alternative license database, such as the Scancode LicenseDB (AboutCode), should be consulted if a license identifier cannot be found in the primary one. Identifiers taken from an alternative database should be prefixed (e.g. "LicenseRef-scancode-") to indicate their origin, which facilitates mapping and understanding.
d) When encountering licenses that are not recognized by established lists like SPDX, organizations should assign a unique identifier. This ensures proper identification and tracking of unknown licenses within their systems.
e) When a license text is customized through its placeholders or templates, these changes should not alter the fundamental terms of the license. The result should be treated as the original license, identified by its unique identifier, such as those provided by SPDX License Expressions. This helps maintain clarity and consistency in license management practices.
f) When dealing with multiple licenses for software, it is important to use operators (e.g. SPDX operators) to combine them correctly. These operators help link different license identifiers together, ensuring clarity and consistency in license expressions. This ensures that the resulting license expressions accurately represent the licensing terms applicable to the software.
g) When managing licenses, any exception clause attached to a license text should be linked to the main license identifier using the appropriate operator, such as "WITH" in SPDX expressions. Additionally, the exception clause names should be described with identifiers following the established requirements for license identification.
h) When making slight changes to a license text, if the modifications do not significantly alter the meaning of the original license, it is recommended to use the same identifier as the original license.
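The practices in b) through g) together describe how a consumer processes the license data carried in an SBOM: identify each license by an SPDX identifier, prefix identifiers drawn from an alternative database or assigned by the organization with "LicenseRef-", and combine licenses with operators, attaching exceptions with "WITH". The following is an added example, not part of the original guidance and not a tool from SPDX or AboutCode: a small parser for SPDX-style license expressions that classifies every identifier it finds and evaluates the expression against an organization's allow-list. The identifier tables, the policy and the component list are constructed sample data; a real deployment would load the full SPDX license list and its own policy.

```python
import re

# Constructed subset of SPDX license and exception identifiers (assumption:
# a real deployment loads the complete SPDX license list instead).
KNOWN_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
                  "GPL-3.0-or-later", "LGPL-2.1-only"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
OPERATORS = {"AND", "OR", "WITH"}
IDENT_RE = re.compile(r"[A-Za-z0-9.+-]+")
LICENSE_REF = "LicenseRef-"            # practice d): organization-assigned id
SCANCODE_REF = "LicenseRef-scancode-"  # practice c): id taken from Scancode LicenseDB


def tokenize(expr):
    """Split an SPDX expression into parentheses, operators and identifiers."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
        elif expr[pos] in "()":
            tokens.append(expr[pos]); pos += 1
        else:
            m = IDENT_RE.match(expr, pos)
            if not m:
                raise ValueError(f"unexpected character {expr[pos]!r} at {pos}")
            tokens.append(m.group()); pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser: OR binds loosest, then AND, then WITH."""
    def __init__(self, expr):
        self.tokens, self.i = tokenize(expr), 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek(); self.i += 1; return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take(); node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_with()
        while self.peek() == "AND":
            self.take(); node = ("AND", node, self.parse_with())
        return node

    def parse_with(self):
        node = self.parse_primary()
        if self.peek() == "WITH":  # practice g): exception attached to one license id
            self.take()
            if node[0] != "LIC":
                raise ValueError("WITH must follow a single license identifier")
            node = ("WITH", node[1], self.ident())
        return node

    def parse_primary(self):
        if self.peek() == "(":
            self.take(); node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return ("LIC", self.ident())

    def ident(self):
        tok = self.take()
        if tok is None or tok in OPERATORS or tok in ("(", ")"):
            raise ValueError(f"expected identifier, got {tok!r}")
        return tok


def classify(ident, known):
    """Origin of an identifier, following practices b), c) and d)."""
    if ident in known:
        return "spdx"
    if ident.startswith(SCANCODE_REF):
        return "scancode"
    if ident.startswith(LICENSE_REF):
        return "org-assigned"
    return "unknown"


def identifiers(node):
    """Yield ('license' | 'exception', identifier) pairs found in the tree."""
    if node[0] == "LIC":
        yield "license", node[1]
    elif node[0] == "WITH":
        yield "license", node[1]
        yield "exception", node[2]
    else:
        yield from identifiers(node[1])
        yield from identifiers(node[2])


def acceptable(node, allowed, allowed_pairs):
    """Policy check: OR needs any branch, AND needs every branch; a license
    with an exception passes if the license is allowed on its own or the
    (license, exception) pair is explicitly allowed."""
    if node[0] == "LIC":
        return node[1] in allowed
    if node[0] == "WITH":
        return node[1] in allowed or (node[1], node[2]) in allowed_pairs
    branches = (acceptable(c, allowed, allowed_pairs) for c in node[1:])
    return all(branches) if node[0] == "AND" else any(branches)


def assess(expr, allowed, allowed_pairs=frozenset()):
    """Parse one component's license expression and report its status."""
    tree = Parser(expr).parse()
    found = list(identifiers(tree))
    unknown = [i for k, i in found
               if classify(i, KNOWN_LICENSES if k == "license" else KNOWN_EXCEPTIONS) == "unknown"]
    return {"expression": expr, "unknown_identifiers": unknown,
            "alternative_db": [i for _, i in found if i.startswith(SCANCODE_REF)],
            "acceptable": not unknown and acceptable(tree, allowed, allowed_pairs)}


if __name__ == "__main__":
    # Constructed SBOM components and policy (sample data, not a real inventory).
    policy = {"MIT", "Apache-2.0", "BSD-3-Clause"}
    pairs = {("GPL-2.0-only", "Classpath-exception-2.0")}
    for name, expr in [("libparse", "(MIT OR Apache-2.0) AND BSD-3-Clause"),
                       ("jrt-shim", "GPL-2.0-only WITH Classpath-exception-2.0"),
                       ("vendor-blob", "MIT AND LicenseRef-scancode-proprietary-license"),
                       ("mystery", "Apache-2.0 AND Foo-1.0")]:
        print(name, assess(expr, policy, pairs))
```

The policy model deliberately treats AND and OR differently: a dual-licensed component (OR) is acceptable when at least one branch meets the policy, whereas a component whose expression is a conjunction (AND) must satisfy it on every branch. An identifier that is neither in the SPDX list nor carries a "LicenseRef-" prefix is reported as unknown and blocks acceptance, which is the point of practices c) and d): every license in the SBOM should be traceable to a known source.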