Licenses

License management ensures your organization understands, tracks, and governs the open-source and proprietary licenses present in your software supply chain. Interlynk extracts license data from SBOMs, maps it to the SPDX license standard, and provides organization-wide license inventory, approval workflows, and obligation tracking.


Overview

Every component in an SBOM may declare one or more licenses using SPDX license expressions. The platform aggregates license data across all Products and Environments into an organization-wide inventory, enabling centralized governance.

Key capabilities:

  • SBOM-level license review — view and edit licenses for all components in a Version.

  • Organization-level license inventory — centralized view of all licenses across all Products.

  • License approval workflow — approve, reject, or flag licenses for organizational use.

  • License obligations — track compliance obligations associated with each license.

  • Custom licenses — define and manage licenses not in the SPDX standard catalog.

  • Policy enforcement — create policies that trigger on specific licenses or license types.

Architecture

SBOM Upload
  └── Component Extraction
        └── License Expression Parsing
              ├── SPDX License Matching
              │     └── Organization License Record
              │           ├── Approval Status
              │           ├── Obligations
              │           └── Custom Attributes
              └── Custom License Matching
                    └── Organization Custom License Record

Organization License Inventory
  ├── All licenses across all Products
  ├── Approval status (Approved, Rejected, Unreviewed)
  ├── Obligation tracking
  └── Policy evaluation

SBOM-Level License Review

Viewing Component Licenses

  1. Navigate to the Product and select a Version.

  2. Click the Licenses tab.

  3. The license list displays each component with its license expression, approval status, and obligation summary.

License Expression Interpretation

Components may declare licenses using SPDX expressions:

| Expression Type | Example | Meaning |
| --- | --- | --- |
| Single license | Apache-2.0 | Component is licensed under Apache 2.0 |
| OR expression | MIT OR GPL-2.0 | Component is available under either license (user chooses) |
| AND expression | Apache-2.0 AND MIT | Component requires compliance with both licenses |
| WITH exception | GPL-2.0 WITH Classpath-exception-2.0 | License with a specific exception |

Note: When Interpret License List as "AND" expression is enabled in Environment Settings, multi-license declarations are treated as requiring all listed licenses (conjunctive). When disabled, they are treated as alternatives (disjunctive).
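The following is an added example, not Interlynk's own code: it parses SPDX expressions with the precedence shown in the table (WITH binds tighter than AND, AND tighter than OR), resolves each term against a constructed approval inventory, and shows how the "Interpret License List as AND" setting changes the outcome for a component that declares several licenses. The three-valued combination rule (any approved alternative satisfies an OR; any rejected term rejects an AND) is an assumption of this example.

```python
import re

# Constructed sample inventory: SPDX identifier -> approval status,
# using the three statuses the organization inventory records.
INVENTORY = {
    "MIT": "Approved",
    "Apache-2.0": "Approved",
    "GPL-2.0": "Rejected",
    "GPL-2.0 WITH Classpath-exception-2.0": "Approved",
    "AGPL-3.0": "Rejected",
}

# Tokens: parentheses, the three SPDX operators, and license/exception ids.
_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")

class _Parser:
    """Recursive-descent parser; precedence WITH > AND > OR per SPDX."""
    def __init__(self, expr):
        self.toks, self.i = _TOKEN.findall(expr), 0
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        tok = self._peek(); self.i += 1; return tok
    def parse_or(self):                       # lowest precedence
        node = self.parse_and()
        while self._peek() == "OR":
            self._take(); node = ("OR", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_with()
        while self._peek() == "AND":
            self._take(); node = ("AND", node, self.parse_with())
        return node
    def parse_with(self):                     # leaf: id, "id WITH exc", or (...)
        if self._peek() == "(":
            self._take(); node = self.parse_or(); self._take()   # consume ")"
            return node
        lic = self._take()
        if self._peek() == "WITH":
            self._take(); lic = f"{lic} WITH {self._take()}"
        return lic

def _combine(op, got):
    if op == "OR":   # one approved alternative is enough
        return "Approved" if "Approved" in got else "Unreviewed" if "Unreviewed" in got else "Rejected"
    return "Rejected" if "Rejected" in got else "Unreviewed" if "Unreviewed" in got else "Approved"

def evaluate(expr, inventory=INVENTORY):
    """Approval status of a whole SPDX expression; unknown ids count as Unreviewed."""
    def walk(node):
        if isinstance(node, str):
            return inventory.get(node, "Unreviewed")
        op, left, right = node
        return _combine(op, {walk(left), walk(right)})
    return walk(_Parser(expr).parse_or())

def declared_to_expression(licenses, interpret_as_and):
    """Join a component's license list the way the Environment setting dictates."""
    parts = [f"({l})" if " " in l else l for l in licenses]
    return (" AND " if interpret_as_and else " OR ").join(parts)
```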

Editing Component Licenses

  1. Navigate to the Version's Licenses tab.

  2. Select a component.

  3. Update the license expression, name, or URL.

  4. Save.

License edits are recorded in the Version's Change Log.


Organization License Inventory

The organization-level license inventory provides a centralized view of every license encountered across all Products.

Accessing the Inventory

  1. Navigate to the Licenses page in the main navigation.

  2. The inventory displays all licenses with:

| Column | Description |
| --- | --- |
| License Name | SPDX identifier or custom name |
| Type | SPDX standard or Custom |
| Approval Status | Approved, Rejected, or Unreviewed |
| Products | Number of Products using this license |
| Components | Number of components using this license |

Adding a License

  1. Navigate to the Licenses page.

  2. Click + (Add License).

  3. Enter:

    • License Name (required)

    • License Text (optional) — full license text for reference

    • Attribution details (optional) — required attribution notices

    • Approval Status — Approved, Rejected, or Unreviewed

  4. Click Save.

Editing a License

  1. Navigate to the Licenses page.

  2. Click ... (Actions) on the license row and select Edit License.

  3. Update the license details.

  4. Click Update.


License Approval Workflow

The approval workflow enables organizations to govern which licenses are acceptable in their software supply chain.

Approval Statuses

| Status | Description | Impact |
| --- | --- | --- |
| Approved | License is cleared for use in the organization | No policy violations triggered |
| Rejected | License is not acceptable for organizational use | Policy rules targeting rejected licenses will trigger violations |
| Unreviewed | License has not been evaluated yet | Identified for review; may trigger policy warnings |

Setting Approval Status

  1. Navigate to the Licenses page.

  2. Click ... (Edit License) on the license row.

  3. Set the Approval Status.

  4. Click Update.

Bulk License Review

For organizations with many licenses, prioritize review by:

  1. Sort by Components (descending) to address the most widely-used licenses first.

  2. Filter by Unreviewed status to focus on licenses that need attention.

  3. Group by license family (e.g., all GPL variants, all Apache variants).


License Obligations

Obligations track the compliance requirements associated with each license.

Common Obligation Types

| Obligation | Affected Licenses | Requirement |
| --- | --- | --- |
| Attribution | MIT, BSD, Apache-2.0 | Include copyright notice and license text |
| Source disclosure | GPL-2.0, GPL-3.0, LGPL | Make source code available |
| Copyleft | GPL-2.0, GPL-3.0 | Derivative works must use the same license |
| Patent grant | Apache-2.0 | License includes a patent grant |
| Network copyleft | AGPL-3.0 | Source must be available for network users |

Tracking Obligations

Obligations are associated with licenses in the organization inventory. When viewing a Version's Licenses tab, obligation indicators show which components carry specific compliance requirements.


Custom Licenses

For licenses not in the SPDX standard catalog, create custom license records:

  1. Navigate to the Licenses page.

  2. Click + (Add License).

  3. Enter the custom license details:

    • License Name — a unique identifier for the custom license

    • License Text — the full license text

    • Attribution details — any required notices

    • Approval Status — your organization's assessment

  4. Click Save.

Custom licenses appear alongside SPDX licenses in the inventory and can be referenced in policy rules.


Policy Integration

Licenses can be evaluated by the policy engine. Create policy rules that:

| Policy Purpose | Subject | Operator | Value |
| --- | --- | --- | --- |
| Block GPL licenses | Component License | IS | GPL-2.0 |
| Require license presence | Component License | EXISTS | |
| Flag rejected licenses | License Approval | IS | Rejected |
| Block copyleft in proprietary products | Component License | IS | AGPL-3.0 |

For policy configuration details, see Policies.


Permission Matrix

| Permission | Admin | Operator | Viewer |
| --- | --- | --- | --- |
| View licenses | | | |
| Edit licenses | | | |

For full permission details, see Role Management.


Security Warnings


Common Misconfigurations

| Issue | Symptom | Fix |
| --- | --- | --- |
| No licenses reviewed | All licenses show as "Unreviewed" | Prioritize review by component count; start with the most-used licenses |
| License policy not assigned | License violations not detected | Create license-focused policies and assign them to Product Environments |
| AND/OR interpretation mismatch | Compliance evaluation does not match legal interpretation | Verify the "Interpret License List as AND expression" setting in Environment Settings |
| Custom license not created | Components show unknown license status | Add the custom license to the organization inventory |
| SBOM missing license data | Components show no license information | Improve SBOM generation tooling to extract license expressions |
| Rejected license not flagged | Products ship with rejected licenses | Create a policy rule that triggers on rejected licenses |


  • Review and approve all licenses in your organization inventory. Unreviewed licenses represent unknown legal risk.

  • Create a license policy that blocks rejected licenses from being used in production builds.

  • Start with a permissive approach. Approve well-known permissive licenses (MIT, Apache-2.0, BSD) first, then evaluate copyleft and restrictive licenses individually.

  • Document approval rationale. Record why each license was approved or rejected for future reference and audit evidence.

  • Monitor for new licenses. Periodically check the inventory for newly encountered licenses that need review.

  • Use SPDX expressions consistently. Standardize on SPDX identifiers for license expressions in your SBOM generation tools.

  • Track obligations per license. Ensure your engineering and legal teams understand the compliance requirements of approved licenses.

  • Configure the AND/OR interpretation setting based on legal guidance for your organization's products.

  • Include license data in SBOM exports for distribution to customers and regulators.
