# Licenses

License management ensures your organization understands, tracks, and governs the open-source and proprietary licenses present in your software supply chain. Interlynk extracts license data from SBOMs, maps it to the SPDX license standard, and provides organization-wide license inventory, approval workflows, and obligation tracking.

***

## Overview

Every component in an SBOM may declare one or more licenses using [SPDX license expressions](https://spdx.github.io/spdx-spec/v3.0.1/annexes/spdx-license-expressions/). The platform aggregates license data across all Products and Environments into an organization-wide inventory, enabling centralized governance.

Key capabilities:

* **SBOM-level license review** — view and edit licenses for all components in a Version.
* **Organization-level license inventory** — centralized view of all licenses across all Products.
* **License approval workflow** — approve, reject, or flag licenses for organizational use.
* **License obligations** — track compliance obligations associated with each license.
* **Custom licenses** — define and manage licenses not in the SPDX standard catalog.
* **Policy enforcement** — create policies that trigger on specific licenses or license types.

## Architecture

```
SBOM Upload
  └── Component Extraction
        └── License Expression Parsing
              ├── SPDX License Matching
              │     └── Organization License Record
              │           ├── Approval Status
              │           ├── Obligations
              │           └── Custom Attributes
              └── Custom License Matching
                    └── Organization Custom License Record

Organization License Inventory
  ├── All licenses across all Products
  ├── Approval status (Approved, Rejected, Unreviewed)
  ├── Obligation tracking
  └── Policy evaluation
```

***

## SBOM-Level License Review

### Viewing Component Licenses

1. Navigate to the Product and select a Version.
2. Click the **Licenses** tab.
3. The license list displays each component with its license expression, approval status, and obligation summary.

### License Expression Interpretation

Components may declare licenses using SPDX expressions. `AND` binds tighter than `OR`, so `MIT AND GPL-2.0-only OR Apache-2.0` reads as `(MIT AND GPL-2.0-only) OR Apache-2.0`; parenthesize anything more complex so the intent is unambiguous.

| Expression Type    | Example                                     | Meaning                                                              |
| ------------------ | ------------------------------------------- | -------------------------------------------------------------------- |
| **Single license** | `Apache-2.0`                                | Component is licensed under Apache 2.0                               |
| **OR expression**  | `MIT OR GPL-2.0-only`                       | Component is available under either license; the recipient picks one |
| **AND expression** | `Apache-2.0 AND MIT`                        | Component requires compliance with both licenses at once             |
| **WITH exception** | `GPL-2.0-only WITH Classpath-exception-2.0` | License plus a named exception that relaxes specific terms           |

Bare `GPL-2.0` and `GPL-2.0+` are deprecated SPDX identifiers (the current forms are `GPL-2.0-only` and `GPL-2.0-or-later`). Many SBOM generators still emit the old spellings, so expect both in the inventory and review them as one license.

{% hint style="info" %}
Some components declare several licenses as a list rather than as one SPDX expression. When **Interpret License List as "AND" expression** is enabled in Environment Settings, such a list is read conjunctively (all listed licenses apply); when disabled, it is read disjunctively (the listed licenses are alternatives).
{% endhint %}
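The semantics in the table and the list setting in the hint, carried through in code: an added example, not Interlynk's implementation or any part of its product. It parses an SPDX expression (`AND` binding tighter than `OR`, parentheses, `WITH`), normalizes the deprecated `GPL-2.0` / `GPL-2.0+` spellings, and rolls each component up to one of the page's three approval statuses against a constructed inventory. The roll-up rule (`AND` takes the worst child, `OR` the best, an identifier the inventory has never seen is Unreviewed) and the `INVENTORY` contents are this example's assumptions.

```python
"""Evaluate SPDX license expressions against an organization's approval statuses.
Added example, not Interlynk's code: it implements the expression semantics from the
table above (AND binds tighter than OR; WITH attaches an exception) and the Environment
setting that reads a component's *list* of licenses as AND or OR. The inventory and the
roll-up rule (AND takes the worst child, OR the best) are this example's assumptions."""
import re

APPROVED, REJECTED, UNREVIEWED = "Approved", "Rejected", "Unreviewed"
_RANK = {APPROVED: 0, UNREVIEWED: 1, REJECTED: 2}   # higher is worse
_OPS = {"AND", "OR", "WITH"}
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.\-]+\+?")
_GNU = re.compile(r"^((?:A?GPL|LGPL)-\d+\.\d+)(\+)?$", re.IGNORECASE)

def normalize(license_id):
    """Deprecated GNU ids to the current SPDX form ('GPL-2.0' -> 'GPL-2.0-only',
    'GPL-2.0+' -> 'GPL-2.0-or-later'); many SBOM tools still emit the old spellings."""
    m = _GNU.match(license_id)
    return m.group(1) + ("-or-later" if m.group(2) else "-only") if m else license_id

def canon(key):
    """Canonical inventory key for 'X' or 'X WITH Y'."""
    base, _, exc = key.partition(" WITH ")
    return normalize(base) + (f" WITH {exc}" if exc else "")

def parse(expression):
    """Recursive descent: or_expr := and_expr ('OR' and_expr)*; and_expr := primary ('AND' primary)*;
    primary := '(' or_expr ')' | id ['WITH' id]. Tree: ('LIC', key) or ('AND'|'OR', left, right)."""
    toks = _TOKEN.findall(expression)
    if "".join(toks) != re.sub(r"\s+", "", expression):
        raise ValueError(f"unexpected characters in {expression!r}")
    pos = [0]                                          # cursor shared by the closures

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1] if pos[0] <= len(toks) else None

    def or_expr():
        node = and_expr()
        while (peek() or "").upper() == "OR":          # operators accepted in any case
            take()
            node = ("OR", node, and_expr())
        return node

    def and_expr():
        node = primary()
        while (peek() or "").upper() == "AND":
            take()
            node = ("AND", node, primary())
        return node

    def primary():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok == ")" or tok.upper() in _OPS:
            raise ValueError(f"expected a license id, got {tok!r}")
        key = normalize(tok)
        if (peek() or "").upper() == "WITH":
            take()
            exc = take()
            if exc is None or exc in ("(", ")") or exc.upper() in _OPS:
                raise ValueError("WITH must be followed by an exception id")
            key = f"{key} WITH {exc}"                  # the exception is part of the identity
        return ("LIC", key)

    node = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return node

def evaluate(node, statuses):
    """Roll a tree up to one status. A leaf looks up 'X WITH Y' first, then X; unknown ids
    are Unreviewed. OR lets the recipient pick (best child wins); AND needs all (worst wins)."""
    if node[0] == "LIC":
        base = node[1].split(" WITH ")[0]
        return statuses.get(node[1], statuses.get(base, UNREVIEWED))
    left, right = evaluate(node[1], statuses), evaluate(node[2], statuses)
    return (max if node[0] == "AND" else min)(left, right, key=_RANK.__getitem__)

def evaluate_component(licenses, statuses, list_is_and):
    """`licenses` is the component's declared list (each entry may itself be an expression);
    `list_is_and` mirrors 'Interpret License List as AND expression'. An empty list is the
    missing-license-data blind spot and stays Unreviewed."""
    if not licenses:
        return UNREVIEWED
    expression = (" AND " if list_is_and else " OR ").join(f"({e})" for e in licenses)
    return evaluate(parse(expression), {canon(k): v for k, v in statuses.items()})

# Constructed inventory for the example; the three statuses are the page's own.
INVENTORY = {"MIT": APPROVED, "Apache-2.0": APPROVED, "AGPL-3.0-only": REJECTED,
             "GPL-2.0": REJECTED,                                    # deprecated spelling, re-keyed by canon()
             "GPL-2.0-only WITH Classpath-exception-2.0": APPROVED}  # the exception flips the verdict

if __name__ == "__main__":
    for expr in ("MIT OR GPL-2.0-only", "Apache-2.0 AND GPL-2.0",
                 "GPL-2.0 WITH Classpath-exception-2.0", "MIT AND (GPL-2.0+ OR Apache-2.0)"):
        print(f"{expr:40} -> {evaluate_component([expr], INVENTORY, True)}")
    print("['MIT', 'AGPL-3.0'] as AND / OR:", *[evaluate_component(["MIT", "AGPL-3.0"], INVENTORY, s) for s in (True, False)])
```

Two design points matter in practice. A `WITH` form is looked up as its own inventory entry before falling back to the base license, because an exception can legitimately flip a decision (Classpath-excepted GPL-2.0 in a JDK is a different call from plain GPL-2.0). And the same two-entry list `MIT, AGPL-3.0` evaluates to Rejected under the AND setting and Approved under the OR setting, which is exactly why the Environment setting has to match legal guidance rather than default.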

### Editing Component Licenses

1. Navigate to the Version's **Licenses** tab.
2. Select a component.
3. Update the license expression, name, or URL.
4. Save.

License edits are recorded in the Version's Change Log.

***

## Organization License Inventory

The organization-level license inventory provides a centralized view of every license encountered across all Products.

### Accessing the Inventory

1. Navigate to the **Licenses** page in the main navigation.
2. The inventory displays all licenses with:

| Column              | Description                             |
| ------------------- | --------------------------------------- |
| **License Name**    | SPDX identifier or custom name          |
| **Type**            | SPDX standard or Custom                 |
| **Approval Status** | Approved, Rejected, or Unreviewed       |
| **Products**        | Number of Products using this license   |
| **Components**      | Number of components using this license |

### Adding a License

1. Navigate to the **Licenses** page.
2. Click **+** (Add License).
3. Enter:
   * **License Name** (required)
   * **License Text** (optional) — full license text for reference
   * **Attribution details** (optional) — required attribution notices
   * **Approval Status** — Approved, Rejected, or Unreviewed
4. Click **Save**.

### Editing a License

1. Navigate to the **Licenses** page.
2. Click **...** (Actions) on the license row and select **Edit License**.
3. Update the license details.
4. Click **Update**.

***

## License Approval Workflow

The approval workflow enables organizations to govern which licenses are acceptable in their software supply chain.

### Approval Statuses

| Status         | Description                                      | Impact                                                           |
| -------------- | ------------------------------------------------ | ---------------------------------------------------------------- |
| **Approved**   | License is cleared for use in the organization   | No policy violations triggered                                   |
| **Rejected**   | License is not acceptable for organizational use | Policy rules targeting rejected licenses will trigger violations |
| **Unreviewed** | License has not been evaluated yet               | Identified for review; may trigger policy warnings               |

### Setting Approval Status

1. Navigate to the **Licenses** page.
2. Click **...** (Actions) on the license row and select **Edit License**.
3. Set the **Approval Status**.
4. Click **Update**.

### Bulk License Review

For organizations with many licenses, prioritize review by:

1. Sort by **Components** (descending) to address the most widely-used licenses first.
2. Filter by **Unreviewed** status to focus on licenses that need attention.
3. Group by license family (e.g., all GPL variants, all Apache variants).
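As an added example of that prioritization (not Interlynk's code), the script below builds the inventory columns from the preceding section (license, status, Products, Components) out of constructed component records and emits the review queue: Unreviewed only, families ordered by how many components they cover, identifiers within a family ordered by component count. The records, the statuses, and the family rule (leading identifier segment, so LGPL and AGPL are kept apart from GPL) are assumptions made for the example; it also reports components with no license data, since those never reach the inventory at all.

```python
"""Build an organization-wide license inventory from component records and order
the review queue: Unreviewed first, widest-used first, grouped by license family.
Added example, not Interlynk's implementation. The component records and statuses
below are constructed sample data; in practice they come from the SBOMs of every
Product Version and from the approval decisions recorded on the Licenses page."""
import re
from collections import defaultdict

_ID = re.compile(r"[A-Za-z0-9.\-]+\+?")
_OPS = {"AND", "OR", "WITH"}

# (Product, component, declared SPDX expression); constructed for the example.
COMPONENTS = [
    ("webapp", "express@4.19.2", "MIT"),
    ("webapp", "lodash@4.17.21", "MIT"),
    ("webapp", "readline@8.2", "GPL-3.0-or-later"),
    ("api", "guava@33.0.0", "Apache-2.0"),
    ("api", "openjdk@17", "GPL-2.0-only WITH Classpath-exception-2.0"),
    ("api", "mysql-connector@8.3", "GPL-2.0-only"),
    ("agent", "coreutils@9.4", "GPL-3.0-or-later"),
    ("agent", "libfoo@1.0", "LGPL-2.1-or-later OR MIT"),
    ("agent", "ghostscript@10.0", "AGPL-3.0-only"),
    ("agent", "unknownlib@0.1", ""),          # no license data: a compliance blind spot
]
# Approval decisions already recorded in the inventory (constructed).
STATUSES = {"MIT": "Approved", "Apache-2.0": "Approved"}

def license_ids(expression):
    """Identifiers in an expression, keeping 'X WITH Y' as one entry because the
    exception changes the obligations; operators are skipped."""
    toks = _ID.findall(expression)
    ids, i = [], 0
    while i < len(toks):
        tok = toks[i]
        if tok.upper() in _OPS:
            i += 1
        elif i + 2 < len(toks) and toks[i + 1].upper() == "WITH":
            ids.append(f"{tok} WITH {toks[i + 2]}")
            i += 3
        else:
            ids.append(tok)
            i += 1
    return ids

def family(license_id):
    """Leading segment of the id, so GPL-2.0-only and GPL-3.0-or-later are both 'GPL';
    LGPL and AGPL stay separate families. 'X WITH Y' is classified by X."""
    return license_id.split(" WITH ")[0].split("-", 1)[0]

def build_inventory(components, statuses):
    """One row per license with the Licenses page columns (status, Products, Components),
    plus the components that declare no license at all and so never appear in the inventory."""
    products, members, missing = defaultdict(set), defaultdict(set), []
    for product, component, expression in components:
        ids = license_ids(expression)
        if not ids:
            missing.append((product, component))
        for lic in ids:
            products[lic].add(product)
            members[lic].add((product, component))
    rows = [{"license": lic, "family": family(lic),
             "status": statuses.get(lic, "Unreviewed"),
             "products": len(products[lic]), "components": len(members[lic])}
            for lic in products]
    return rows, missing

def review_queue(rows):
    """Unreviewed rows only. Families are ordered by their total component count so the
    most widely used family is decided first; within a family, the most used id comes first."""
    pending = [r for r in rows if r["status"] == "Unreviewed"]
    weight = defaultdict(int)
    for r in pending:
        weight[r["family"]] += r["components"]
    pending.sort(key=lambda r: (-weight[r["family"]], r["family"],
                                -r["components"], r["license"]))
    return pending

if __name__ == "__main__":
    rows, missing = build_inventory(COMPONENTS, STATUSES)
    for r in review_queue(rows):
        print(f"{r['family']:5} {r['license']:45} products={r['products']} components={r['components']}")
    print("no license data:", missing)
```

On the sample data the GPL family is reviewed first because it covers four components across three identifiers, and within it `GPL-3.0-or-later` (two components in two Products) comes before the two GPL-2.0 forms. The `missing` list is the part an inventory view cannot show you, which is why the page treats absent license data as a separate problem from unreviewed licenses.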

***

## License Obligations

Obligations track the compliance requirements associated with each license.

### Common Obligation Types

| Obligation            | Affected Licenses      | Requirement                                                                                                     |
| --------------------- | ---------------------- | --------------------------------------------------------------------------------------------------------------- |
| **Attribution**       | MIT, BSD, Apache-2.0   | Include the copyright notice and license text; Apache-2.0 also requires preserving any NOTICE file              |
| **Source disclosure** | GPL-2.0, GPL-3.0, LGPL | Make corresponding source available when distributing binaries (for LGPL: the library and your changes to it)   |
| **Copyleft**          | GPL-2.0, GPL-3.0       | Derivative works you distribute must be licensed under the same terms                                           |
| **Patent grant**      | Apache-2.0             | Contributors grant a patent license; initiating patent litigation over the work terminates that grant           |
| **Network copyleft**  | AGPL-3.0               | Source must be offered to users who interact with the software over a network, not only to recipients of binaries |

### Tracking Obligations

Obligations are associated with licenses in the organization inventory. When viewing a Version's Licenses tab, obligation indicators show which components carry specific compliance requirements.

***

## Custom Licenses

For licenses not in the SPDX standard catalog, create custom license records:

1. Navigate to the **Licenses** page.
2. Click **+** (Add License).
3. Enter the custom license details:
   * **License Name** — a unique identifier for the custom license
   * **License Text** — the full license text
   * **Attribution details** — any required notices
   * **Approval Status** — your organization's assessment
4. Click **Save**.

Custom licenses appear alongside SPDX licenses in the inventory and can be referenced in policy rules.

***

## Policy Integration

Licenses can be evaluated by the policy engine. Create policy rules such as:

| Policy Purpose                                 | Subject           | Operator | Value    |
| ---------------------------------------------- | ----------------- | -------- | -------- |
| Block one specific license                     | Component License | IS       | GPL-2.0  |
| Require license presence                       | Component License | EXISTS   | —        |
| Flag rejected licenses                         | License Approval  | IS       | Rejected |
| Block network copyleft in proprietary products | Component License | IS       | AGPL-3.0 |

An `IS` rule matches the single identifier given, so blocking "GPL" by identifier needs one rule per variant (`GPL-2.0-only`, `GPL-3.0-only`, the `-or-later` forms, and the deprecated spellings your SBOM tools still emit). The approach that scales is to mark those licenses **Rejected** in the inventory and rely on the **License Approval IS Rejected** rule, which covers every license you reject without further policy changes. Pair it with **Component License EXISTS** so that components with no license data cannot pass by default.

For policy configuration details, see [Policies](https://docs.interlynk.io/product-guides/security-and-compliance/policies).

***

## Permission Matrix

| Permission    | Admin | Operator | Viewer |
| ------------- | :---: | :------: | :----: |
| View licenses |   ✓   |     ✓    |    ✓   |
| Edit licenses |   ✓   |     ✓    |    —   |

For full permission details, see [Role Management](https://docs.interlynk.io/administration/role-management).

***

## Security Warnings

{% hint style="warning" %}
**Copyleft licenses (GPL, AGPL) may require source code disclosure.** Components using these licenses in proprietary products can create legal obligations. Review and approve licenses before deploying software containing copyleft-licensed components.
{% endhint %}

{% hint style="warning" %}
**Missing license data creates compliance blind spots.** Components without license expressions cannot be evaluated for license compliance. Ensure SBOM generation tools extract license information for all components.
{% endhint %}

{% hint style="warning" %}
**License expression interpretation affects compliance evaluation.** Verify that the "Interpret License List as AND expression" setting matches your organization's interpretation of multi-license declarations.
{% endhint %}

***

## Common Misconfigurations

| Issue                          | Symptom                                                   | Fix                                                                                   |
| ------------------------------ | --------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| No licenses reviewed           | All licenses show as "Unreviewed"                         | Prioritize review by component count; start with the most-used licenses               |
| License policy not assigned    | License violations not detected                           | Create license-focused policies and assign them to Product Environments               |
| AND/OR interpretation mismatch | Compliance evaluation does not match legal interpretation | Verify the "Interpret License List as AND expression" setting in Environment Settings |
| Custom license not created     | Components show unknown license status                    | Add the custom license to the organization inventory                                  |
| SBOM missing license data      | Components show no license information                    | Improve SBOM generation tooling to extract license expressions                        |
| Rejected license not flagged   | Products ship with rejected licenses                      | Create a policy rule that triggers on rejected licenses                               |

***

## Recommended Best Practices

* **Review and approve all licenses** in your organization inventory. Unreviewed licenses represent unknown legal risk.
* **Create a license policy** that blocks rejected licenses from being used in production builds.
* **Start with a permissive approach.** Approve well-known permissive licenses (MIT, Apache-2.0, BSD) first, then evaluate copyleft and restrictive licenses individually.
* **Document approval rationale.** Record why each license was approved or rejected for future reference and audit evidence.
* **Monitor for new licenses.** Periodically check the inventory for newly encountered licenses that need review.
* **Use SPDX expressions consistently.** Standardize on SPDX identifiers for license expressions in your SBOM generation tools.
* **Track obligations per license.** Ensure your engineering and legal teams understand the compliance requirements of approved licenses.
* **Configure the AND/OR interpretation setting** based on legal guidance for your organization's products.
* **Include license data in SBOM exports** for distribution to customers and regulators.
