> For the complete documentation index, see [llms.txt](https://docs.interlynk.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.interlynk.io/product-guides/security-and-compliance/licenses.md).

# Licenses

License management ensures your organization understands, tracks, and governs the open-source and proprietary licenses present in your software supply chain. Interlynk extracts license data from SBOMs, maps it to the SPDX license standard, and provides organization-wide license inventory, approval workflows, and obligation tracking.

***

## Overview

Every component in an SBOM may declare one or more licenses using [SPDX license expressions](https://spdx.github.io/spdx-spec/v3.0.1/annexes/spdx-license-expressions/). The platform aggregates license data across all Products and Environments into an organization-wide inventory, enabling centralized governance.

Key capabilities:

* **SBOM-level license review** — view and edit licenses for all components in a Version.
* **Organization-level license inventory** — centralized view of all licenses across all Products.
* **License approval workflow** — approve, reject, or flag licenses for organizational use.
* **License obligations** — track compliance obligations associated with each license.
* **Custom licenses** — define and manage licenses not in the SPDX standard catalog.
* **Policy enforcement** — create policies that trigger on specific licenses or license types.

## Architecture

```
SBOM Upload
  └── Component Extraction
        └── License Expression Parsing
              ├── SPDX License Matching
              │     └── Organization License Record
              │           ├── Approval Status
              │           ├── Obligations
              │           └── Custom Attributes
              └── Custom License Matching
                    └── Organization Custom License Record

Organization License Inventory
  ├── All licenses across all Products
  ├── Approval status (Approved, Rejected, Unreviewed)
  ├── Obligation tracking
  └── Policy evaluation
```

***

## SBOM-Level License Review

### Viewing Component Licenses

1. Navigate to the Product and select a Version.
2. Click the **Licenses** tab.
3. The license list displays each component with its license expression, approval status, and obligation summary.

### License Expression Interpretation

Components may declare licenses using SPDX expressions:

| Expression Type    | Example                                     | Meaning                                                    |
| ------------------ | ------------------------------------------- | ---------------------------------------------------------- |
| **Single license** | `Apache-2.0`                                | Component is licensed under Apache 2.0                     |
| **OR expression**  | `MIT OR GPL-2.0-only`                       | Component is available under either license (user chooses) |
| **AND expression** | `Apache-2.0 AND MIT`                        | Component requires compliance with both licenses           |
| **WITH exception** | `GPL-2.0-only WITH Classpath-exception-2.0` | License with a specific exception                          |

SPDX evaluates `WITH` before `AND`, and `AND` before `OR`; parentheses override this order. Note that `GPL-2.0` without a suffix is a deprecated SPDX identifier: current SBOM generators emit `GPL-2.0-only` or `GPL-2.0-or-later`, so both forms may appear in your inventory and each needs its own review and policy rule.

{% hint style="info" %}
When **Interpret License List as "AND" expression** is enabled in Environment Settings, multi-license declarations are treated as requiring all listed licenses (conjunctive). When disabled, they are treated as alternatives (disjunctive).
{% endhint %}
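
The following is an added example (not Interlynk's code) of how the expression forms above, their precedence, and the list-as-AND setting combine with approval statuses. The inventory shape (a dict of SPDX identifier to `Approved`, `Rejected`, or `Unreviewed`, with missing identifiers counted as `Unreviewed`) and the sample identifiers are assumptions made for illustration.

```python
"""SPDX license-expression evaluation against an approval inventory.
Added example, not Interlynk's code. Assumed (not from the page): inventory maps
SPDX id -> "Approved"/"Rejected"/"Unreviewed"; a missing id counts as Unreviewed."""
import re
from dataclasses import dataclass

APPROVED, REJECTED, UNREVIEWED = "Approved", "Rejected", "Unreviewed"


@dataclass(frozen=True)
class Lic:
    id: str           # a license id, or "<license> WITH <exception>" kept as one unit


@dataclass(frozen=True)
class Op:
    op: str           # "AND" or "OR"
    parts: tuple      # operand nodes (Lic or Op)


_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+:-]+")


def parse(expression: str):
    """Recursive-descent parser; precedence, tightest first: WITH, AND, OR."""
    tokens = _TOKEN.findall(expression)
    if "".join(tokens) != re.sub(r"\s+", "", expression):
        raise ValueError(f"unexpected characters in {expression!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of {expression!r}")
        pos += 1
        return tokens[pos - 1]

    def primary():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected {tok!r} in {expression!r}")
        if peek() == "WITH":          # the exception binds to the license on its left
            take()
            return Lic(f"{tok} WITH {take()}")
        return Lic(tok)

    def and_expr():
        parts = [primary()]
        while peek() == "AND":
            take()
            parts.append(primary())
        return parts[0] if len(parts) == 1 else Op("AND", tuple(parts))

    def or_expr():
        parts = [and_expr()]
        while peek() == "OR":
            take()
            parts.append(and_expr())
        return parts[0] if len(parts) == 1 else Op("OR", tuple(parts))

    node = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing tokens in {expression!r}")
    return node


def evaluate(node, inventory: dict) -> str:
    """Fold approval statuses up the tree. AND: one Rejected operand rejects the
    conjunction, else one Unreviewed leaves it Unreviewed. OR: one Approved
    alternative satisfies it (the consumer picks that one), else Unreviewed wins."""
    if isinstance(node, Lic):
        return inventory.get(node.id, UNREVIEWED)
    statuses = [evaluate(p, inventory) for p in node.parts]
    if node.op == "AND":
        if REJECTED in statuses:
            return REJECTED
        return UNREVIEWED if UNREVIEWED in statuses else APPROVED
    if APPROVED in statuses:
        return APPROVED
    return UNREVIEWED if UNREVIEWED in statuses else REJECTED


def join_license_list(licenses: list, interpret_as_and: bool) -> str:
    """Model the 'Interpret License List as AND expression' setting for a
    component that lists several licenses without an operator between them."""
    joiner = " AND " if interpret_as_and else " OR "
    return joiner.join(f"({lic})" for lic in licenses)


INVENTORY = {  # constructed sample inventory; AGPL-3.0-only is deliberately absent
    "MIT": APPROVED,
    "Apache-2.0": APPROVED,
    "GPL-2.0-only": REJECTED,
    "GPL-2.0-only WITH Classpath-exception-2.0": APPROVED,
}

if __name__ == "__main__":
    for expr in ("MIT OR GPL-2.0-only", "Apache-2.0 AND GPL-2.0-only",
                 join_license_list(["MIT", "GPL-2.0-only"], True)):
        print(f"{expr:30} -> {evaluate(parse(expr), INVENTORY)}")
```

Running it shows why the AND/OR setting matters: the same two-license declaration `["MIT", "GPL-2.0-only"]` evaluates to `Rejected` when joined with AND and to `Approved` when joined with OR, and `MIT AND AGPL-3.0-only` comes back `Unreviewed` because the AGPL identifier has no inventory record yet.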

### Editing Component Licenses

1. Navigate to the Version's **Licenses** tab.
2. Select a component.
3. Update the license expression, name, or URL.
4. Save.

License edits are recorded in the Version's Change Log.

***

## Organization License Inventory

The organization-level license inventory provides a centralized view of every license encountered across all Products.

### Accessing the Inventory

1. Navigate to the **Licenses** page in the main navigation.
2. The inventory displays all licenses with:

| Column              | Description                             |
| ------------------- | --------------------------------------- |
| **License Name**    | SPDX identifier or custom name          |
| **Type**            | SPDX standard or Custom                 |
| **Approval Status** | Approved, Rejected, or Unreviewed       |
| **Products**        | Number of Products using this license   |
| **Components**      | Number of components using this license |

### Adding a License

1. Navigate to the **Licenses** page.
2. Click **+** (Add License).
3. Enter:
   * **License Name** (required)
   * **License Text** (optional) — full license text for reference
   * **Attribution details** (optional) — required attribution notices
   * **Approval Status** — Approved, Rejected, or Unreviewed
4. Click **Save**.

### Editing a License

1. Navigate to the **Licenses** page.
2. Click **...** (Actions) on the license row and select **Edit License**.
3. Update the license details.
4. Click **Update**.

***

## License Approval Workflow

The approval workflow enables organizations to govern which licenses are acceptable in their software supply chain.

### Approval Statuses

| Status         | Description                                      | Impact                                                                                              |
| -------------- | ------------------------------------------------ | --------------------------------------------------------------------------------------------------- |
| **Approved**   | License is cleared for use in the organization   | Does not trigger approval-based rules; rules that target a specific license identifier still apply |
| **Rejected**   | License is not acceptable for organizational use | Policy rules targeting rejected licenses will trigger violations                                    |
| **Unreviewed** | License has not been evaluated yet               | Identified for review; may trigger policy warnings                                                  |

### Setting Approval Status

1. Navigate to the **Licenses** page.
2. Click **...** (Actions) on the license row and select **Edit License**.
3. Set the **Approval Status**.
4. Click **Update**.

### Bulk License Review

For organizations with many licenses, prioritize review by:

1. Sort by **Components** (descending) to address the most widely-used licenses first.
2. Filter by **Unreviewed** status to focus on licenses that need attention.
3. Group by license family (e.g., all GPL variants, all Apache variants).

***

## License Obligations

Obligations track the compliance requirements associated with each license.

### Common Obligation Types

| Obligation            | Affected Licenses      | Requirement                                                                              |
| --------------------- | ---------------------- | ---------------------------------------------------------------------------------------- |
| **Attribution**       | MIT, BSD, Apache-2.0   | Include copyright notice and license text                                                |
| **Source disclosure** | GPL-2.0, GPL-3.0, LGPL | Make source code available                                                               |
| **Copyleft**          | GPL-2.0, GPL-3.0       | Derivative works must use the same license                                               |
| **Patent grant**      | Apache-2.0             | Recipients receive a patent license; it terminates for anyone who sues over the work     |
| **Network copyleft**  | AGPL-3.0               | Source must be available for network users                                               |

### Tracking Obligations

Obligations are associated with licenses in the organization inventory. When viewing a Version's Licenses tab, obligation indicators show which components carry specific compliance requirements.

***

## Custom Licenses

For licenses not in the SPDX standard catalog, create custom license records:

1. Navigate to the **Licenses** page.
2. Click **+** (Add License).
3. Enter the custom license details:
   * **License Name** — a unique identifier for the custom license
   * **License Text** — the full license text
   * **Attribution details** — any required notices
   * **Approval Status** — your organization's assessment
4. Click **Save**.

Custom licenses appear alongside SPDX licenses in the inventory and can be referenced in policy rules.

***

## Policy Integration

Licenses can be evaluated by the policy engine. Example rules:

| Policy Purpose                         | Subject           | Operator | Value         |
| -------------------------------------- | ----------------- | -------- | ------------- |
| Block GPL-2.0                          | Component License | IS       | GPL-2.0-only  |
| Require license presence               | Component License | EXISTS   | —             |
| Flag rejected licenses                 | License Approval  | IS       | Rejected      |
| Block copyleft in proprietary products | Component License | IS       | AGPL-3.0-only |

An `IS` rule on **Component License** targets the one identifier given, so a rule for `GPL-2.0-only` does not fire on `GPL-2.0-or-later` or `GPL-3.0-only`. To cover a whole license family, either add one rule per identifier or set each variant to **Rejected** in the inventory and rely on the **License Approval** `IS` `Rejected` rule.

For policy configuration details, see [Policies](/product-guides/security-and-compliance/policies.md).
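
The following is an added example (illustrative code, not Interlynk's policy engine) of how rules of the shape shown in the table evaluate against components. The `(subject, operator, value)` rule tuple, the component and inventory structures, and the sample components are assumptions; it also adds a `License Approval IS Unreviewed` rule to show what an identifier-specific `IS` rule alone misses, and an empty license list to show the blind spot that missing license data creates.

```python
"""License policy evaluation over SBOM components.
Added example, not Interlynk's policy engine. Assumed (not from the page): rules are
(subject, operator, value); component licenses are already split into SPDX ids;
approval statuses come from the organization inventory, default Unreviewed."""
from dataclasses import dataclass, field

UNREVIEWED = "Unreviewed"


@dataclass
class Component:
    name: str
    licenses: list = field(default_factory=list)  # empty list = no license data in the SBOM


@dataclass(frozen=True)
class Rule:
    purpose: str
    subject: str    # "Component License" or "License Approval"
    operator: str   # "IS" or "EXISTS"
    value: str = ""


def matches(rule: Rule, component: Component, inventory: dict) -> list:
    """Identifiers that make the rule fire for this component ([''] for a presence failure)."""
    if rule.subject == "Component License" and rule.operator == "EXISTS":
        return [""] if not component.licenses else []
    if rule.subject == "Component License" and rule.operator == "IS":
        # Exact identifier match: "GPL-2.0-only" does not cover GPL-3.0-only or GPL-2.0-or-later.
        return [lic for lic in component.licenses if lic == rule.value]
    if rule.subject == "License Approval" and rule.operator == "IS":
        # An identifier missing from the inventory counts as Unreviewed.
        return [lic for lic in component.licenses if inventory.get(lic, UNREVIEWED) == rule.value]
    raise ValueError(f"unsupported rule: {rule.subject} {rule.operator}")


def evaluate_policy(rules, components, inventory) -> list:
    """(component name, rule purpose, offending identifier) for every rule that fires."""
    findings = []
    for component in components:
        for rule in rules:
            for lic in matches(rule, component, inventory):
                findings.append((component.name, rule.purpose, lic))
    return findings


RULES = [  # mirrors the table above, plus an Unreviewed rule
    Rule("Block GPL-2.0", "Component License", "IS", "GPL-2.0-only"),
    Rule("Require license presence", "Component License", "EXISTS"),
    Rule("Flag rejected licenses", "License Approval", "IS", "Rejected"),
    Rule("Block AGPL", "Component License", "IS", "AGPL-3.0-only"),
    Rule("Flag unreviewed licenses", "License Approval", "IS", UNREVIEWED),
]

INVENTORY = {  # constructed sample inventory
    "MIT": "Approved",
    "GPL-2.0-only": "Rejected",
    "AGPL-3.0-only": "Rejected",
    "GPL-3.0-only": UNREVIEWED,
}

COMPONENTS = [  # constructed sample components
    Component("libfoo", ["MIT"]),
    Component("gplutil", ["GPL-2.0-only"]),
    Component("gpl3tool", ["GPL-3.0-only"]),   # not caught by "Block GPL-2.0"
    Component("netsvc", ["AGPL-3.0-only"]),
    Component("mystery", []),                  # SBOM carried no license data
]

if __name__ == "__main__":
    for name, purpose, lic in evaluate_policy(RULES, COMPONENTS, INVENTORY):
        print(f"{name:10} {purpose:28} {lic}")
```

Two results are worth noticing: `gpl3tool` is reported only by the Unreviewed rule, because `Block GPL-2.0` matches a single identifier, and `mystery` is reported only by the presence rule, because neither the identifier rules nor the approval rules can evaluate a component that declares no license at all.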

***

## Permission Matrix

| Permission    | Admin | Operator | Viewer |
| ------------- | :---: | :------: | :----: |
| View licenses |   ✓   |     ✓    |    ✓   |
| Edit licenses |   ✓   |     ✓    |    —   |

For full permission details, see [Role Management](/administration/role-management.md).

***

## Security Warnings

{% hint style="warning" %}
**Copyleft licenses (GPL, AGPL) may require source code disclosure.** Components using these licenses in proprietary products can create legal obligations. Review and approve licenses before deploying software containing copyleft-licensed components.
{% endhint %}

{% hint style="warning" %}
**Missing license data creates compliance blind spots.** Components without license expressions cannot be evaluated for license compliance. Ensure SBOM generation tools extract license information for all components.
{% endhint %}

{% hint style="warning" %}
**License expression interpretation affects compliance evaluation.** Verify that the "Interpret License List as AND expression" setting matches your organization's interpretation of multi-license declarations.
{% endhint %}

***

## Common Misconfigurations

| Issue                          | Symptom                                                   | Fix                                                                                   |
| ------------------------------ | --------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| No licenses reviewed           | All licenses show as "Unreviewed"                         | Prioritize review by component count; start with the most-used licenses               |
| License policy not assigned    | License violations not detected                           | Create license-focused policies and assign them to Product Environments               |
| AND/OR interpretation mismatch | Compliance evaluation does not match legal interpretation | Verify the "Interpret License List as AND expression" setting in Environment Settings |
| Custom license not created     | Components show unknown license status                    | Add the custom license to the organization inventory                                  |
| SBOM missing license data      | Components show no license information                    | Improve SBOM generation tooling to extract license expressions                        |
| Rejected license not flagged   | Products ship with rejected licenses                      | Create a policy rule that triggers on rejected licenses                               |

***

## Recommended Best Practices

* **Review and approve all licenses** in your organization inventory. Unreviewed licenses represent unknown legal risk.
* **Create a license policy** that blocks rejected licenses from being used in production builds.
* **Start with permissive licenses.** Approve well-known permissive licenses (MIT, Apache-2.0, BSD) first, then evaluate copyleft and restrictive licenses individually.
* **Document approval rationale.** Record why each license was approved or rejected for future reference and audit evidence.
* **Monitor for new licenses.** Periodically check the inventory for newly encountered licenses that need review.
* **Use SPDX expressions consistently.** Standardize on SPDX identifiers for license expressions in your SBOM generation tools.
* **Track obligations per license.** Ensure your engineering and legal teams understand the compliance requirements of approved licenses.
* **Configure the AND/OR interpretation setting** based on legal guidance for your organization's products.
* **Include license data in SBOM exports** for distribution to customers and regulators.
