Introducing pessimistic mode for license whitelist

With VersionEye you can set up a license whitelist very easily. Simply put the software licenses you want (or are allowed) to use in your software project on the license whitelist. In the edit mask you even get suggestions via autocomplete. The suggestions come from the SPDX license list.


The cool thing here is that VersionEye does the normalisation of the license names for you. Even if there is no exact string match with an SPDX identifier, VersionEye will recognise the licenses in your project and will be able to apply the whitelist rules to them.

Some software libraries have more than 1 license. Some are dual licensed and some software libraries even offer 3 licenses. Assume you are using a software library which has 2 licenses: a GPL-2.0 license and a Ruby license. The Ruby license is on your license whitelist, but GPL-2.0 is not. Does this software library violate your license whitelist? Should this dependency be counted as a violation or not? It depends. By default VersionEye is optimistic: as long as the dependency has at least 1 license which is on the license whitelist, the dependency does not count as a violation.

In the example below several rows are marked red, because those dependencies carry at least 1 license which is not on the whitelist. But in the project head we can see that there are only 2 license violations. The libraries kgio and raindrops each have just 1 single license (LGPL-2.1+), and it is not on the license whitelist. These 2 dependencies are violations of the license whitelist. The other red-marked dependencies have at least 1 license which is on the license whitelist, so in optimistic mode they do not count.

(Screenshot, 2015-06-22: project view in the default optimistic mode, 2 license violations)

This behaviour is now configurable. In the detail view of the license whitelist there is a checkbox for “pessimistic mode”.

(Screenshot, 2015-06-22: license whitelist detail view with the “pessimistic mode” checkbox)

If pessimistic mode is turned on, VersionEye counts every dependency that has at least 1 license which is not on the license whitelist as a violation of the license whitelist. In other words, every license of a dependency must be on the whitelist. With pessimistic mode turned on the same project looks like this.

(Screenshot, 2015-06-22: the same project in pessimistic mode, 4 license violations)

Instead of 2 violations of the license whitelist we now have 4, because 4 unique dependencies have at least 1 license which is not on the license whitelist.
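To make the difference between the two modes concrete, here is a small Ruby model of the whitelist evaluation described above (the dual-license question and the 2-versus-4 count). This is an added example and not VersionEye's own code; the alias table used for normalisation, the `SAMPLE_PROJECT` dependency list and the whitelist are constructed for illustration and are assumptions, as is the choice to treat a dependency with no known license as a violation, which the post does not address.

```ruby
require 'set'

# Hypothetical normalisation table (assumption, not VersionEye's matching):
# maps spellings found in package metadata onto SPDX identifiers.
LICENSE_ALIASES = {
  'gpl2'                => 'GPL-2.0',
  'gplv2'               => 'GPL-2.0',
  'gpl-2'               => 'GPL-2.0',
  'lgpl-2.1-or-later'   => 'LGPL-2.1+',
  'lgplv2.1+'           => 'LGPL-2.1+',
  'ruby license'        => 'Ruby',
  'mit license'         => 'MIT',
  'expat'               => 'MIT',
  'apache 2.0'          => 'Apache-2.0',
  'apache license 2.0'  => 'Apache-2.0',
  'new bsd'             => 'BSD-3-Clause',
}.freeze

# Case- and whitespace-insensitive lookup; unknown names pass through
# unchanged so they can still match a whitelist entry literally.
def normalize_license(name)
  key = name.to_s.strip.downcase.gsub(/\s+/, ' ')
  LICENSE_ALIASES.fetch(key) { name.to_s.strip }
end

# Licenses of one dependency that are NOT on the whitelist (the "red" ones).
def unlisted_licenses(dependency, whitelist)
  allowed = Set.new(whitelist.map { |l| normalize_license(l) })
  dependency[:licenses].map { |l| normalize_license(l) }
                       .reject { |l| allowed.include?(l) }
end

# mode: :optimistic  -> violation only if NO license is whitelisted
#       :pessimistic -> violation if ANY license is not whitelisted
def violation?(dependency, whitelist, mode: :optimistic)
  licenses = dependency[:licenses]
  # Assumption: a dependency with no known license cannot be proven
  # compliant, so it is flagged in both modes.
  return true if licenses.nil? || licenses.empty?

  unlisted = unlisted_licenses(dependency, whitelist)
  case mode
  when :optimistic  then unlisted.size == licenses.size
  when :pessimistic then !unlisted.empty?
  else raise ArgumentError, "unknown mode #{mode.inspect}"
  end
end

# Unique names of the violating dependencies, in project order.
def violations(dependencies, whitelist, mode: :optimistic)
  dependencies.select { |d| violation?(d, whitelist, mode: mode) }
              .map { |d| d[:name] }
              .uniq
end

# Constructed sample project (license data here is illustrative only).
SAMPLE_PROJECT = [
  { name: 'unicorn',      licenses: ['GPL-2.0', 'Ruby license'] },
  { name: 'kgio',         licenses: ['LGPL-2.1+'] },
  { name: 'raindrops',    licenses: ['lgpl-2.1-or-later'] },
  { name: 'eventmachine', licenses: ['Ruby', 'gplv2'] },
  { name: 'rake',         licenses: ['MIT license'] },
  { name: 'kgio',         licenses: ['LGPL-2.1+'] }, # second occurrence, counted once
  { name: 'mysql2',       licenses: ['Expat'] },
].freeze

# Constructed whitelist, deliberately using non-SPDX spellings.
WHITELIST = ['MIT', 'Ruby license', 'Apache 2.0', 'New BSD'].freeze

if __FILE__ == $PROGRAM_NAME
  %i[optimistic pessimistic].each do |mode|
    v = violations(SAMPLE_PROJECT, WHITELIST, mode: mode)
    puts "#{mode}: #{v.size} violation(s) -> #{v.join(', ')}"
  end
end
```

Run stand-alone, the script reports 2 violations (kgio, raindrops) in optimistic mode and 4 (unicorn, kgio, raindrops, eventmachine) in pessimistic mode, mirroring the two screenshots: the dual-licensed gems flip from "red row, not counted" to "counted" as soon as pessimistic mode is on.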

This is a very new feature; please try it out and give feedback. If you are not sure which mode you should use, talk to your compliance department.
