Default License Whitelist

In VersionEye it’s very easy to set up a license whitelist. A license whitelist describes the licenses which are allowed in your organisation. You can even have multiple license whitelists per organisation. That way different projects can have different license whitelists. That makes total sense because licenses have different obligations. Some licenses can be used in a cloud environment but not for mobile apps.

However, most people don’t know much about software licenses. They simply don’t know what to put on a license whitelist and what not. That’s why VersionEye has a default license whitelist now. It contains a small set of software licenses which can be used in any environment. The default license whitelist currently contains these licenses:

  • Apache-1.0
  • Apache-1.1
  • Apache-2.0
  • BSD
  • BSD-2-Clause
  • BSD-3-Clause
  • BSD-4-Clause
  • BSD-4-Clause-UC
  • CC0
  • CC0-1.0
  • ISC
  • MIT
  • Public Domain
  • WTFPL

This license whitelist always has the name “default_lwl”, and for newly created organisations it’s marked as the default license whitelist. That means it gets assigned to all newly created projects, and all the project dependencies are compared against that whitelist.

Of course you can edit the “default_lwl” at any time. You can remove licenses from it and add new licenses to it whenever you like. It’s just a suggestion to start with.

Let us know how this works out for you.

Improved license recognition

VersionEye is now monitoring more than 1.2 million open source projects and collecting all kinds of meta information about these projects. One kind of meta information is the corresponding license. Currently the VersionEye database contains licenses for more than 8 million artefacts.

However, sometimes the maintainers of a project didn’t provide the license information in a way that is easy for machines to read and recognise. That is especially the case for Python and the .NET platform. Take for example the gpkit Python library. In the license field they provided the full license text, not just the license name.

That doesn’t match very well with the license whitelist in VersionEye 😉 That’s why we improved it now!

Altogether we have 11335 Python licenses like that in our database, and they belong to 1989 unique projects on PIP. Our new license crawler could match 9933 licenses to SPDX identifiers. That is 1799 unique projects on PIP to which we could assign an SPDX identifier that didn’t have one before. For more than 90% of these projects we could recognise and identify an SPDX identifier. And now the same library on VersionEye looks like this:

You can see clearly that it’s the MIT license, and now this works well together with our license whitelist 🙂

In Nuget, the package manager for the .NET platform, many license names look like this.

“Nuget unknown”. That is the case if the maintainers provided a license link but didn’t provide a license name. Our new license crawler now follows these links and uses machine learning to try to identify a known license. If the similarity to a known license text is higher than 90%, we assign the corresponding SPDX identifier to the software library in our database. And now the same package looks like this and you can see immediately that it’s the MIT license!

That also helps to use these packages together with our license whitelist. For the .NET packages our recognition system was not quite as good as for Python. For .NET we could only identify 65% of the licenses of packages with a link but without a license name. Still not bad and much better than before 😉

These are just the first results. Of course this is also work in progress and the recognition will become better in future.

Your feedback is very welcome.

Suggest new licenses

VersionEye is now monitoring more than 1.2 million open source projects and collecting all kinds of meta information about these projects. One kind of meta information is the corresponding license. Currently the VersionEye database contains licenses for more than 8 million artefacts.

However, it is not always possible to fetch the license automatically. Sometimes things go wrong and sometimes the license is not available through a repository API. Sometimes human interaction is required to find the license for an artefact. Now everybody from the VersionEye community can suggest a license for an artefact. If you are on a VersionEye product page with an unknown license, you will now see a new “Suggest a license” link.

By clicking on the link you get to a new page where you can suggest a license for the corresponding artefact; the form is already pre-filled for you.

When you submit the form above, the VersionEye team receives an email notification with the new license suggestion. After the submission has been reviewed and approved, the license will show up on the page.

I hope that many of you will use this new feature! 🙂

License Whitelist

How do you ensure the license policy of your company in your projects? You don’t? VersionEye is here to help you.

We just released a new feature, the “License Whitelists”. The idea behind this feature is that you put Licenses on a Whitelist and VersionEye notifies you as soon as there is a software component in your project which violates your Whitelist.

Just navigate to one of your projects on VersionEye, to the License Tab. Above the License table you will notice a new list. Here you can assign a License Whitelist to your project.

By default there is no License Check, and if you are seeing this for the first time you don’t have a License Whitelist yet. You can click the “Manage Whitelists” button to create a new License Whitelist for your account.

You can create as many License Whitelists as you want. By clicking on a License Whitelist you can add Licenses to it or remove them from it.

The autocomplete function suggests Licenses from the more than 300 SPDX Licenses. When you are done creating your License Whitelist, navigate back to your project, to the License Tab, and select the Whitelist which you would like to enforce in your project. After clicking the save button, the page will reload and you will see something like this.

Software components whose Licenses are on the selected License Whitelist are marked green. Components whose Licenses are not on the License Whitelist are marked red.
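As an added example (not VersionEye’s own code), here is the green/red check just described, evaluated against the “default_lwl” list from the first post. How to treat dual-licensed components (“A OR B”), combined licenses (“A AND B”) and components with no recognised license is my assumption, not something the posts specify: any whitelisted alternative passes, every part of an AND must pass, and an unknown license is always red.

```python
# The "default_lwl" whitelist exactly as listed in the first post above.
DEFAULT_LWL = {
    "Apache-1.0", "Apache-1.1", "Apache-2.0", "BSD", "BSD-2-Clause",
    "BSD-3-Clause", "BSD-4-Clause", "BSD-4-Clause-UC", "CC0", "CC0-1.0",
    "ISC", "MIT", "Public Domain", "WTFPL",
}

def license_allowed(expr, whitelist=DEFAULT_LWL):
    """Evaluate a flat SPDX-style license expression against the whitelist.

    "A OR B" passes if any alternative is whitelisted (the consumer may pick
    either); "A AND B" only passes if every part is. Splitting on OR first
    gives AND the higher precedence, as SPDX defines. Parentheses are not
    handled (assumption: flat expressions only). An empty or unknown license
    never passes: a dependency whose license is unknown cannot be shown to
    comply, so it is flagged for review rather than silently accepted.
    """
    if not expr or expr.strip().lower() in {"unknown", "nuget unknown"}:
        return False
    if " OR " in expr:
        return any(license_allowed(p, whitelist) for p in expr.split(" OR "))
    if " AND " in expr:
        return all(license_allowed(p, whitelist) for p in expr.split(" AND "))
    return expr.strip() in whitelist

def check_project(dependencies, whitelist=DEFAULT_LWL):
    """Return {component: "green" | "red"}, mirroring the License Tab colouring."""
    return {name: ("green" if license_allowed(lic, whitelist) else "red")
            for name, lic in dependencies.items()}

# Constructed sample manifest (component -> declared license); not real project data.
SAMPLE_DEPS = {
    "requests": "Apache-2.0",
    "gpkit": "MIT",
    "dual-licensed-lib": "GPL-2.0-only OR MIT",
    "copyleft-lib": "GPL-3.0-only",
    "mixed-lib": "MIT AND LGPL-2.1-only",
    "unlabelled-lib": "",
}

if __name__ == "__main__":
    for name, colour in check_project(SAMPLE_DEPS).items():
        print(f"{colour:5s} {name}: {SAMPLE_DEPS[name] or '<no license>'}")
```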

Now VersionEye sends you email notifications about License Whitelist violations in your project, by default once a week, but you can even change it to once a day.

This is especially useful if you work in a team. Software Developers don’t care so much about Licenses; they care much more about features. They can pull in new software components every day, and without a tool you don’t even know if they use a component with a “bad” software license. With VersionEye you get notified about License violations and you can react very quickly. If you choose so, you get email notifications every day. The email would look like this.

If there is no violation of the License Whitelist, you don’t get the email. If you don’t hear anything from VersionEye then everything is good 😉

License Normalization

There are different ways to write a License name. Some developers write “Apache 2”, some write “The Apache 2.0” and somebody else might write “The Apache License 2.0”. VersionEye does a lot of normalization in the background and recognizes all these differently written license names as “Apache License 2.0”. And VersionEye always shows you the normalized name in the Web Interface.
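As an added example (not VersionEye’s normalizer), here is one way to do this kind of normalization: free-form names are reduced to a license family plus a version, and the three Apache spellings from the paragraph above all collapse to one identifier. It emits SPDX short identifiers such as “Apache-2.0”, the form the whitelist posts use, rather than the display name “Apache License 2.0”; the family table and noise-word list are my assumptions and cover only a handful of common licenses.

```python
import re

# License families the normalizer knows, mapped to their SPDX prefix. Constructed for this
# example; a production table would be far larger.
FAMILIES = {"apache": "Apache", "mit": "MIT", "isc": "ISC", "bsd": "BSD",
            "mpl": "MPL", "mozilla": "MPL", "lgpl": "LGPL", "agpl": "AGPL", "gpl": "GPL"}
# Filler words that say nothing about which license is meant.
NOISE = {"the", "license", "licence", "licensed", "version", "under", "software", "public", "general"}

def normalize_license_name(raw):
    """Map a free-form license name to an SPDX-style short identifier.

    "Apache 2", "The Apache 2.0" and "The Apache License 2.0" all become "Apache-2.0".
    Returns None when no known family is recognised, so the caller can keep the artefact
    as "unknown license" instead of guessing. Suffixes such as "-only"/"-or-later" are
    not modelled here (assumption: family plus version is enough for this example).
    """
    text = re.sub(r"v(?=\d)", " ", raw.lower().replace("_", " "))   # "GPLv2" -> "gpl 2"
    m = re.search(r"(\d+)(?:\.(\d+))?", text)
    version = f"{m.group(1)}.{m.group(2) or '0'}" if m else None      # "2" -> "2.0"
    words = [w for w in re.findall(r"[a-z]+", text) if w not in NOISE]
    family = next((FAMILIES[w] for w in words if w in FAMILIES), None)
    if family is None and "gnu" in words:    # "GNU General Public License v3" has no "gpl" token
        family = "LGPL" if "lesser" in words else "AGPL" if "affero" in words else "GPL"
    if family is None:
        return None
    if family == "BSD":                      # BSD variants differ by clause count, not version
        m = re.search(r"(\d)\s*-?\s*clause", text) or re.search(r"bsd\s*-?\s*(\d)", text)
        return f"BSD-{m.group(1)}-Clause" if m else "BSD"
    if family in ("MIT", "ISC"):             # unversioned licenses
        return family
    return f"{family}-{version}" if version else family

if __name__ == "__main__":
    for name in ("Apache 2", "The Apache 2.0", "The Apache License 2.0", "GPLv2", "BSD 3-Clause"):
        print(f"{name!r:28} -> {normalize_license_name(name)}")
```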