: License Compliance in Software Composition Analysis (SCA)

License Compliance in Software Composition Analysis (SCA)

Table of Contents

License Compliance in Software Composition Analysis (SCA)

Open source software licenses define how you can use, modify and distribute the open source software. Thus, when selecting an open source package to merge to your code it is imperative to understand the types of licenses and the user restrictions the package falls under, which helps you mitigate any compliance issues. On Prisma Cloud, licenses are scanned in parallel to the vulnerability scan for open source packages to understand usage restrictions. For every package license restrictions are defined either at the root package (direct dependent package) or sub-dependent package. In addition, Prisma Cloud supports an OOTB (Out-Of-The-Box) license policy (for example, BC_LIC_1) where all SPDX licenses with OSI approval are considered compliant during the scan. If a violation occurs with an unknown license, private license or the license is not a part of the approved list, then a different policy is created to monitor it (for example, BC_LIC_2). On the console you can suppress license violations or manually fix them by choosing another, compliant package.

Review license compliance violations

License violations for SCA scans are reviewed on
. You can also view the violations on DevOps including integrations of IDEs, VCS or CI/CD runs with Checkov.
  • Integrations
    You can view license compliance scan results for packages in your VCS repositories or IDE. In this example, you see the VS Code displaying licensing compliance violations in the terminal.
  • Checkov
    During your code development you can identify license compliance violations by running a Checkov scan CLI. For each CLI run, you see information on license violations with the package name, package version, policy ID, license type and status of the violation.
    In this example, you see the scan result of a Checkov CLI run for an SCA scan with information on licensing violations.
  • Projects
    Similar to the scan results of SCA package vulnerabilities, license violations are also contextualized and monitored on the Prisma Cloud console from
    Application Security > Projects
    . Here each policy violation is a single error including license compliance violations in sub-dependent packages.
    In this example, you see the scan result of a license violation with contextualized information of the vulnerability in
    Resource Explorer > Errors
    In this example, you see the scan result of a license sub-dependent violation with contextualized information in
    Resource Explorer > Details
    where you can also see the list of direct dependencies.

Suppress license compliance violations

An SCA scan policy violation can be suppressed on the console from
. Suppressing a policy absolves the next scan from identifying it through a suppression rule that must include a definitive explanation indicating why the violation is not problematic. In every suppression rule, you are required to specify the Suppression Type and Licenses Type that will have an impact on this rule.
Suppression types are of two kinds:
  • Suppress by license types: Here you define the violation to be absolved based on the specific license.
  • Suppress by package: Here you suppress any license violations for the specified package.
  1. Access
    Application Security > Projects
    and then select
  2. Access a specific license vulnerability to suppress.
  3. Add a suppression rule.
    1. Select
    2. Add a justification as a definitive explanation for suppressing the specific vulnerability.
      You can optionally add an
      Expiration Date
      for the suppression and then select
    3. Select
      Suppression Type
      You can choose to suppress a policy violation from:
      • Suppress by license types: This option ensures you define the vulnerability to be absolved based on the specific license.
      • Suppression is by package: This option ensures you define the vulnerability to be absolved across a package.
    4. Select
      License types
      License types are subjective to the open source package, where you can define the suppression only to the identified license.
      In this example, you see the package has two licenses CC-BY-3.0 and CC0-1.0. Select one or both licenses to add to the suppression rule.
    5. Select
      to save the suppression rule.
  4. Select
    to enable suppression.

Recommended For You