License Compliance in Software Composition Analysis (SCA)
Table of Contents
License Compliance in Software Composition Analysis (SCA)
Open source software licenses define how you can use, modify and distribute the open source software. Thus, when selecting an open source package to merge to your code it is imperative to understand the types of licenses and the user restrictions the package falls under, which helps you mitigate any compliance issues.
On Prisma Cloud, licenses are scanned in parallel to the vulnerability scan for open source packages to understand usage restrictions. For every package license restrictions are defined either at the root package (direct dependent package) or sub-dependent package.
In addition, Prisma Cloud supports an OOTB (Out-Of-The-Box) license policy (for example, BC_LIC_1) where all SPDX licenses with OSI approval are considered compliant during the scan. If a violation occurs with an unknown license, private license or the license is not a part of the approved list, then a different policy is created to monitor it (for example, BC_LIC_2).
On the console you can suppress license violations or manually fix them by choosing another, compliant package.
Review license compliance violations
License violations for SCA scans are reviewed on
Projects
. You can also view the violations on DevOps including integrations of IDEs, VCS or CI/CD runs with Checkov.- IntegrationsYou can view license compliance scan results for packages in your VCS repositories or IDE. In this example, you see the VS Code displaying licensing compliance violations in the terminal.
- CheckovDuring your code development you can identify license compliance violations by running a Checkov scan CLI. For each CLI run, you see information on license violations with the package name, package version, policy ID, license type and status of the violation.In this example, you see the scan result of a Checkov CLI run for an SCA scan with information on licensing violations.
- ProjectsSimilar to the scan results of SCA package vulnerabilities, license violations are also contextualized and monitored on the Prisma Cloud console fromApplication Security > Projects. Here each policy violation is a single error including license compliance violations in sub-dependent packages.In this example, you see the scan result of a license violation with contextualized information of the vulnerability inResource Explorer > Errors.
In this example, you see the scan result of a license sub-dependent violation with contextualized information inResource Explorer > Detailswhere you can also see the list of direct dependencies.
Suppress license compliance violations
An SCA scan policy violation can be suppressed on the console from
Projects
. Suppressing a policy absolves the next scan from identifying it through a suppression rule that must include a definitive explanation indicating why the violation is not problematic.
In every suppression rule, you are required to specify the Suppression Type and Licenses Type that will have an impact on this rule.Suppression types are of two kinds:
- Suppress by license types: Here you define the violation to be absolved based on the specific license.
- Suppress by package: Here you suppress any license violations for the specified package.
- AccessApplication Security > Projectsand then selectCategory-Licenses.
- Access a specific license vulnerability to suppress.
- Add a suppression rule.
- SelectSuppress.
- Add a justification as a definitive explanation for suppressing the specific vulnerability.
You can optionally add anExpiration Datefor the suppression and then selectApply.
- SelectSuppression Type.You can choose to suppress a policy violation from:
- Suppress by license types: This option ensures you define the vulnerability to be absolved based on the specific license.
- Suppression is by package: This option ensures you define the vulnerability to be absolved across a package.
- SelectSaveto save the suppression rule.
- SelectSubmitto enable suppression.
