Legal and Compliance Workflows

Note: Changes to licenses, copyrights, or notices apply at the organization level, i.e., the new license/copyright/notice will show up on the library in every project/application in which it exists.

Overview

As a Legal Compliance Manager, you may want to easily identify applications and projects with the most critical licensing risks and investigate areas where licenses are unidentified, to ensure the organization’s compliance with licensing requirements efficiently and effectively.

Notable Features

1. SBOM/Attribution Side Panel
   A side panel for SBOM and attribution data allows users to view and navigate detailed legal and compliance information efficiently.

2. License Side Panel
   A dedicated side panel for license-related details to improve accessibility and clarity.

3. Comments
   Users can add, view, and manage comments within the legal workflow, ensuring efficient collaboration and tracking.

Getting it done

The Legal section is available on the left-pane menu in the context of an Application or a Project:

Three pages are available to you within the Legal section:

1. OS Inventory - SBOM and Attribution data.

2. Proprietary - Proprietary licenses only.

3. Commercial - Commercial licenses only.

The OS Inventory Table

The OS Inventory table provides a comprehensive view of libraries and their associated licenses, copyrights, and dependencies, for efficient management of the open-source inventory.

OS Inventory Columns

1. Library – Displays the library name. Note that if a library has multiple licenses, they will be grouped together and displayed in the relevant line under the Licenses column.

2. Project – Displays the project name when viewed at the application level.

3. Violations - Displays the number of violations related to the library in question.

4. License Risk – Displays the license risk icon, reflecting the risk category (Low, Medium, High, Unknown, Requires Review) and score.

5. Licenses – Displays associated licenses.

6. Direct Libraries – Displays the number of direct libraries associated with this library.
   Hovering over the value will spawn a tooltip displaying the names of direct libraries and including a link to open the side panel on the Impact Analysis tab.

   1. If the library is direct only, it will be denoted using -.

   2. If the library is both direct and transitive, its name will be displayed (again) in the tooltip.

7. Copyrights – Displays available copyrights, with an override option.

8. Notices – Displays available notices, with an override option.

9. Language – Displays the programming language of the library.

10. Dependency – Displays the dependency type (Direct, Transitive, Direct/Transitive).

11. Author - Displays the library’s author’s name. Hidden by default.

12. Library Location - Displays the library location path. Hidden by default.
    When multiple locations exist, one is displayed in the table while the rest are displayed in the tooltip.

OS Inventory Actions

1. Multi-Select – Allows users to select multiple libraries using checkboxes.

2. Assign Licenses – Clicking this action opens the side panel on the License tab.

3. Assign Copyrights – Clicking this action opens the side panel on the Copyrights tab.

4. Mark as Proprietary – Not available as a bulk action.

5. Mark as Commercial – Not available as a bulk action.

6. Create Report - Clicking the Create Report button () at the far right allows you to generate both Dependencies Attribution and Dependencies SBOM reports from this page.
   

   

7. Export to CSV - Clicking the Export to CSV button () will export the data to a .CSV file. Note that copyrights and notices are exported as text.