Understanding Risk Score Attribution and License Analysis
Overview
This topic describes the information provided on the License Details screen (Risk Score Attribution), and License Analysis.
Risk Score Attribution
License Risk Scores
The following table contains a list of licenses with detailed copyright risk scores as provided by mend
License | Copyright Risk Score |
---|---|
Academic 3.0 | 39 |
AGPL 3.0 | 91 |
Apache 1.0 | 39 |
Apache 1.1 | 39 |
Apache 2.0 | 39 |
Apple 2.0 | 52 |
Artistic 2.0 | 65 |
Attribution Assurance | 39 |
Beerware | 39 |
Boost | 39 |
Bouncy Castle | 39 |
BSD 2 | 39 |
BSD 3 | 39 |
BSD 4 | 39 |
CC BY 1.0 | 39 |
CC BY SA 4.0 | 65 |
CDDL 1.0 | 52 |
CDDL 1.1 | 52 |
CNRI Jython | 39 |
Common Public 1.0 | 52 |
Computer Associates | 65 |
Eclipse 1.0 | 65 |
Eclipse 2.0 | 65 |
EDL 1.0 | 39 |
Educational 2.0 | 39 |
Eiffel Forum 2.0 | 39 |
Entessa | 39 |
EU DataGrid | 39 |
Frameworx 1.0 | 78 |
Golang BSD + Patents | 39 |
GPL 1.0 | 78 |
GPL 2.0 | 78 |
GPL 2.0 Classpath | 65 |
GPL 3.0 | 78 |
Historical Permission | 39 |
IBM | 39 |
Illinois/NCSA | 39 |
ISC | 39 |
LGPL 2.0 | 65 |
LGPL 2.1 | 65 |
LGPL 3.0 | 65 |
Lucent 1.02 | 39 |
Microsoft Public | 65 |
Microsoft Reciprocal | 52 |
MIT | 39 |
Mozilla 1.0 | 65 |
Mozilla 1.1 | 65 |
Mozilla 2.0 | 65 |
NUnit | 39 |
Open LDAP 2.4 | 39 |
OpenSSL | 39 |
PostgreSQL | 39 |
Public Domain | 13 |
Python 2.0 | 39 |
Ruby | 39 |
SIL Open Font 1.1 | 39 |
Unlicense | 13 |
X.Net | 39 |
Zlib | 39 |
Parameter Definitions
This table provides the possible values Mend uses to display Copyleft risk information.
Copyleft | |
Value | Description |
Full | Copyleft on modifications as well as own code that uses the OSS |
Partial | Copyleft applies only to modifications |
No | Not a Copyleft license |
This table describes the Copyright risk scores.
Copyright Risk Score | ||
Value | Description | Associated Risk |
13 | Licensee may use the code without restriction | LOW |
26 | Anyone who distributes the code must retain any attributions included in the original distribution | LOW |
39 | Anyone who distributes the code must provide certain notices, attributions and/or license terms in documentation with the software | LOW |
52 | Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge | LOW |
65 | Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. (example: LGPL) | MEDIUM |
78 | Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification. (example: GPL) | HIGH |
91 | Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero) | HIGH |
This table describes the Patent and Royalty risk scores.
Patent & Royalty Risk Score | ||
Value | Description | Associated Risk |
20 | Royalty-free and no identified patent risks | LOW |
40 | Royalty free unless litigated | LOW |
60 | No patents granted | MEDIUM |
80 | Specific identified patent risks | HIGH |
This table describes the license Linking values.
Linking | |
Value | Description |
Viral | Royalty-free and no identified patent risks |
Non-Viral | Royalty-free unless litigated |
Dynamic | No patents granted |
This table describes the Royalty values.
Royalty Free | |
Value | Description |
Yes | Royalty-free and no identified patent risks |
Conditional | Royalty-free unless litigated |
No | No patents granted |
License Analysis
Risk & Remediation
Each license has been researched in order to determine and provide the following license risk information:
Copyright Risk Score: A measure of the copyright risk.
Licensee may use code without restriction.
Anyone who distributes the code must retain any attributions included in original distribution.
Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software.
Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. (example: LGPL)
Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification. (example: GPL)
Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero)
Patent & Royalty Risk: A measure of the patent and royalty risk.
Royalty-free and no identified patent risks.
Royalty-free unless litigated.
No patents granted.
Specific identified patent risks.
Royalty Free: Some licenses explicitly grant a patent license. Some explicitly say they do not, e.g., ClearBSD. Some condition the license on not being sued by the user, and if sued the license is revoked.
Yes
No
Conditional
Copyleft: This is the main requirement of the GPL license, demanding that derivative work abide by same license of the OSS. LGPL, and several other licenses are also copyleft. This is a somewhat fluid determination but can be used as a general guideline. We indicate that our determination may be incorrect and is given AS IS.
Full: CopyLeft on modifications as well as own code that uses the OSS.
Partial: CopyLeft applies only to modifications.
No: Not a CopyLeft license.
Linking: This is the main addition of LGPL, allowing other programs to use the library through dynamic linking without infringing on the GPL license. Some other licenses allowing linking with them (dynamically or statically).
Viral: Will substantially affect the code linked to this OSS.
Non-viral: Will not affect the licensing of the linking code.
Dynamic: Dynamic linking will not infect.
OSD Compliant: Was the license reviewed and approved by the respective authority.
Open Source Initiative
GNU General Public License
Free Software Foundation
Debian Free Software Guidelines
Fedora Project
NOTE: This information is provided on an as-is basis and should be consulted with a legal advisor.
For example, LGPL 2.1 has the following risk factors:
Requirements
Mend also provides "Required Notices" information for each license in order to indicate what information must be published, specified, retained, notified, etc. along with the license text itself.
For example, the LGPL 2.1 license should be published with the following requirements: