Mend SCA OSS Licenses FAQ
Disclaimer: Mend does not provide legal guidance. For guidance regarding software licensing and to ensure license compliance, please consult with a qualified legal expert.
Why do some libraries have more than one license?
Libraries can be released under multiple licenses. Some projects offer an alternative license choice (e.g., ‘GPL-2.0-only or Commercial’). In such cases, you may comply with one selected license. Other projects contain multiple files/submodules under different licenses; in those cases, you must comply with each license applicable to the parts you use or distribute. A qualified legal expert should be consulted to evaluate the specifics of the licenses associated with the library.
Why does Mend flag GPL-licensed dependencies used only at design time?
Mend reports all detected dependencies, regardless of whether they are used at design time or at runtime. Legal obligations (e.g., copyleft source-code obligations) generally depend on how you use and distribute your software (e.g., shipping binaries, offering AGPL software over a network). Consult legal counsel to determine whether a flagged dependency creates obligations in your specific delivery model (e.g., on-premise distribution vs. SaaS). For information on how to exclude dev/test dependencies via CLI/Unified Agent configuration, see the section ‘How can I remove unwanted libraries from the SBOM scan without marking them as in-house’ below.
What should I do if no license is listed for a library?
A status of "No License Listed" or "Requires Review" may occur in the following scenarios:
Mend is unable to identify the library.
This may be due to the library being an in-house component or an open-source package that has been modified.
Mend was unable to locate a license when the library was added to our knowledge base.
If the library is in-house:
Mark it as a proprietary or in-house library.
Comments can be added to libraries when manually marking them as proprietary or in-house. This field can be used to record internal legal review notes so that they are kept within the Mend Platform.
If the library is a modified open-source package:
Manually add the original LICENSE/NOTICE files to the library.
Review the original license and ensure compliance.
Important Note: Not all open-source licenses permit modification.
If the library is an unmodified open-source package:
Investigate the library and manually assign the license.
If the library genuinely lacks a license:
If no open-source license applies, copyright law reserves rights to the author by default; you generally may not use, modify, or distribute the code in your product without explicit permission. It is therefore recommended to treat such components as not permitted unless and until you obtain a license or replace them.
Why does Mend flag licenses for transitive dependencies?
Transitive dependencies can create obligations. They are still part of your software and are used by your application, so your application must still comply with the licenses of the transitive libraries.
The scope varies by license family:
Permissive (e.g., MIT/BSD/Apache-2.0): often attribution/NOTICE when distributing.
Weak copyleft (e.g., LGPL/MPL): obligations often relate to modifications of library files and ability to relink/reuse.
Strong copyleft (e.g., GPL): source-availability obligations when distributing combined works.
Network copyleft (e.g., AGPL): source-availability may be required when offering the AGPL program over a network, even without binary distribution.
How can I remove unwanted libraries from the SBOM scan without marking them as in-house?
SBOMs are evidence artifacts; removal should be exceptional. Where legally appropriate, prefer excluding a library from policy enforcement/reporting rather than deleting it from the SBOM.
Marking a library as in-house in the Mend platform does not remove it from the Software Bill of Materials (SBOM); instead, it is marked as "proprietary" in the report. Currently, there is no option in the Mend UI to remove a library from the inventory.
To properly remove unwanted libraries while keeping SBOM integrity intact, consider the following approaches:
Use the package manager settings to skip dev scopes.
The Mend CLI and Unified Agent allow you to exclude specific paths (e.g., /test/, /examples/).
By default, the Mend CLI excludes development dependencies.
Prune unused dependencies and stale lock files.