License Policies

License policies identify legal and compliance risks in the open-source and third-party components used by your applications. These policies check the license information in your dependencies and highlight packages that do not meet your organization’s security or compliance standards.

This article describes the policies in this category, their configuration options, and the impact of policy violations. For an overview of policies and policy management, see the Policies article.

What is an approved license

There are two license types:

  • Approved: Licenses that you allow in your organization. They are either part of the OX default list, or you added them to the organization's approved list of licenses.

  • Not Approved: Licenses that are either not approved in the OX default list, or that you added to the organization's list of unapproved licenses. When a license is not approved, OX generates a license issue in Active Issues.

IMPORTANT: OX only classifies licenses that are in the Approved list as approved. Licenses that are not in the Approved list are not approved.

View and manage license policies

  1. Open the Policies page and select the SBOM category.

  2. Select a license policy to view the license details.

Unapproved license used by direct dependency in code

Purpose: Detect direct code dependencies that use licenses not approved by the organization.

Business impact: Unapproved licenses can create legal and compliance risk. Certain licenses impose obligations such as source code disclosure or usage restrictions. Non-compliance can result in copyright claims or enforced license terms, as U.S. courts recognize open-source licenses as legally binding.

Item / Setting: Description

Severity (dropdown): Change the severity as needed.

ON/OFF (toggle): Enable/disable the policy.

Policy text: A description of the implications of using unauthorized licenses for the policy. The description is also available in the tooltip.

Optional features: Activate the checkboxes to enable the features.

  • Generate issue for library with N/A licenses: When enabled, an issue is created for libraries that have no license information.

  • Ignore Application Business Priority for severity calculation: When enabled, the severity of an issue is not affected by the Application Business Priority.

Approved licenses

Click to open and view all approved licenses. Scroll as needed.

The licenses use the standard format SPDX. The list includes the OX default list. Users can add or remove licenses.

OX classifies licenses that are not included in the Approved list as not approved.

To add a license:

  1. Click Add and type the exact license name in SPDX format.

  2. From the page header, click SAVE.

To remove a license:

  • Click X, then click SAVE.

Unapproved licenses

This section gives visibility of licenses that are not approved.

To add a license:

  1. Click Add and type the exact license name. The name must be in SPDX format.

  2. From the page header, click SAVE.

To move a license to the Approved list:

  1. Delete from the Unapproved list and add to the Approved list.

  2. From the page header, click SAVE.

To remove a license:

  • Click X, then click SAVE.

Unapproved license used by indirect dependency in code

Purpose: Detect transitive (indirect) dependencies that use licenses not approved by the organization.

Business impact: Indirect dependencies with unapproved licenses can introduce hidden legal exposure. These licenses may require source disclosure or impose redistribution limits without direct developer awareness. Failure to address them can lead to copyright infringement or enforced compliance actions.

Item / Setting: Description

Severity (dropdown): Change the severity as needed.

ON/OFF (toggle): Enable/disable the policy.

Policy text: A description of the implications of using unauthorized licenses for the policy. The description is also available in the tooltip.

Optional features: Activate the checkboxes to enable the features.

  • Generate issue for library with N/A licenses: When enabled, an issue is created for libraries that have no license information.

  • Ignore Application Business Priority for severity calculation: When enabled, the severity of an issue is not affected by the Application Business Priority.

Approved licenses

Click to open and view all approved licenses. Scroll as needed.

The licenses use the standard format SPDX. The list includes the OX default list. Users can add or remove licenses.

OX classifies licenses that are not included in the Approved list as not approved.

To add a license:

  1. Click Add and type the exact license name in SPDX format.

  2. From the page header, click SAVE.

To remove a license:

  • Click X, then click SAVE.

Unapproved licenses

To add a license:

  1. Click Add and type the exact license name. The name must be in SPDX format.

  2. From the page header, click SAVE.

To move a license to the Approved list:

  1. Delete from the Unapproved list and add to the Approved list.

  2. From the page header, click SAVE.

To remove a license:

  • Click X, then click SAVE.
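As an added illustration (not OX's own code), the following Python sketch applies the rule shared by the two dependency policies above: a license is approved only if its exact, case-sensitive SPDX identifier is on the Approved list, packages with no license information are reported only when the N/A option is enabled, and direct and transitive dependencies are reported under their respective policies. The inventory and the allowlist are constructed sample data.

```python
# Constructed sample inventory, in the shape an SBOM provides: package name,
# SPDX license identifier (None = no license information) and whether the
# package is a direct or a transitive (indirect) dependency.
INVENTORY = [
    {"name": "http-client", "license": "Apache-2.0", "direct": True},
    {"name": "report-gen", "license": "GPL-3.0-only", "direct": True},
    {"name": "tiny-util", "license": None, "direct": False},
    {"name": "db-driver", "license": "AGPL-3.0-only", "direct": False},
    {"name": "color-lib", "license": "mit", "direct": False},  # wrong case, not "MIT"
]

# Constructed organization allowlist: exact SPDX identifiers, case-sensitive.
APPROVED = {"MIT", "Apache-2.0", "BSD-3-Clause"}

DIRECT_POLICY = "Unapproved license used by direct dependency in code"
INDIRECT_POLICY = "Unapproved license used by indirect dependency in code"


def classify(license_id, approved):
    """Return 'approved', 'n/a' or 'not approved' for one SPDX identifier."""
    # Only an exact match against the Approved list counts as approved; there
    # is no deny list to consult, so every other identifier is not approved.
    if not license_id:
        return "n/a"
    return "approved" if license_id in approved else "not approved"


def evaluate(inventory, approved, flag_na_licenses=False):
    """Return one issue per violating package, tagged with the policy that fires."""
    # flag_na_licenses mirrors "Generate issue for library with N/A licenses":
    # when False, packages with no license information produce no issue.
    issues = []
    for pkg in inventory:
        verdict = classify(pkg["license"], approved)
        if verdict == "approved" or (verdict == "n/a" and not flag_na_licenses):
            continue
        issues.append({
            "package": pkg["name"],
            "license": pkg["license"] or "N/A",
            "policy": DIRECT_POLICY if pkg["direct"] else INDIRECT_POLICY,
        })
    return issues


if __name__ == "__main__":
    for issue in evaluate(INVENTORY, APPROVED, flag_na_licenses=True):
        print(f"{issue['policy']}: {issue['package']} ({issue['license']})")
```

Note that "mit" is reported even though MIT is approved: the match is against the exact SPDX identifier, which is why the Approved list must be typed in SPDX format.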

Unapproved license detected by 3rd party security app

Purpose: Detect third-party components flagged by an integrated security tool as using unapproved licenses.

Business Impact: Unapproved licenses can violate internal licensing policies and external legal requirements. They may force code changes, restrict distribution, or trigger contractual disputes. Unresolved violations can result in financial penalties or operational disruption.

Item / Setting: Description

Severity (dropdown): Change the severity as needed.

ON/OFF (toggle): Enable/disable the policy.

Policy text: A description of the implications of using unauthorized licenses for the policy. The description is also available in the tooltip.

Optional features: Ignore Application Business Priority for severity calculation. When enabled, the severity of an issue is not affected by the Application Business Priority.

Unapproved license used in forked open source

Purpose: Detect forked open-source components that use licenses not approved by the organization.

Business impact: Forked projects with unapproved licenses can introduce compliance gaps if license terms change or differ from the original source. These issues can lead to legal disputes, mandatory remediation, or restrictions on software use and distribution.

Item / Setting: Description

Severity (dropdown): Change the severity as needed.

ON/OFF (toggle): Enable/disable the policy.

Policy text: A description of the implications of using unauthorized licenses for the policy. The description is also available in the tooltip.

Optional features: Ignore Application Business Priority for severity calculation. When enabled, the severity of an issue is not affected by the Application Business Priority.

Approved licenses (SPDX format): Click Add to add additional licenses (case sensitive). Click X to remove. Save changes.

Approved licenses by deployment type: Use the Enabled checkboxes to apply the setting. Click Add to add additional licenses (case sensitive). Click X to remove. Save changes.

View license policy issues

When a license policy detects a nonconformity, OX creates an issue. You can view license-related issues on the Active Issues and SBOM pages.

To view license issues on the Active Issues page:

  • Open the Active Issues page and select the relevant Unapproved license option from the Policy filter.

To view license issues in SBOM:

  • Open the SBOM page and select Unapproved Licenses in the Issues filter to view libraries with violations.

When you change a policy’s severity, ON/OFF toggle or any other setting, you must save the current profile or create a new one.

  • To save the current profile, click SAVE in the page header.

  • To create a new profile, click SAVE AS in the page header. For instructions, see the section Create or edit policy profiles in the Policies article.
