Open-source software license categories - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-10
Category: Administrator Guide

Open-source software licenses define the terms under which open-source software can be used, modified, and distributed. In Cortex Cloud Application Security, licenses are scanned as part of the SCA vulnerability scan for open-source packages. Every Critical, High, or Medium license non-compliance finding detected in an open-source package within an organization's environment is recorded as an issue. This enables structured vulnerability management and focused remediation. Where applicable, manual and automated fixes are provided.

Cortex Cloud Application Security offers three default license categories out of the box, providing comprehensive coverage for managing license compliance within your environment:

  • Non-Permissive Licenses (High severity)

  • Strong Copyleft Licenses (High severity)

  • Weak Copyleft Licenses (Medium severity)

Within each license category, SPDX identifiers are grouped according to the characteristics and attributes of the licenses they denote. SPDX identifiers are unique codes assigned to software licenses by the Software Package Data Exchange (SPDX) project. They are used to categorize and accurately identify software packages distributed under the various license types, including strong copyleft, weak copyleft, and non-permissive licenses. Associating each software package with a specific SPDX identifier makes it easier to track and manage license compliance across different licensing policies, ensuring that the correct license type is identified and adhered to.
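As an added illustration, not Cortex Cloud's own code, the following Python maps package licenses to the three categories and issue severities listed above and evaluates SPDX license expressions, so that a dual license with a permissive branch (OR) raises no issue while a combined license (AND) takes its most restrictive term. The identifier table, the "Unclassified" handling of unrecognised identifiers, and the package manifest are constructed assumptions, not the product's supported lists.

```python
import re

# Constructed sample of SPDX identifier -> category; NOT the product's supported lists.
CATEGORY = {
    "GPL-2.0-only": "strong_copyleft", "LGPL-2.1-only": "weak_copyleft",
    "CC-BY-NC-4.0": "non_permissive", "MIT": "permissive", "Apache-2.0": "permissive",
}
# category -> (restrictiveness rank, issue severity); severities follow this page,
# permissive raises no issue, and unrecognised identifiers rank as most restrictive.
INFO = {"permissive": (0, None), "weak_copyleft": (1, "Medium"),
        "strong_copyleft": (2, "High"), "non_permissive": (3, "High"),
        "unknown": (4, "Unclassified")}

def effective_category(expr):
    """Effective category of an SPDX expression (AND binds tighter than OR)."""
    toks = re.findall(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+", expr)
    pos = 0

    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            cat, pos = disjunction(), pos + 1  # consume the matching ")"
            return cat
        if pos < len(toks) and toks[pos] == "WITH":
            pos += 2  # skip "WITH <exception>"; an exception does not change the category
        return CATEGORY.get(tok, "unknown")

    def level(op, sub, pick):  # left-associative operator at one precedence level
        nonlocal pos
        cat = sub()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            cat = pick(cat, sub(), key=lambda c: INFO[c][0])
        return cat

    conjunction = lambda: level("AND", atom, max)   # every term applies: most restrictive
    disjunction = lambda: level("OR", conjunction, min)  # consumer may pick least restrictive
    return disjunction()

def license_issues(manifest):
    """(name, version, expr, category, severity) for every package that raises an issue."""
    rows = [(n, v, e, effective_category(e)) for n, v, e in manifest]
    return [(n, v, e, c, INFO[c][1]) for n, v, e, c in rows if INFO[c][1]]

SAMPLE_MANIFEST = [  # constructed sample, not real package data
    ("pkg-a", "1.0.0", "Apache-2.0"),
    ("pkg-b", "0.9.0", "MIT OR GPL-2.0-only"),           # dual-licensed; MIT branch available
    ("pkg-c", "4.1.0", "MIT AND LGPL-2.1-only"),         # both terms apply
    ("pkg-d", "1.2.0", "(MIT OR Apache-2.0) AND CC-BY-NC-4.0"),
    ("pkg-e", "0.1.0", "GPL-2.0-only WITH Classpath-exception-2.0"),
    ("pkg-f", "3.0.0", "Custom-Proprietary-1.0"),        # not in the table
]
```

Running `license_issues(SAMPLE_MANIFEST)` reports pkg-c (Medium), pkg-d and pkg-e (High), and pkg-f (Unclassified); pkg-a and pkg-b raise nothing because a permissive branch is available.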

Non-permissive licenses

Non-permissive license policies identify software packages distributed under non-permissive or restrictive licenses. These licenses restrict how you can use, modify, and distribute the software. They may limit your ability to integrate the software into certain projects or require you to purchase a commercial license for specific uses.

Non-permissive SPDX identifiers

The following list displays supported SPDX identifiers for non-permissive licenses.

Strong copyleft licenses

Strong copyleft license policies identify software packages distributed under strong copyleft licenses, such as the GNU General Public License (GPL). These licenses require derivative works to be distributed under the same copyleft license terms as the original work, which preserves broad access and modification rights for downstream users.

Strong copyleft SPDX identifiers

The following list displays supported SPDX identifiers for strong copyleft licenses.

Weak copyleft licenses

Weak copyleft license policies identify software packages distributed under weak copyleft licenses. These licenses permit combining the code with code under other licenses, including proprietary licenses, without requiring the entire derivative work to be released under the same copyleft license.

Weak copyleft SPDX identifiers

The following list displays supported SPDX identifiers for weak copyleft licenses.