G.1.2 Software license conflict
Control Details
Objective
Software licenses that conflict with the organization's policies are identified.
Definition
Software licenses may or may not allow certain types of usage, may contain distribution requirements or limitations, or may require specific action if the software is modified. Risk increases if the licenses of components conflict with the organization's policies. Software licenses should be documented and tracked so that the users and uses of each license can be traced to access control information and processes, in accordance with software usage restrictions. License metadata should be recorded during the build and made available in the SBOM.
Assessment Questions
- How do you check that the software licenses for tools or third party components comply with your organization's use policies?
- What tools, if any, do you use to automate the license check process?
- How do you document and track users and uses of software licenses relative to access control policies and software usage restrictions?
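As an added illustration of the automated check the questions above ask about (not part of this framework), the script below reads license metadata from an SBOM and flags components whose declared license is not on the organization's allow-list; the CycloneDX-style SBOM fragment and the allow-list are constructed sample data, and the SPDX expression handling is a deliberate simplification (OR of AND terms, no parentheses).

```python
import json

# Constructed CycloneDX-style SBOM fragment (sample data, not a real project).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "libfoo", "version": "1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "libbar", "version": "3.0.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "libbaz", "version": "0.9.0", "licenses": [{"expression": "Apache-2.0 OR MIT"}]},
    {"name": "libqux", "version": "2.2.2"}
  ]
}"""

# Hypothetical policy: SPDX identifiers the organization permits in shipped code.
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}

def expression_allowed(expr, allowed):
    """Evaluate a simple SPDX expression: any OR-alternative whose AND-terms are all allowed."""
    for alternative in expr.split(" OR "):
        if all(term.strip() in allowed for term in alternative.split(" AND ")):
            return True
    return False

def component_status(comp, allowed):
    """Return None if the component complies with policy, otherwise a reason string."""
    entries = comp.get("licenses", [])
    if not entries:
        # Missing metadata is itself a finding: the build did not record a license.
        return "no license metadata recorded in SBOM"
    for entry in entries:
        if "expression" in entry:
            if not expression_allowed(entry["expression"], allowed):
                return f"expression '{entry['expression']}' not permitted"
        else:
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name") or "UNKNOWN"
            if ident not in allowed:
                return f"license '{ident}' not permitted"
    return None

def find_conflicts(sbom_text, allowed=ALLOWED):
    """Map 'name@version' to the policy conflict for every non-compliant component."""
    sbom = json.loads(sbom_text)
    conflicts = {}
    for comp in sbom.get("components", []):
        reason = component_status(comp, allowed)
        if reason:
            conflicts[f"{comp['name']}@{comp.get('version', '?')}"] = reason
    return conflicts

if __name__ == "__main__":
    for comp, reason in find_conflicts(SBOM_JSON).items():
        print(f"CONFLICT {comp}: {reason}")
```

Run against a real SBOM, the conflict map is the list of components to escalate for a policy decision or replacement before release.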
Reference sources
- 800-161 CM-10
- OWASP-SCVS 2.14, 2.15, 5.12
- S2C2F SCA-2
- CNCF-SSC AU: Scan software for license implications; M-A: Managing software licenses
- OSPS OSPS-LE-02, OSPS-LE-03