Misc. License Issues

Severity

Medium

Short Description

(Experimental) A package's licensing information has fine-grained problems.

Packages

View packages with this alert.

Suggestion

Consult the alert's description and location information for details on which file or field could not be parsed.

Information

The Misc. License Issues alert is triggered when Socket encounters a specific problem during the license analysis process, most commonly when the system detects the presence of license information in a file (such as a manifest file) but is unable to properly parse or read it. This can happen for a variety of reasons, including:

  • Corrupted or Malformed Files: A manifest file, such as package.json, pyproject.toml, or another configuration file, may be corrupted, incorrectly formatted, or incomplete, preventing accurate parsing.
  • Unconventional or Custom Licensing Formats: Sometimes developers may write licenses in a way that deviates from typical standards or use non-standard language, making it difficult for automated tools to correctly interpret the license terms.
  • Obfuscated or Encrypted License Data: In rare cases, the license may be included in an obfuscated or encrypted file, further complicating the parsing process.
  • License Spanning Multiple Files: License information might be spread across multiple files or locations, making it hard to collect all the necessary details from one location.

Packages are most commonly flagged with this alert for complex or obscure licensing language: the license is written in a highly specific way that does not match any common pattern. The alert may also be triggered by file structure issues, such as the file containing the license being incorrectly formatted or missing key sections.

Dependencies with licensing issues introduce uncertainty around license compliance, potential legal risks, and delayed issue resolution.

Recommended actions

  1. Manual Review: Manually inspect the manifest or license files to see if you can identify any formatting issues or missing information. This will help determine if the problem is something that can be quickly resolved.
  2. Reach Out to the Package Maintainer: If the issue persists and you cannot resolve it yourself, reaching out to the package maintainer for clarification or corrections may be necessary.
  3. Consider Replacing the Dependency: If the license cannot be parsed or the terms are unclear, it may be safer to replace the dependency with one that has a clear and well-understood license.

Examples

In this example, the package was flagged because its npm registry entry carries license metadata that could not be parsed: the license field is not a valid SPDX expression, so it cannot be interpreted as license data.
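The manual review step above and the example just given both come down to the same check: read the manifest, confirm the license field is present and in a form npm documents, and, if it is a string, confirm it is a well-formed SPDX expression. The following is an added example (not Socket's code and not how Socket's analyser is implemented) that performs that check on constructed package.json samples. The SPDX license and exception lists are a small hand-picked subset assumed for the demo; a real checker would load the full SPDX license list, and it only recognises upper-case AND/OR/WITH operators, which is a simplification of the SPDX grammar.

```javascript
// Added example: review a package.json license field the way a manual check would.
// KNOWN_LICENSES / KNOWN_EXCEPTIONS are a constructed subset of the SPDX list (assumption).
const KNOWN_LICENSES = new Set([
  'MIT', 'ISC', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause',
  'GPL-2.0-only', 'GPL-2.0-or-later', 'GPL-3.0-only', 'GPL-3.0-or-later',
  'LGPL-2.1-only', 'MPL-2.0', 'Unlicense',
]);
const KNOWN_EXCEPTIONS = new Set(['Classpath-exception-2.0', 'LLVM-exception']);

// Split an SPDX expression into parentheses, operators and identifiers.
function tokenize(expr) {
  return expr.match(/\(|\)|[^\s()]+/g) || [];
}

// Recursive-descent parser for the SPDX expression grammar:
//   or := and ('OR' and)*   and := with ('AND' with)*
//   with := primary ('WITH' exception-id)?   primary := '(' or ')' | license-id ['+']
// Returns a small tree on success and throws an Error naming the first problem found.
function parseSpdx(expr) {
  const tokens = tokenize(expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function primary() {
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (tok === '(') {
      const node = orExpr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return node;
    }
    if (tok === ')' || tok === 'AND' || tok === 'OR' || tok === 'WITH') {
      throw new Error(`unexpected token "${tok}"`);
    }
    const orLater = tok.endsWith('+');
    const id = orLater ? tok.slice(0, -1) : tok;
    // LicenseRef-* identifiers are the SPDX escape hatch for custom licenses.
    if (!KNOWN_LICENSES.has(id) && !/^LicenseRef-[A-Za-z0-9.-]+$/.test(id)) {
      throw new Error(`unknown license identifier "${tok}"`);
    }
    return { license: id, orLater };
  }
  function withExpr() {
    const node = primary();
    if (peek() !== 'WITH') return node;
    next();
    const exc = next();
    if (!KNOWN_EXCEPTIONS.has(exc)) throw new Error(`unknown exception "${exc}"`);
    return { ...node, exception: exc };
  }
  function andExpr() {
    let left = withExpr();
    while (peek() === 'AND') { next(); left = { conjunction: [left, withExpr()] }; }
    return left;
  }
  function orExpr() {
    let left = andExpr();
    while (peek() === 'OR') { next(); left = { disjunction: [left, andExpr()] }; }
    return left;
  }

  const tree = orExpr();
  if (pos !== tokens.length) throw new Error(`unexpected token "${tokens[pos]}"`);
  return tree;
}

// Classify the license metadata of an already-parsed package.json object.
// The deprecated object form and "licenses" array are the cases npm's docs tell you to replace.
function checkPackageLicense(pkg) {
  if (Array.isArray(pkg.licenses)) {
    return { ok: false, reason: 'deprecated "licenses" array; use a single "license" SPDX string' };
  }
  const lic = pkg.license;
  if (lic === undefined || lic === null || lic === '') return { ok: false, reason: 'no "license" field' };
  if (typeof lic === 'object') return { ok: false, reason: 'deprecated "license" object form; use an SPDX string' };
  if (typeof lic !== 'string') return { ok: false, reason: `"license" has unexpected type ${typeof lic}` };
  if (lic === 'UNLICENSED') return { ok: true, kind: 'proprietary' };
  if (/^SEE LICENSE IN \S+$/.test(lic)) {
    return { ok: true, kind: 'file', file: lic.slice('SEE LICENSE IN '.length) };
  }
  try {
    return { ok: true, kind: 'spdx', expression: parseSpdx(lic) };
  } catch (e) {
    return { ok: false, reason: `invalid SPDX expression "${lic}": ${e.message}` };
  }
}

// Review raw manifest text: a malformed file is reported before the license field is examined.
function reviewManifest(text) {
  let pkg;
  try { pkg = JSON.parse(text); } catch (e) {
    return { ok: false, reason: `manifest is not valid JSON: ${e.message}` };
  }
  return checkPackageLicense(pkg);
}

// Constructed sample manifests covering the failure modes described on this page.
const SAMPLE_MANIFESTS = {
  clean: '{"name":"a","version":"1.0.0","license":"MIT"}',
  compound: '{"name":"b","version":"1.0.0","license":"(MIT OR Apache-2.0) AND GPL-2.0-only WITH Classpath-exception-2.0"}',
  invalidSpdx: '{"name":"c","version":"1.0.0","license":"MIT OR"}',
  freeText: '{"name":"d","version":"1.0.0","license":"Free for non-commercial use"}',
  legacyObject: '{"name":"e","version":"1.0.0","license":{"type":"MIT","url":"https://example.com/LICENSE"}}',
  truncated: '{"name":"f","version":"1.0.0","license":"MIT"',
};

for (const [name, text] of Object.entries(SAMPLE_MANIFESTS)) {
  const result = reviewManifest(text);
  console.log(name.padEnd(13), result.ok ? `ok (${result.kind})` : `FLAG: ${result.reason}`);
}
```

Running it prints one line per sample: the clean and compound manifests pass, while the truncated file, the free-text license, the dangling `MIT OR` and the legacy object form are each flagged with a reason, which is the information a manual review needs before deciding whether to contact the maintainer or replace the dependency.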

Detection Method

The Misc. License Issues alert covers miscellaneous problems that arise during license analysis. It is most commonly raised when a file that is highly likely to contain license information, such as a manifest file, cannot be read or parsed. Rather than reporting no license information at all, Socket raises this alert when a license exists but has fine-grained problems.

Additional resources

npm - Docs for Specifying a License

Software Package Data Exchange (SPDX) - License List

OpenChain Project - Open Source License Compliance
