
Non-permissive License

Severity

Low

Short Description

(Experimental) A license not known to be considered permissive was found.

Suggestion

Determine whether use of material not offered under a known permissive license works for you.

Information

Non-permissive licenses are those that impose certain restrictions or conditions on the use, modification, or distribution of the software, unlike permissive licenses that allow nearly unrestricted use.

All copyleft licenses are non-permissive, but not the other way around. A license can be non-permissive but not copyleft if it imposes additional restrictions but does not require derivative works to be distributed under the same license terms.

Common examples are the "Creative Commons Non-Commercial" licenses, which prohibit commercial use but do not require derivative works to be distributed under the same license, and the "JSON License", which stipulates that the software shall "be used for Good, not Evil".

Recommended actions

It's important to understand the terms of any non-permissive license your project is using, because these packages can lead to legal, compliance, and usage issues. For example, if a package prohibits commercial use, integrating it into a product meant for sale could result in a license violation.

Unclear terms can introduce unwanted ambiguity, making it difficult to ascertain compliance and avoid potential legal trouble. Non-permissive licenses can also conflict with the licensing terms of other dependencies in a project, especially if those dependencies require more permissive terms.

If you find a non-permissively licensed dependency, here are some recommended actions to take:

  1. Review License Terms: Carefully read the specific license to understand its restrictions, especially concerning commercial use, distribution, and modification.
  2. Assess Compatibility: Check if the license terms align with your project's goals and compliance requirements. If not, proceed to the next steps.
  3. Consult Legal Advice: If unsure about the license implications, consult with your legal team or a specialist familiar with software licensing.
  4. Find Alternatives: Search for equivalent packages with permissive licenses (e.g., MIT, Apache 2.0) to avoid potential issues.
  5. Isolate Usage: If you must use it, isolate the dependency in a way that minimizes exposure to the rest of your project, reducing the risk of non-compliance.
  6. Document and Monitor: Keep track of the dependency, document its use, and monitor any changes in its licensing terms.

Examples

Here's an example of a package flagged as having a Non-Permissive license. In this case, it's the CC-BY-NC-2.5 license, which restricts the use of the work to non-commercial purposes, limiting how it can be used and distributed.

Detection Method

Packages flagged with this alert contain license data indicating that some portion of the package is offered ONLY under licenses which are not known to be permissive. This may be the case when a license is known to be non-permissive (for example, CC-BY-NC-ND) or when the license is simply not known to be permissive because it has not been analyzed by experts and given a classification.

If a given package is offered under a choice of more than one license and any combination can avoid non-permissive licenses, this alert will not be emitted.
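The rule above (a package is flagged only when some portion of it cannot be consumed under any known-permissive license, so a dual-licensed `MIT OR GPL-3.0-only` package passes while a `CC-BY-NC-2.5` package or an unclassified `JSON` license does not) can be expressed as a small evaluator over SPDX-style license expressions of the kind found in a package.json `license` field. The following is an added illustration, not Socket's own detection code: the `KNOWN_PERMISSIVE` allowlist and the `SAMPLE_PACKAGES` metadata are constructed for this example, and a real scanner would draw on a curated classification table and on per-file license data rather than the handful of identifiers shown here.

```javascript
// Added example (not Socket's code): decide whether package licence data
// should raise a "non-permissive licence" alert. Licences that are not on the
// allowlist are treated as "not known to be permissive", which covers both
// licences known to be restrictive (CC-BY-NC-ND) and ones never classified.
const KNOWN_PERMISSIVE = new Set([ // constructed allowlist for illustration
  'MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0', '0BSD', 'Unlicense', 'CC0-1.0',
]);

// Split an SPDX expression into parentheses, keywords (AND/OR/WITH) and identifiers.
function tokenize(expr) {
  const tokens = [];
  const re = /\(|\)|[A-Za-z0-9.+-]+/g;
  let m;
  while ((m = re.exec(expr)) !== null) tokens.push(m[0]);
  return tokens;
}

// Recursive-descent parser: OR binds loosest, AND tighter, parentheses group.
function parse(expr) {
  const tokens = tokenize(expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const isKeyword = (tok, kw) => tok !== undefined && tok.toUpperCase() === kw;

  function parseOr() {
    let node = parseAnd();
    while (isKeyword(peek(), 'OR')) { next(); node = { op: 'OR', left: node, right: parseAnd() }; }
    return node;
  }
  function parseAnd() {
    let node = parsePrimary();
    while (isKeyword(peek(), 'AND')) { next(); node = { op: 'AND', left: node, right: parsePrimary() }; }
    return node;
  }
  function parsePrimary() {
    const tok = next();
    if (tok === undefined) throw new Error(`unexpected end of expression: ${expr}`);
    if (tok === '(') {
      const inner = parseOr();
      if (next() !== ')') throw new Error(`missing ')' in: ${expr}`);
      return inner;
    }
    if (tok === ')' || ['AND', 'OR', 'WITH'].includes(tok.toUpperCase())) {
      throw new Error(`unexpected token '${tok}' in: ${expr}`);
    }
    let id = tok;
    if (isKeyword(peek(), 'WITH')) { // "licence WITH exception" stays one identifier
      next();
      const exception = next();
      if (exception === undefined) throw new Error(`missing exception after WITH in: ${expr}`);
      id = `${id} WITH ${exception}`;
    }
    return { op: 'ID', id };
  }

  const root = parseOr();
  if (pos !== tokens.length) throw new Error(`trailing tokens in: ${expr}`);
  return root;
}

// Can a consumer satisfy this expression using only known-permissive licences?
// OR: any branch suffices.  AND: every conjunct must be permissive.
// Unknown identifiers fail, because "not known to be permissive" is the default.
function canBeConsumedPermissively(node) {
  switch (node.op) {
    case 'ID':  return KNOWN_PERMISSIVE.has(node.id.replace(/\+$/, ''));
    case 'OR':  return canBeConsumedPermissively(node.left) || canBeConsumedPermissively(node.right);
    case 'AND': return canBeConsumedPermissively(node.left) && canBeConsumedPermissively(node.right);
    default:    throw new Error(`unknown node type ${node.op}`);
  }
}

// One expression per licensed portion of the package (e.g. the package.json
// "license" field plus per-file headers). The alert fires if ANY portion can
// only be used under non-permissive terms; a choice that avoids them is fine.
function nonPermissiveAlert(licenseExpressions) {
  const offending = licenseExpressions.filter((expr) => !canBeConsumedPermissively(parse(expr)));
  return { alert: offending.length > 0, offending };
}

// Constructed sample metadata, not real package data.
const SAMPLE_PACKAGES = {
  'cc-nc-example':  ['CC-BY-NC-2.5'],           // whole package non-commercial  -> alert
  'dual-licensed':  ['(MIT OR GPL-3.0-only)'],  // consumer may pick MIT         -> no alert
  'mixed-portions': ['MIT', 'CC-BY-NC-ND-4.0'], // one portion only under NC-ND  -> alert
  'unclassified':   ['JSON'],                   // not classified as permissive  -> alert
  'both-required':  ['Apache-2.0 AND MIT'],     // both conjuncts permissive     -> no alert
};

function scanSamplePackages() {
  const results = {};
  for (const [name, exprs] of Object.entries(SAMPLE_PACKAGES)) {
    results[name] = nonPermissiveAlert(exprs).alert;
  }
  return results;
}

console.log(scanSamplePackages());
```

Two design points carry over to any real implementation: unknown identifiers must fail closed (the absence of a classification is exactly the "not known to be permissive" case the alert is meant to surface), and malformed expressions must raise rather than silently evaluate to "permissive", since a typo in a `license` field should not suppress the alert.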

Additional resources

GNU Licenses - Various Licenses and Comments About Them

Creative Commons - About the Licenses

Choose a License - Information on Open Source Licenses

Open Source Initiative - OSI-Approved Licenses

Free Software Foundation - License Compliance
