🚀 DAY 5 OF LAUNCH WEEK: Introducing Socket Firewall Enterprise.Learn more
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

Unidentified License

Severity

Low

Short Description

(Experimental) Something that seems like a license was found, but its contents could not be matched with a known license.

Suggestion

Manually review the license contents.

Information

The Unidentified License alert flags packages where a license appears to be found but Socket was not able to match it with a known license. The risks and obligations of using such a license are unknown.

Having one of these packages among your dependencies may introduce legal uncertainty, compliance issues, due to hidden restrictions and potential incompatibility with other licenses.

Recommended actions

  1. Review the License Manually: Check the package's repository or manifest files (e.g., LICENSE file, package.json) to manually identify the license. This is especially important if the license is custom or uncommon.
  2. Contact the Package Author: Reach out to the package maintainer to clarify the exact terms of the license, especially if the license appears custom or unorthodox.
  3. Consult Legal Advice: If you are unable to confidently identify the license or its terms, consult legal counsel to ensure compliance with your organization’s licensing policies.
  4. Assess Risk: Consider the potential legal or compliance risk of continuing to use the package without clear licensing information. If the risk is high, you may need to take further action.
  5. Replace the Package: If uncertainty persists or the license terms are too ambiguous, consider switching to an alternative package with a more clearly defined, recognized license to avoid future complications.

Examples

Here is an example where Socket detected a file that appears to be a license but could not determine a match with a known license. The alert identifies the specific file that caused the package to be flagged.

Detection Method

In order to determine a package's licensing, Socket checks a few different sources. The main ones are (1) looking in something that's explicitly a LICENSE file, (2) looking for ecosystem-specific values in manifest files (package.jsonpyproject.toml, gemfiles, etc.), (3) checking the license metadata that is available through the package registry, and (4) looking for copyright headers in source code files.

In the case of the Unidentified License alert, a package is flagged when we were able to find something that is affirmatively license data (the presence of a LICENSE file, a license property in the package.json file, etc.) but we were unable to determine what license it is with sufficient confidence to give any additional information. The presence of a totally custom license expression in a manifest file, or the use of an unorthodox license text is a common trigger for this alert.

Additional resources

  1. Open Source Initiative - Licensing FAQ
    • This FAQ provides an overview of open-source licensing, the importance of proper licenses, and the legal risks of using unlicensed software.
  2. Software Freedom Law Center - Legal Issues in Open Source
    • A comprehensive guide on the legal issues surrounding open-source software, including the risks of using unlicensed code.
  3. Choose a License - No License
    • This page explains the implications of using software without a license and the legal uncertainties it introduces.
  4. GitHub Docs - Open Source Licensing
    • A guide on how to choose a license for your GitHub repository and why it's critical to have one.