Introducing Socket's New License Features

Socket's license data and alerts provide customers with the information they need to assess, reduce, and manage risk in their software supply chain.

Christopher Bailey

July 22, 2024

Package License Alerts and License Data: See package license information and generate license attribution

Socket is excited to announce a suite of new features for analyzing and obtaining package license data, now available for npm, PyPI, Maven, and go.

Socket's team has been working hard to ensure our license detection is accurate and thorough; whether license data is in its own file, an ecosystem-specific manifest, source code, or package metadata, we're confident we'll be able to get you the information you need.

Socket's new license features use license data to serve customers in a few different ways:

  • Through license alerts, which notify users of risks or information warranting further attention
  • Offering a structured overview of a package's license information in the package overview's "License" panel
  • Making detailed license information available programmatically through the API
  • Generating license attribution files on-demand, through the License panel or through the API

Package License panel

The package summary page now sports a "License" panel; users can view the licenses found in different parts of a package, with the applicable license identifiers and links to the exact location of the license information (or an indication that the information was found in the package metadata). Users will also see some high-level information about the applicable license, including the Blue Oak tier (more on this below) and whether the license or combination of licenses is FSF and/or OSI approved.

Sometimes Socket is able to find license information that looks like a known license, but the contents don't quite match. If the mismatch is significant, Socket will display a partial match with the most likely candidate and the relative strength of the match.

In other cases, Socket may find license data that simply can't be identified. This may be the case when the contents of a `LICENSE` file are unique, or a `package.json` file contains a `license` field which specifies a custom or one-off license identifier. Such license data will be displayed as a link to the location, but will be marked as "Unknown".

Dual-licensing, Multiple Applicable Licenses, and License Exceptions

Socket's license features are dual/multi-licensing-aware, both within a single package or artifact, and in the context of dependencies. This means users can request license information for a package and its transitive dependencies, getting all possible combinations offered by that set of software components.

To present these options to users in an intuitive way, we use the simple `OR`, `AND`, and `WITH` operators already widely used in SPDX license expressions. For example:

  • `MIT AND Apache-2.0` means licensees must comply with the terms of both the MIT license and the Apache-2.0 license.
  • `MIT OR Apache-2.0` means licensees may elect to become licensees under the terms of the MIT license or the Apache-2.0 license.
  • `MIT WITH Autoconf-exception-2.0` means licensees receive the software under the terms of the MIT license together with those of the "Autoconf-exception-2.0" exception.

Not only does this allow us to show more accurate license information, it also means we can be much more exact when determining which alerts are relevant to users. If a subset of a package's dependencies is offered under a dual-licensing scheme that implicates copyleft, Socket will determine whether there is a combination of license choices available which contains only permissive licenses, and if so, forgo dispatching a copyleft license alert.

License Ratings

Software may be offered under a wide array of licenses with varied and lengthy terms. To make our license features more effective while taking less of your time, Socket uses the intuitive tier list promulgated by the Blue Oak Council.

  • "Permissive" licenses are ranked gold, silver, bronze, or lead.
  • "Copyleft" licenses are classified as "maximal copyleft", "network copyleft", "strong copyleft", or "weak copyleft".
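The following Python is an added example, not Socket's code, covering two passages above: it parses the `AND`, `OR` and `WITH` operators, expands an expression into the alternative license sets a licensee may choose from, rates each identifier against a small hand-written Blue Oak-style tier table, and applies the copyleft-alert rule described under "Dual-licensing" (alert only when copyleft is implicated and no combination of choices is purely permissive). The tier table, the treatment of exceptions as rating like their base license, and the function names are assumptions made for this example; the table is not the Blue Oak Council's list.

```python
"""Toy SPDX license-expression evaluator (added example, not Socket's code)."""
import re
from itertools import product

# Constructed tier table covering a few well-known identifiers only;
# not the Blue Oak Council's list.
PERMISSIVE_TIERS = {
    "MIT": "gold", "BSD-2-Clause": "gold", "BSD-3-Clause": "gold",
    "Apache-2.0": "gold", "ISC": "gold", "Unlicense": "silver",
}
COPYLEFT_TIERS = {
    "LGPL-2.1-only": "weak copyleft", "MPL-2.0": "weak copyleft",
    "GPL-2.0-only": "strong copyleft", "GPL-3.0-only": "strong copyleft",
    "AGPL-3.0-only": "network copyleft", "SSPL-1.0": "maximal copyleft",
}

# Operators are listed first so the identifier pattern does not swallow them.
TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|WITH\b|[A-Za-z0-9.+-]+)")


def tokenize(expr):
    """Split an SPDX expression into parentheses, operators and identifiers."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad SPDX expression near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


# Precedence, tightest first: WITH, then AND, then OR. Each parser returns a
# list of alternatives; an alternative is the frozenset of licenses a
# licensee must comply with at the same time.
def _parse_or(tokens):
    alts = _parse_and(tokens)
    while tokens and tokens[0] == "OR":
        tokens.pop(0)
        alts = alts + _parse_and(tokens)              # OR: either side satisfies
    return alts


def _parse_and(tokens):
    alts = _parse_primary(tokens)
    while tokens and tokens[0] == "AND":
        tokens.pop(0)
        alts = [a | b for a, b in product(alts, _parse_primary(tokens))]  # AND: both
    return alts


def _parse_primary(tokens):
    if not tokens:
        raise ValueError("unexpected end of expression")
    tok = tokens.pop(0)
    if tok == "(":
        alts = _parse_or(tokens)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return alts
    if tok in ("AND", "OR", "WITH", ")"):
        raise ValueError(f"unexpected {tok!r}")
    if tokens and tokens[0] == "WITH":                # WITH: license plus exception
        tokens.pop(0)
        if not tokens or tokens[0] in ("AND", "OR", "WITH", "(", ")"):
            raise ValueError("WITH needs an exception identifier")
        tok = f"{tok} WITH {tokens.pop(0)}"
    return [frozenset([tok])]


def alternatives(expr):
    """Every distinct license set that satisfies the expression, in source order."""
    tokens = tokenize(expr)
    alts = _parse_or(tokens)
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    out = []
    for alt in alts:
        if alt not in out:
            out.append(alt)
    return out


def rate(license_id):
    """(kind, tier) for one identifier. Assumption: an exception only adds
    permissions, so it is rated like its base license."""
    base = license_id.split(" WITH ")[0]
    if base in PERMISSIVE_TIERS:
        return "permissive", PERMISSIVE_TIERS[base]
    if base in COPYLEFT_TIERS:
        return "copyleft", COPYLEFT_TIERS[base]
    return "unknown", None


def needs_copyleft_alert(dependency_expressions):
    """Alert when some combination of choices across the dependencies involves
    copyleft and no combination consists of permissive licenses only."""
    per_dependency = [alternatives(e) for e in dependency_expressions]
    kinds = [{rate(lic)[0] for lic in frozenset().union(*combo)}
             for combo in product(*per_dependency)]
    copyleft_present = any("copyleft" in k for k in kinds)
    all_permissive_available = any(k <= {"permissive"} for k in kinds)
    return copyleft_present and not all_permissive_available


if __name__ == "__main__":
    deps = ["MIT", "GPL-3.0-only OR Apache-2.0", "MIT WITH Autoconf-exception-2.0"]
    for expr in deps:
        print(expr, "->", [sorted(a) for a in alternatives(expr)])
    print("copyleft alert:", needs_copyleft_alert(deps))          # False
    print("copyleft alert:", needs_copyleft_alert(["ISC", "GPL-2.0-only AND MPL-2.0"]))  # True
```

The parser deliberately expands to the full list of alternatives rather than evaluating a boolean: that list is what a License panel or an attribution generator needs to show the user which choices exist. For a real dependency graph with many `OR` expressions the product can grow quickly, so a production implementation would prune as soon as one all-permissive combination is found.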

Automating Attribution

One of the features we're proud to offer is automatic generation of license attribution information, available through a package's License panel or through Socket's public API.

Software licenses frequently require licensees to include a copy of the license and/or give the original authors credit downstream. It has become relatively common for licensees to fulfill these obligations by creating an index mapping the software used in a project to its licensing and author information. You can almost certainly find an example of this by going to the legal or open source software section of your smartphone's "Settings" menu, then the "Legal" or "Open source" sub-menu.

With Socket's new license features, generating a detailed attribution file for an entire dependency chain is a breeze; Socket users can get license attribution data as a JSON file through Socket's API, or by using the button on a package or artifact's License panel.
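As an added example of the index described above (not Socket's generator, and not the format of Socket's API output), the following Python walks a constructed dependency tree, deduplicates packages that appear more than once transitively, maps each package to its license and authors, includes each license text once, and flags packages whose license text could not be found so a human can supply it. The tree, the field names and the output layout are assumptions made for this example; it treats each package's `license` field as a single identifier rather than a full SPDX expression.

```python
"""Build a license attribution index from a dependency tree.

Added example, not Socket's generator or its API output format. The tree
below is constructed metadata of the kind a package manager exposes.
"""
import json

# Constructed dependency tree: two direct dependencies share one transitive
# dependency, and one package ships no license text.
SHARED = {
    "name": "utf8-helpers", "version": "0.9.0", "license": "ISC",
    "authors": ["Ida Example"],
    "license_text": "ISC License\n\nCopyright (c) 2020 Ida Example\n(constructed text)",
    "dependencies": [],
}
DEPENDENCY_TREE = {
    "name": "example-app", "version": "1.0.0", "license": "MIT",
    "authors": ["Example Corp"], "license_text": None,
    "dependencies": [
        {"name": "tiny-json", "version": "3.2.1", "license": "MIT",
         "authors": ["Jane Maintainer"],
         "license_text": "MIT License\n\nCopyright (c) 2019 Jane Maintainer\n(constructed text)",
         "dependencies": [SHARED]},
        {"name": "pretty-table", "version": "2.0.0", "license": "Apache-2.0",
         "authors": ["Table Devs"], "license_text": None,
         "dependencies": [SHARED]},
    ],
}


def package_key(pkg):
    return f"{pkg['name']}@{pkg['version']}"


def flatten(root):
    """Depth-first walk of root's transitive dependencies, deduplicated by
    name@version. The root is the project being attributed, so it is excluded."""
    seen, ordered = set(), []
    stack = list(reversed(root["dependencies"]))
    while stack:
        pkg = stack.pop()
        key = package_key(pkg)
        if key in seen:
            continue
        seen.add(key)
        ordered.append(pkg)
        stack.extend(reversed(pkg["dependencies"]))
    return ordered


def build_attribution(root):
    """Index mapping each package to its license and authors, with each
    license text included once and missing texts reported separately."""
    packages = sorted(flatten(root), key=lambda p: (p["name"], p["version"]))
    # First pass: collect one text per license identifier, from any package.
    texts = {}
    for pkg in packages:
        if pkg["license_text"]:
            texts.setdefault(pkg["license"], pkg["license_text"])
    # Second pass: build the index and flag licenses with no text at all.
    index, missing = [], []
    for pkg in packages:
        index.append({"package": package_key(pkg), "license": pkg["license"],
                      "authors": list(pkg["authors"])})
        if pkg["license"] not in texts:
            missing.append(package_key(pkg))
    return {
        "project": package_key(root),
        "packages": index,
        "license_texts": texts,
        "missing_license_text": missing,
    }


def render(root):
    """Serialize the attribution index as a JSON document."""
    return json.dumps(build_attribution(root), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(render(DEPENDENCY_TREE))
```

Running the block prints an index with three packages (the shared dependency appears once), MIT and ISC texts, and `pretty-table@2.0.0` under `missing_license_text` because no Apache-2.0 text was found anywhere in the tree; that last list is the review queue before the file ships with a product.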

What's Next

  • Support for more ecosystems: Socket's license features are currently available for npm, PyPI, Maven, and Go. As we continue to support more ecosystems and languages, we'll be extending our license features to those ecosystems as well.
  • Customizable license allow lists: The current version of Socket's license alerts uses a fixed set of alerts that we think best serve the greatest number of users. Moving forward, we'll be implementing custom allow lists to let users decide what licenses to allow or disallow, and what to do when a disallowed license is found.

Wrapping Up

The best way for Socket to better serve you is to respond to your feedback. If there’s a feature you need, or something you think we can do better, please submit your suggestions or contact us directly. If you're an enterprise customer or considering becoming one, we’d love to know how we can better meet your needs.

We're thrilled to bring you this functionality and are hard at work honing our next developer-first security tools for the rest of 2024 and beyond!
