How to Create NuGet License Filtering Rules

Many NuGet packages found on sites like nuget.org tend to have some sort of open source license. For a DevOps team, some licenses are fine (like the MIT license), while others are risky (like the GPL license).

This article describes the license detection and blocking feature in ProGet. It shows you how to assign licenses to a package (for easy browsing), how to filter between allowed and unwanted licenses, and finally how to apply these filters to multiple ProGet feeds to save time and resources.

Getting Started by Assigning a License

ProGet can automatically detect the license agreement that a package uses and displays it clearly on the Package Overview page.

ProGet ships with a comprehensive list of open source licenses (e.g., MIT, GPL3, etc.), which are referred to as well- known licenses and originate from SPDX. However, ProGet's list is not complete, so you can edit it under Licenses > License Types.

When you create a NuGet feed in ProGet, many packages don't have an assigned license. You may then see this window on the package overview page:

This means that the package does not have an SPDX identifier or a URL that ProGet cannot implicitly recognize, so it is assumed to have an unknown or custom license. This can happen for a number of reasons

• No license at all
• Embedded license file (e.g. 'license.txt')
• Non-standard license URL

Identifying an unknown license gives you the option to add a new license type. Once you have identified the package's license and assigned it a license type, you can now detect and configure that license in ProGet.

How To Assign a License in ProGet

Step 1: Manually Inspect the NuGet Package

To determine the license of an unknown license, you must download the package or click through to the license URL and manually investigate.

Step 2: Click [Assign License Type to Custom URL]

Once you read the license and confirm the contents, return to the Package Overview page on ProGet and click [Assign License Type to Custom URL] in the red window.

Step 3: Choose the Appropriate License

A pop-up window will appear with a drop-down of SPDX licenses. Choose the most appropriate license after your investigation and click [save].

You can also write your own identifier, not sourced from SPDX, for custom or proprietary licenses.

Note that, for packages with embedded licenses or no licenses at all, a special URL will be used. package:// indicates a file within a specific package version, and packageid:// is simply that package version.

Once you add the license, all other packages with the same SPDX identifier, URL, or file are recognized as this license type.

Checking Licenses Types

Once a new license has been added, you can manage it on the Licenses > License Types page of ProGet.

If you've added a license type incorrectly, you can click on the license's ID and a pop-up will appear to edit the license details.

You can also delete the license type by clicking on the ❌ to the right of the license's URL(s).

ProGet and NuGet Licenses

ProGet has workflows for managing license agreements that make it easy to set up and manage across large teams.

The License Detection and Blocking feature allows administrators to define rules to block or allow downloads based on the NuGet package license. They can also set rules to block downloads for unknown licenses.

These rules can be set at both a global and feed-specific level. This guide describes how you can do both.

License rules allow or deny downloading NuGet packages with specific licenses. Packages with blocked licenses won't be available for download. You can also define rules to block downloads for unknown licenses. This way, you can even restrict the download of a package to investigate its license and completely minimize the risk.

How to Block Unwanted Licenses

You’ll want to block licenses with known problems—a prime example is the GPL license. We’ve gone into detail about how unknowingly using a GPL-licensed package can bring legal risk and greatly cost a company. To stay out of court, use ProGet to set up license detection and blocking rules on your server and across its feeds.

Before License Blocking

Without any license blocking rules, you can freely browse a ProGet feed and download anything. You are unrestricted.

Step 1: Navigate to Manage Feed > Detection & Blocking

Select the ProGet feed to which you want to apply a license rule and navigate to its feed management page. There, select the Detection & Blocking tab.

Step 2: Click [Add License Blocking Rule]

Step 3: Create a License Filter Rule

In the pop-up, select the license you’d like to block from the [License] drop-down menu. It's always a good idea to block GPL-3.0 to avoid lawsuits.
From the [Rule] drop down menu, select “Block this license.”

Click [Create Rule].

After License Blocking

Now that you’ve created the rule, when you browse to a NuGet package with the blocked license, you will be unable to download it.

Adding More Rules

If you want to add more rules to a feed, follow the instructions above. Once you have created rules, they will be listed on the Detection and Blocking tab at the bottom of the screen.

To add more rules, click on [add] above the list.

How to Allow Approved Licenses

ProGet is implicitly set to allow downloads of packages with unknown licenses. You can change this to "block" and then create specific rules for each license you want to allow or block.

Setting a filter for allowing licenses provides guidance for junior team members and helps comply with company policies for third-party software.

Step 1: Repeat Steps 1 and 2 of “How to Block Unwanted Licenses”

Similar to blocking a license, you can set up allowed licenses via the same page and buttons. Navigate to Detection and Blocking and click on [Add License Filter Rule] or [add].

Step 2: Create a License Filter Rule

In the pop-up window, from the License drop-down menu, select the license you’d like to allow. From the Rule drop-down, select “Allow this license.”

Click [Create Rule].

After License Allowing

Now NuGet packages with your configured rule will allow users to download the package.

How to Share Rules across All Feeds

It's easy to assume that your ProGet will have more than one feed; dozens, hundreds, perhaps thousands! So we understand that setting the same rule multiple times for multiple feeds is very tedious.

Instead, you can create a license filter rule on a "global" level (e.g. for each feed on the server).

Before a Global Filtering Rule

When you browse the rules of your feed, you’ll see that it lists the rules as “feed-level.”

Step 1: Navigate to Licenses and Create a new Rule.

Via the top ribbon of ProGet, navigate to Licenses and click on [Create Rule] at the bottom right of the page.

Step 2: Repeat Step 3 of “How to Block Unwanted Licenses”

In the pop-up window, select the license you want to configure on a global level and the rule you want to apply (either allow or block).

Click [Create Rule]

After A Global Filtering Rule

Once you’ve set up a global rule, you’ll see it on each feed’s Detection and Blocking tab…

…or on the Licenses page.

Troubleshooting

Conflicting Rules

If a feed has two conflicting rules, such as Block and Allow of a single license, the rule with the smaller scope applies.

For example, if Apache-2.0 is allowed at the global level but blocked at the feed level, the feed is governed by the feed-level rule. The same applies in the reverse case ( blocked at global level, allowed at feed level).

If you have a global rule "Block Apache 2.0" and create a feed rule "Allow Apache 2.0", the global rule will not appear on the screen because the feed has adopted the feed rule as a priority.

In the same example, if the Block Apache-2.0 feed rule is deleted, the Allow Apache-2.0 global rule now applies because the rule with the lower scope is dropped.

Filter by Licenses with ProGet

Using ProGet to filter NuGet packages by their licenses provides additional security for your projects. By allowing only verified licenses and blocking known problematic licenses, you avoid headaches and potential litigation.

ProGet's other features, such as NuGet Vulnerability Scanning and setting up restricted NuGet feeds, can also help save resources and reduce risk.

Request a free trial key for ProGet and try the License Detection and Blocking feature today—only available in the paid version of ProGet.