Licensing Detection and Blocking
  • 10 Oct 2023


ProGet can automatically detect the license agreements that govern the third-party open source packages you use. This allows you to:

This article explains how license detection works and how to configure rules for blocking packages based on their license.

You can access ProGet's license detection and blocking features by navigating to Reporting & SCA > License Usage:

(Screenshot: Licensing Usage)

See ProGet 6.0 and earlier to learn how these features worked prior to ProGet 2022.

Why are License Agreements Important?

By using third-party open source packages in your application, you agree to the license terms stated by the authors of the packages. In many cases, these license terms are benign and permissive. In some cases, however, they are restrictive and can expose your organization to unexpected legal liabilities.

For example, if you want to use a GNU3-licensed package in your application, you must open source your application and then license it under GNU3. If your organization does not do this, it could be sued by the package authors.

To learn more, see How to Avoid Costly Lawsuits from Unexpected NuGet License Agreements on our blog.

To protect against the consequences of packages with unwanted licenses, ProGet provides two workflows for managing license agreements for third-party open source packages:

How does ProGet detect Licenses?

ProGet includes a comprehensive list of open-source licenses based on the SPDX License List. Each license in this list has the following fields:

You can define rules to block or allow packages that use a license in that list.

Matching Packages to Licenses

Some package types (such as NuGet and npm) allow authors to specify an "SPDX code" indicating how the package is licensed. In this case, ProGet will match this code with the "Identifier" field.

In other cases, authors use a URL to indicate the license. ProGet matches the URL to determine which license is used.

Unknown Licenses

If a package specifies an SPDX identifier or URL that isn't in your license list, or if the package doesn't specify a license at all, it's assumed to have an unknown license.

If a package has an unknown license, ProGet displays a warning and gives you the option to create a new license type. All other packages with the same SPDX identifier or URL will then be recognized as this license type.

License Rules and Blocking

ProGet allows you to define rules to block or allow downloads based on the license of a package. These are set at the global level and can then be overridden at the feed level.

To see all license types and rules in ProGet, navigate to Reporting & SCA > License Usage and then click "manage types". When you click on a license type, you can configure usage rules.

(Screenshot: Edit License Type)

Once a license rule is configured, packages with a blocked license will display a red warning on the Package Overview page, and ProGet will not allow the package to be downloaded.

Default License Rules

By default, ProGet uses a "blacklist approach" to licenses: all packages can be downloaded unless there is an explicit rule blocking them. You can change this to a "whitelist" by editing the default license rule.

(Screenshot: Default licensing rule)

This default rule can be set at the global level and then overridden in each feed.

If ProGet is configured to block licenses, it will also block packages with unknown licenses. For example, if only one license rule is defined (e.g., allow MIT license types) and you configure ProGet to block unknown licenses, only packages with that license type (i.e., MIT) can be downloaded.
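The matching and rule-evaluation behaviour described above, written out as an added, simplified model (this is illustrative code, not ProGet's own implementation): a package's declared SPDX code or URL is matched against a constructed license list, anything unmatched is "unknown", per-license rules override the default rule, feed-level settings override global ones, and unknown licenses follow the default rule.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed license list in the shape the article describes: an SPDX
# identifier plus the URL(s) authors commonly use to refer to the license.
LICENSES = {
    "MIT": {"https://opensource.org/licenses/MIT"},
    "Apache-2.0": {"https://www.apache.org/licenses/LICENSE-2.0"},
    "GPL-3.0-only": {"https://www.gnu.org/licenses/gpl-3.0.html"},
}


@dataclass
class RuleSet:
    """License rules at one level (global or feed). None means 'not set at this level'."""
    default: Optional[str] = None                       # "allow" (blacklist) or "block" (whitelist)
    per_license: Dict[str, str] = field(default_factory=dict)  # SPDX identifier -> "allow"/"block"


def identify_license(declared: Optional[str]) -> str:
    """Map a package's declared license (SPDX code or URL) to a list entry, else 'unknown'."""
    if not declared:
        return "unknown"
    for identifier, urls in LICENSES.items():
        if declared == identifier or declared.rstrip("/") in {u.rstrip("/") for u in urls}:
            return identifier
    return "unknown"


def is_download_allowed(declared: Optional[str], global_rules: RuleSet,
                        feed_rules: Optional[RuleSet] = None) -> bool:
    """Decide whether a package may be downloaded under the article's rule model."""
    feed_rules = feed_rules or RuleSet()
    license_id = identify_license(declared)
    if license_id != "unknown":
        # A feed-level per-license rule overrides the global one; either overrides the default.
        rule = feed_rules.per_license.get(license_id) or global_rules.per_license.get(license_id)
        if rule is not None:
            return rule == "allow"
    # No explicit rule (or an unknown license): fall back to the default rule.
    # With no configured default, ProGet's "blacklist approach" allows the download.
    default = feed_rules.default or global_rules.default or "allow"
    return default == "allow"


if __name__ == "__main__":
    whitelist = RuleSet(default="block", per_license={"MIT": "allow"})
    for declared in ["MIT", "https://opensource.org/licenses/MIT", "Apache-2.0", None]:
        print(declared, "->", "allowed" if is_download_allowed(declared, whitelist) else "blocked")
```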

ProGet 6.0 and Earlier

ProGet 6.0 and earlier (prior to ProGet 2022) supported only license detection and blocking, and the user interface for configuring these settings was somewhat different.

The license blocking rules were defined as follows:

  • Global license rules: Licenses (in the top navigation)
  • Feed specific license rules: Feed > Manage feed > Scanning & Blocking

The default (unknown-license) rule was configured as follows:

  • Global unknown rule: Advanced Settings > Feeds.AllowUnknownLicenseDownloads
  • Feed-specific unknown rule: Feed > Manage Feed > Scanning & Blocking

See HOWTO: Filtering Packages by License to learn more about ProGet 6.0 and earlier.
