Licensing Detection and Blocking
  • 27 Jun 2022

ProGet can automatically detect the license agreements that govern the third-party, open-source packages that you use. This enables you to:

This article will explain how license detection works, and how to configure rules for blocking packages based on their license.

You can access ProGet's license detection and blocking features by navigating to Reporting & SCA > License Usage:

Licensing Usage

See ProGet 6.0 and earlier to learn how these features worked prior to ProGet 2022.

Why are License Agreements Important?

By using third-party, open-source packages in your application, you agree to whatever licensing terms the packages' authors specify. In many cases, these licensing terms are benign and permissive. But in some cases, they are restrictive and can open your organization to unexpected legal liabilities.

For example, if you distribute an application that incorporates a GPL-3.0-licensed package (GNU General Public License v3), the license requires you to make your application's source code available and to license it under GPL-3.0 as well. If your organization failed to do that, it could face legal action from the package authors.

To learn more, see How to Avoid Costly Lawsuits from Unexpected NuGet License Agreements on our blog.

To protect from the fallout from packages with unwanted licenses, ProGet offers two workflows for managing licensing agreements of third-party, open-source packages:

How does ProGet detect Licenses?

ProGet includes a comprehensive list of open-source license that's based on the SPDX License List. Each license in this list has the following fields:

You can then define rules to block or allow packages that use a license in that list.

Matching Packages to Licenses

Some package types (such as NuGet and npm) allow authors to specify an SPDX identifier to indicate how the package is licensed. In this case, ProGet matches that identifier against the "Identifier" field of each license type.

Other times, authors specify the license with a URL. ProGet then matches that URL to determine which license type applies.

Unknown Licenses

If a package specifies an SPDX identifier or URL that is not in your license list, or if the package doesn't specify a license at all, it is considered to have an unknown license.

When a package has an unknown license, ProGet will display a warning and give you an opportunity to create a new license type. All other packages with the same SPDX Identifier or URL will then be detected as that license type.

License Rules and Blocking

ProGet allows you to define rules to block or allow downloads based on a package's license. These are set at the global level, and can then be overridden at the feed level.

To see all license types and rules in ProGet, navigate to Reporting & SCA > License Usage, then click "manage types". Clicking on a license type will allow you to configure usage rules.

Edit License Type

Once a license rule is configured, packages with a blocked license will display a red warning on the Package Overview page, and ProGet will not allow the package to be downloaded.

Default License Rules

By default, ProGet uses a "blacklist approach" for licenses: all packages can be downloaded unless there is an explicit rule that blocks them. You can change this to a "whitelist" by editing the Default License Rule.

Default licensing rule

This default rule can be set at the global level, and then overridden on each feed.

When the default rule is set to block, packages with unknown licenses are blocked as well. For example, if the default rule is set to block and the only explicit rule allows the MIT license type, then only MIT-licensed packages can be downloaded; packages with any other license, known or unknown, are blocked.
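The following script models the detection and rule evaluation described in the "Matching Packages to Licenses", "Unknown Licenses" and "License Rules and Blocking" sections above. It is an added illustration, not ProGet's code, and it does not call the ProGet API. It assumes package metadata that carries either an SPDX expression (NuGet's license expression, npm's "license" field) or a license URL (NuGet's licenseUrl), a rule precedence of feed rule, then global rule, then default rule, and that an unknown license follows the default rule; the license list, package metadata and feed names are constructed for the example.

```python
"""Model of license detection and allow/block rule evaluation.

Added illustration only; not ProGet's code. Assumptions: metadata has a
"license_expression" (SPDX) or "license_url" key; precedence is feed rule,
then global rule, then the default rule; unknown licenses follow the default.
"""
from dataclasses import dataclass, field

ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class LicenseType:
    identifier: str   # SPDX identifier, matched against the package's expression
    title: str
    urls: tuple = ()  # known license URLs, matched against the package's license URL


# Constructed subset of an SPDX-based license list.
LICENSE_TYPES = (
    LicenseType("MIT", "MIT License",
                ("https://opensource.org/licenses/MIT", "https://opensource.org/license/mit/")),
    LicenseType("Apache-2.0", "Apache License 2.0",
                ("https://www.apache.org/licenses/LICENSE-2.0",)),
    LicenseType("GPL-3.0-only", "GNU General Public License v3.0 only",
                ("https://www.gnu.org/licenses/gpl-3.0.html",)),
)


def _normalize_url(url):
    """Compare URLs loosely: scheme, letter case and a trailing slash do not matter."""
    url = url.strip().lower().rstrip("/")
    for prefix in ("https://", "http://"):
        if url.startswith(prefix):
            url = url[len(prefix):]
    return url


def detect_license(metadata, license_types=LICENSE_TYPES):
    """Return the LicenseType for a package, or None when the license is unknown.

    The SPDX expression is tried first (case-insensitive identifier match), then
    the license URL. Anything else, including no license at all, is unknown.
    """
    expression = (metadata.get("license_expression") or "").strip().lower()
    if expression:
        for lt in license_types:
            if lt.identifier.lower() == expression:
                return lt
    url = metadata.get("license_url")
    if url:
        wanted = _normalize_url(url)
        for lt in license_types:
            if any(_normalize_url(u) == wanted for u in lt.urls):
                return lt
    return None


@dataclass
class LicensePolicy:
    default_rule: str = ALLOW                          # ALLOW = "blacklist", BLOCK = "whitelist"
    global_rules: dict = field(default_factory=dict)   # SPDX identifier -> ALLOW/BLOCK
    feed_defaults: dict = field(default_factory=dict)  # feed -> override of default_rule
    feed_rules: dict = field(default_factory=dict)     # feed -> {identifier -> ALLOW/BLOCK}

    def decide(self, feed, metadata):
        """Return (decision, reason) for downloading one package from one feed."""
        default = self.feed_defaults.get(feed, self.default_rule)
        lt = detect_license(metadata)
        if lt is None:
            return default, "unknown license; default rule applies"
        for scope, rules in (("feed", self.feed_rules.get(feed, {})), ("global", self.global_rules)):
            if lt.identifier in rules:
                return rules[lt.identifier], f"{scope} rule for {lt.identifier}"
        return default, f"no rule for {lt.identifier}; default rule applies"


# Constructed package metadata, shaped like what NuGet/npm manifests expose.
PACKAGES = {
    "nuget:Sample.Json": {"license_expression": "MIT"},
    "npm:copyleft-widget": {"license_expression": "gpl-3.0-only"},
    "nuget:legacy-lib": {"license_url": "http://www.apache.org/licenses/LICENSE-2.0/"},
    "npm:no-license": {},
}


def evaluate(policy, feed="default"):
    """Map every constructed package to its allow/block decision on one feed."""
    return {name: policy.decide(feed, meta)[0] for name, meta in PACKAGES.items()}


# Blacklist: everything is allowed unless an explicit rule blocks it.
BLACKLIST = LicensePolicy(default_rule=ALLOW, global_rules={"GPL-3.0-only": BLOCK})

# Whitelist: default rule blocks, one allow rule for MIT; a feed override allows GPL on one feed.
WHITELIST = LicensePolicy(default_rule=BLOCK, global_rules={"MIT": ALLOW},
                          feed_rules={"internal-npm": {"GPL-3.0-only": ALLOW}})

if __name__ == "__main__":
    for label, policy, feed in (("blacklist", BLACKLIST, "default"),
                                ("whitelist", WHITELIST, "default"),
                                ("whitelist + feed override", WHITELIST, "internal-npm")):
        print(label, evaluate(policy, feed))
```

Note that under the whitelist policy the package with no license is blocked alongside the Apache-licensed one, which is the behaviour the paragraph above describes; the feed-level rule only changes the outcome for the feed it is attached to.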

ProGet 6.0 and Earlier

Prior to ProGet 2022, ProGet supported only license detection and blocking, and the user interface for configuring these settings was a little different.

License blocking rules were defined as:

  • Global license rules: Licenses (on the top navigation)
  • Feed-specific license rules: Feed > Manage Feed > Scanning & Blocking

The default rule was configured as follows:

  • Global unknown rule: Advanced Settings > Feeds.AllowUnknownLicenseDownloads
  • Feed-specific unknown rule: Feed > Manage Feed > Scanning & Blocking

See HOWTO: Filter NuGet Packages by License to see more about ProGet 6.0 and Earlier.
