ProGet Documentation

License Scanning and Blocking

  • Last Modified: 2019-07-17

By using third-party, open-source packages in your application, you agree to whatever licensing terms the packages' authors specify. In many cases, these licensing terms are benign and permissive. But in some cases, they are restrictive and can open your organization to unexpected legal liabilities.

For example, if you were to use a GPL3-licensed package in your application, you would be required to open source your application and then license it under GPL3. If your organization failed to do that, it could face a lawsuit from the package authors.

ProGet offers two workflows for managing licensing agreements of third-party, open-source packages.

  • License filtering feature - the built-in feature that allows you to permit or restrict packages from being used based on their license
  • WhiteSource integration - the built-in integration with the third-party WhiteSource service for managing license compliance

This feature is available in paid and trial ProGet editions.

License Filtering In ProGet

ProGet ships with an editable list of open-source license types (MIT, GPL3, etc.) called known licenses. You then define global and feed-specific rules to block or allow downloads based on a package's license, as well as global or feed-specific rules about whether to block downloads for packages with unknown licenses.

Packages are allowed or blocked based on the logic described in the following sections.

Known License Types

ProGet's list of known licenses comes from SPDX, and is periodically updated. You can edit this list by going to Compliance > Licensing > Manage Known Licenses.

A license type consists of the following elements:

  • SPDX Identifier; a code such as MIT or GPL3 that some package formats use to identify the license used
  • Title; a description of the license, such as MIT License or General Public License 3.0
  • URLs; a list of URLs that are associated with this license agreement

Licensing Rules

A licensing rule consists of a known license type and an allow or block flag.

Rules can be defined at both the global and the feed level:

  • Global license rules: Compliance > Licenses
  • Feed-specific license rules: Feed > Manage Feed > License Filters

If a feed-level rule is defined for a license type, the global rule will be ignored.

Rules for packages with unknown licenses are also defined at both levels:

  • Global unknown rule: Advanced Settings > Feeds.AllowUnknownLicenseDownloads
  • Feed-specific unknown rule: Manage Feed > Unknown Licenses
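The decision logic described above (feed-level rules override global rules for the same license type; packages whose license is not a known license type fall under the unknown-license rules), written out as an added example for this page. This is illustration code, not ProGet's own implementation. The known-license list, the policies and the package records are constructed for the example; the SPDX identifiers used are real SPDX ids. Two points are assumptions rather than documented behaviour and are marked as such in the code: that a feed-level unknown-license setting overrides the global Feeds.AllowUnknownLicenseDownloads setting (mirroring the documented precedence for per-license rules), and that a known license with no rule at either level is not filtered.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed subset of the SPDX-derived "known licenses" list (SPDX id -> title).
KNOWN_LICENSES: Dict[str, str] = {
    "MIT": "MIT License",
    "GPL-3.0-only": "GNU General Public License v3.0 only",
    "Apache-2.0": "Apache License 2.0",
}


@dataclass
class GlobalPolicy:
    # Compliance > Licenses: SPDX id -> True (allow) / False (block)
    rules: Dict[str, bool] = field(default_factory=dict)
    # Advanced Settings > Feeds.AllowUnknownLicenseDownloads
    allow_unknown: bool = False


@dataclass
class FeedPolicy:
    name: str
    # Manage Feed > License Filters; overrides the global rule for the same id
    rules: Dict[str, bool] = field(default_factory=dict)
    # Manage Feed > Unknown Licenses; None means "use the global setting"
    # (assumption: the feed setting, when present, overrides the global one)
    allow_unknown: Optional[bool] = None


def evaluate(spdx_id: Optional[str], global_policy: GlobalPolicy,
             feed: FeedPolicy) -> Tuple[bool, str]:
    """Decide whether a package download is allowed and say which rule decided it."""
    if spdx_id is not None and spdx_id in KNOWN_LICENSES:
        # Feed-level rule wins over the global rule for the same license type.
        if spdx_id in feed.rules:
            return feed.rules[spdx_id], f"feed '{feed.name}' rule for {spdx_id}"
        if spdx_id in global_policy.rules:
            return global_policy.rules[spdx_id], f"global rule for {spdx_id}"
        # Assumption: a known license with no rule at either level is not filtered.
        return True, f"no rule for known license {spdx_id}"

    # Unknown license: no license metadata at all, or an id not in the known list.
    label = spdx_id or "<none>"
    if feed.allow_unknown is not None:
        return feed.allow_unknown, f"feed '{feed.name}' unknown-license setting ({label})"
    return global_policy.allow_unknown, f"global unknown-license setting ({label})"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed policies and packages; returns package label -> (allowed, reason)."""
    glob = GlobalPolicy(rules={"GPL-3.0-only": False, "MIT": True}, allow_unknown=False)
    # An internal feed that permits copyleft code and unknown licenses.
    internal = FeedPolicy("internal-tools", rules={"GPL-3.0-only": True}, allow_unknown=True)
    # A mirror feed with no feed-level overrides, so global rules apply.
    public = FeedPolicy("public-mirror")

    packages = {
        "mit-lib@1.0 (MIT, public-mirror)": ("MIT", public),
        "copyleft-lib@2.0 (GPL-3.0-only, public-mirror)": ("GPL-3.0-only", public),
        "copyleft-lib@2.0 (GPL-3.0-only, internal-tools)": ("GPL-3.0-only", internal),
        "apache-lib@3.1 (Apache-2.0, no rule, public-mirror)": ("Apache-2.0", public),
        "mystery-lib@0.9 (no license, public-mirror)": (None, public),
        "mystery-lib@0.9 (no license, internal-tools)": (None, internal),
        "odd-lib@1.2 (custom id, public-mirror)": ("Custom-EULA-1.0", public),
    }
    return {name: evaluate(lic, glob, feed) for name, (lic, feed) in packages.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name}: {reason}")
```

Running the block prints one ALLOW/BLOCK line per constructed package together with the rule that decided it, which is the information a reviewer wants when a download is refused: whether a feed-level filter, a global filter, or an unknown-license setting produced the result.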


This documentation is licensed under CC-BY-SA-4.0 and stored in GitHub.

Generated from commit ce197caa on master