HOWTO: Filter NuGet Packages by License
  • 30 Dec 2021


How To Create NuGet License Filtering Rules

Many NuGet packages found on websites like nuget.org usually have some sort of open-source license. For a DevOps team, some licenses are okay to use (like the MIT license), whereas others are risky (like the GPL license).

This article describes the License Detection and Blocking feature in ProGet. It shows you how to assign a license type to a package (for easy browsing), how to filter between approved and unwanted licenses, and finally how to apply these filters across multiple ProGet feeds to save time and resources.

Getting Started by Assigning a License

ProGet can automatically detect the license agreement that a package is using and will display it in a clearly visible manner on the Package Overview page.

A ProGet package with a green [approved license] box in its description.

ProGet ships with a comprehensive list of open-source license types (e.g., MIT, GPL3, etc), called known licenses, sourced from SPDX. ProGet's list is not exhaustive, however, so you can edit it by going to Licenses > License Types.

When you create a NuGet feed in ProGet, many packages won’t have an assigned license. On the package overview page, you may see this window:

A window on a ProGet Package saying the package cannot be recognized so likely has a custom license.

This means the package does not have an SPDX identifier or license URL that ProGet can implicitly recognize, so it is considered to have an unknown or custom license. This can happen for a number of reasons:

  • No license at all
  • Embedded license file (e.g. license.txt)
  • Nonstandard license URL

Detecting an unknown license gives you the opportunity to add a new license type. Once you’ve identified the package’s license and assigned it a license type, ProGet can detect that license on other packages and you can configure rules for it.

How To Assign a License in ProGet

Step 1: Manually Inspect the NuGet Package

To identify an unknown license, you must download the package, or click through to the license URL, and investigate manually.

Step 2: Click [Assign License Type to Custom URL]

Once you have read the license and confirmed its contents, return to the Package Overview page in ProGet and click [Assign License Type to Custom URL] in the red window.

Step 3: Choose the Appropriate License

A pop-up window will appear with a drop-down of SPDX licenses. Choose the most appropriate license after your investigation and click [save].

The "Assign License" window in ProGet, displaying potential SPDX IDs

You can also write your own identifier, not sourced from SPDX, for custom or proprietary licenses.

The "Assign License" window in ProGet with a custom license ID in the SPDX ID textbox.

Note that, for packages with an embedded license or no license at all, a special URL is used as the identifier: package:// indicates a file within a specific package version, and packageid:// refers to that package version itself.

Once you’ve added the license, all other packages with the same SPDX Identifier, URL, or file will then be detected as that license type.

Checking License Types

Once a new license type has been added, you can manage it on the Licenses > License Types page of ProGet.

If you've added a license type incorrectly, you can click on the license's ID; a pop-up will appear to edit the license details.

The "Edit License Type" window displaying options to edit a custom license type.

You can also delete the license type by clicking on the ❌ to the right of the license's URL(s).

ProGet and NuGet Licenses

ProGet has workflows for managing license agreements, making it easy to set up and manage in large teams.

The License Detection and Blocking feature allows admins to define rules to block or allow downloads based on the NuGet package’s license. You can also define rules about whether to block downloads for unknown licenses.

These rules can be set at the global and feed-specific level. This guide will describe how to do both.

License rules allow or deny downloading NuGet packages with specific licenses. Packages with blocked licenses will have no option for download. Because unknown licenses can be blocked as well, you can even prevent a package from being downloaded until its license has been investigated, totally mitigating the risk.

How to Block Unwanted Licenses

You’ll want to block licenses with known problems – a prime example is the GPL license. We’ve gone into detail about how unknowingly using a GPL-licensed package can bring legal risk and greatly cost a company. To keep out of court, use ProGet to set up license detection and blocking rules on your server and across its feeds.

Before License Blocking

Without any license blocking rules, you can freely browse a ProGet feed and download any package; you are unrestricted.

A ProGet Package with a GPL license that is approved for download.

Step 1: Navigate to Manage Feed > Detection & Blocking

Select the ProGet feed you’d like to apply a license rule to and navigate to its Manage Feed page. From there, select the Detection & Blocking tab.

Step 2: Click [Add License Blocking Rule]

The "Add a License Blocking Rule" display in ProGet, when no other rules have been made

Step 3: Create a License Filter Rule

In the pop-up, select the license you’d like to block from the [License] drop down menu. GPL-3.0 is always good to block to avoid lawsuits.
From the [Rule] drop down menu, select “Block this license.”

The "Create License Filter Rule" window in ProGet, showing SPDX ID GPL and a "block this license" option.

Click [Create Rule].

After License Blocking

Now that you’ve created the rule, when you browse to a NuGet package with the blocked license, you will be unable to download it.

A ProGet package with a GPL license that is now blocked from being downloaded.

Adding More Rules

If you want to add more rules to a feed, follow the above instructions. Once rules have been made, the Detection and Blocking tab will list the rules at the bottom of the screen.

To add more rules, click on the [add] above the list.

The License Detection page with rules made, pointing towards where to create more rules.

How To Allow Approved Licenses

By default, ProGet allows downloads of packages with unknown licenses. You can change this default to “block” and then create specific rules for each license you’d like to allow or block.

Setting a filter for allowed licenses creates guidance for junior team members, and it helps keep projects in line with your company’s third-party software policy.

Step 1: Repeat Steps 1 and 2 of “How to Block Unwanted Licenses”

Similar to blocking a license, you set up allowed licenses via the same page and buttons. Navigate to Detection & Blocking and click on [Add License Blocking Rule] or [add].

Step 2: Create a License Filter Rule

In the pop-up window, from the License drop-down menu, select the license you’d like to allow. From the Rule drop down, select “Allow this license.”

Click [Create Rule].

After License Allowing

Now NuGet packages whose license matches your allow rule can be downloaded by users.

A ProGet package with a green [approved license] box in its description.

How to Share Rules across all Feeds

It’s safe to assume your ProGet instance will have more than one feed; dozens, hundreds, possibly thousands! So we understand that setting the same rule for multiple feeds, one feed at a time, is a great pain.

Instead, you can create a license filtering rule at the “global” level (i.e., it applies to every feed on the server).

Before a Global Filtering Rule

When you browse the rules of your feed, you’ll see that it lists the rules as “feed-level.”

A zoomed-in display showing the scope level of license blocking rules in ProGet.

Step 1: Navigate to Licenses and Create a new Rule.

Via the top ribbon of ProGet, navigate to Licenses and click on [Create Rule] at the bottom right of the page.

Step 2: Repeat Step 3 of “How to Block Unwanted Licenses”

In the pop-up window, choose the license you’d like to configure at a global level, and the rule you’d like to apply (either allow or block).

Click [Create Rule].

After A Global Filtering Rule

Once you’ve set up a global rule, you’ll see it both on each feed’s Detection and Blocking tab…

The license detection page displaying the scope level of multiple license blocking rules.

…or on the Licenses page.

The Global licenses page displaying the global license detecting and blocking rules.

Troubleshooting

Conflicting Rules

When a feed has two conflicting rules, like a Block and an Allow of a single license, the smaller-scoped rule will apply.

For example, if Apache-2.0 is allowed at a global scope but blocked on a feed scope, the feed will take on the feed-level rule. The same is true in the reverse (blocked at global, allowed at feed).

If you have a global rule of Block Apache-2.0 and create a feed rule of Allow Apache-2.0, the global rule will not appear on screen, as the feed has taken the feed rule as priority.

In the same example, if the feed rule Block Apache-2.0 is deleted, the global rule Allow Apache-2.0 will now apply since the smaller-scoped rule is gone.
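The following is an added example (not ProGet's own code) that models the two mechanisms this article describes: license detection by SPDX identifier, license URL, or the special package:// and packageid:// identifiers assigned to embedded or missing licenses, and rule evaluation in which a feed-level rule overrides a global rule and an unknown license falls back to the feed's block-unknown setting. The exact form of the package:// and packageid:// keys, and the treatment of a known license with no rule in either scope (assumed to be allowed), are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

UNKNOWN = "UNKNOWN"  # stands in for ProGet's "unknown or custom license"


@dataclass
class Package:
    # Constructed sample metadata: the fields the article says are inspected.
    package_id: str
    version: str
    spdx_id: Optional[str] = None
    license_url: Optional[str] = None
    embedded_license_file: Optional[str] = None  # e.g. "license.txt"


def detect_license(pkg: Package, known: dict[str, str]) -> str:
    """Map a package to a license type by SPDX id, license URL, or an assigned
    package:// / packageid:// key; anything else is treated as UNKNOWN.
    The key layout "package://<id>/<version>/<file>" is an assumption."""
    candidates = []
    if pkg.spdx_id:
        candidates.append(pkg.spdx_id)
    if pkg.license_url:
        candidates.append(pkg.license_url)
    if pkg.embedded_license_file:
        candidates.append(f"package://{pkg.package_id}/{pkg.version}/{pkg.embedded_license_file}")
    candidates.append(f"packageid://{pkg.package_id}/{pkg.version}")
    for key in candidates:
        if key in known:
            return known[key]
    return UNKNOWN


def is_download_allowed(license_id: str, global_rules: dict[str, str],
                        feed_rules: dict[str, str], block_unknown: bool) -> bool:
    """Rules map a license id to "allow" or "block". The feed-scoped rule wins
    over the global rule for the same license (the smaller scope applies);
    an unknown license falls back to the block-unknown setting."""
    if license_id == UNKNOWN:
        return not block_unknown
    for rules in (feed_rules, global_rules):  # smaller scope checked first
        if license_id in rules:
            return rules[license_id] == "allow"
    return True  # assumption: a known license with no rule at all is allowed


def evaluate(pkg: Package, known: dict[str, str], global_rules: dict[str, str],
             feed_rules: dict[str, str], block_unknown: bool) -> tuple[str, bool]:
    """Full pipeline: detect the license, then decide whether download is permitted."""
    lic = detect_license(pkg, known)
    return lic, is_download_allowed(lic, global_rules, feed_rules, block_unknown)
```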

Filter by Licenses with ProGet

Using ProGet to filter NuGet packages by their licenses will add extra security to your projects. Allowing only vetted licenses and blocking known problematic licenses will avoid headaches and potential lawsuits.

ProGet’s other features like NuGet Vulnerability Scanning and Setting Up Restricted NuGet Feeds can help save resources and reduce risk too.

Request a free trial key for ProGet and try the License Detection and Blocking feature today - only available in the paid version of ProGet.
