Profile Applicability:
Level 1
Description:
Implement automated scanning tools to analyze packages for their license types and associated compliance requirements. This process helps identify potential license conflicts, obligations, or restrictions before integrating packages into the software supply chain.
Rationale:
Automatically scanning for license implications reduces legal and compliance risks by ensuring that all third-party packages meet organizational policies and licensing obligations. It helps avoid inadvertent use of incompatible or restrictive licenses that could expose the organization to legal challenges.
Impact:
Pros:
Enhances legal and regulatory compliance.
Provides visibility into license obligations and risks.
Supports informed decision-making on package usage.
Reduces risk of intellectual property violations.
Cons:
May require integration of license scanning tools into development workflows.
Could generate false positives or require manual review for complex licenses.
Default value:
License scanning may not be automated, leading to inconsistent or missed compliance checks.
Audit:
Review license scanning reports and logs. Verify that scanning is regularly performed and results are acted upon.
Remediation:
Integrate automated license scanning tools (e.g., FOSSA, Black Duck, WhiteSource) into build and CI/CD pipelines. Define policies for acceptable licenses and review exceptions. Train development and legal teams on license compliance processes.
References:
Open Source License Compliance: https://opensource.org/licenses
FOSSA License Scanning: https://fossa.com/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/