Profile Applicability:
Level 1
Description:
Automated scanning tools must be deployed to analyze all open-source packages used within software projects for license compliance issues. These scanners help identify license types, detect incompatible or restricted licenses, and ensure adherence to organizational and legal requirements.
Rationale:
Monitoring open-source license compliance mitigates legal and operational risks associated with using software components under incompatible or restrictive licenses. Automated license scanning supports governance, reduces inadvertent violations, and facilitates audit readiness.
Impact:
Pros:
Identifies potential license conflicts early.
Supports legal compliance and risk management.
Enhances governance of software supply chain.
Facilitates procurement and audit processes.
Cons:
Requires integration of license scanning tools.
May generate false positives needing manual review.
Default value:
Many organizations do not systematically scan for license compliance, increasing exposure to legal risks.
Audit:
Review license compliance scan reports and remediation actions. Verify that license scanning is integrated into build and deployment pipelines.
Remediation:
Adopt license scanning tools such as FOSSA, WhiteSource, or SPDX analyzers. Establish policies to address identified license issues. Train development and legal teams on license management best practices.
References:
FOSSA Open Source License Management: https://fossa.com/
SPDX License List: https://spdx.org/licenses/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/