License Policies
Sandworm uses license policies to determine what sort of issues to raise when scanning your app's dependency licenses. A license policy object links specific license strings or license categories to issue severity levels. Any usage of such licenses will, upon audit, generate a license issue of the specified severity.
The default license categories are:
- Public Domain
- Permissive
- Weakly Protective
- Strongly Protective
- Network Protective
- Uncategorized
See Sandworm's built-in for the full classification breakdown.
While we do our best to keep license info accurate and up-to-date, you should still carefully review all of the terms and conditions of the actual license before using the licensed material. Sandworm isn't a law firm and doesn't provide legal services.
The default license policy:
- generates `high` severity license issues for licenses labeled as Network Protective or Strongly Protective;
- generates `moderate` severity license issues for licenses labeled as Weakly Protective.
You can configure Sandworm to use a custom license policy. The policy object:
- has keys that match one of the supported issue severities: `critical`, `high`, `moderate`, or `low`;
- has values that are arrays;
- each array value is a string that represents either:
  - a specific license, for example `MIT`;
  - a category of licenses, prefixed by `cat:`, for example `cat:Network Protective`.
As an example, here is the representation of the default license policy that Sandworm applies:
To provide a custom license policy, use the `--license-policy` command-line option, or the `audit.licensePolicy` field in the `.sandworm.config.json` configuration file. For example, to generate a critical issue for any dependency using the `MIT` license:
Or using a configuration file:
Apart from the default categories above, Sandworm also supports user-defined license categories. To define categories, set the `categories` key of the license policy JSON to an array of `{name: 'string', licenses: ['string', ...]}` objects:
Any license policy you specify overwrites the default one entirely, even if it only defines custom license categories. If you want to keep the default behavior, you also need to specify the `high` and `moderate` trigger categories, as in the example above.
The default license category names are reserved. When using a default name in a custom category definition, the associated licenses are moved from their pre-assigned category to the specified one. For example, to move the `CC-BY-3.0` license from `Uncategorized` to `Permissive`, you can use:
Uncategorized licenses always result in a `high` severity error.
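The rules above (explicit license strings, `cat:` entries, custom categories that reuse a reserved name, a custom policy replacing the default entirely, and uncategorized licenses always raising `high`) are easy to get subtly wrong when writing a policy by hand. The following is an added example, not Sandworm's own code, that models those semantics in a small evaluator so a candidate policy can be dry-run against a dependency list before it is committed. The built-in category table, the sample dependency tree and the precedence rule (most severe matching level wins, checking both the literal license and its `cat:` entry) are assumptions made for this illustration; `buildCategoryIndex`, `resolveSeverity` and `auditLicenses` are hypothetical helper names.

```javascript
// Added example, not Sandworm's own code: a small evaluator for the license-policy
// semantics this page describes, so a custom policy can be checked before it is used.
// The built-in category table is a constructed subset; Sandworm ships a larger one.
const BUILTIN_CATEGORIES = {
  "Public Domain": ["Unlicense", "CC0-1.0"],
  "Permissive": ["MIT", "ISC", "Apache-2.0"],
  "Weakly Protective": ["LGPL-2.1-only", "MPL-2.0"],
  "Strongly Protective": ["GPL-2.0-only", "GPL-3.0-only"],
  "Network Protective": ["AGPL-3.0-only"],
  "Uncategorized": ["CC-BY-3.0"],
};

// Supported severities, most severe first (this ordering is an assumption used for precedence).
const SEVERITIES = ["critical", "high", "moderate", "low"];

// The default policy in the object form described on this page.
const DEFAULT_POLICY = {
  high: ["cat:Network Protective", "cat:Strongly Protective"],
  moderate: ["cat:Weakly Protective"],
};

// Builds a license -> category lookup. Built-in assignments come first; entries from
// policy.categories are applied afterwards, so a custom category that reuses a reserved
// name moves the listed licenses out of their built-in category.
function buildCategoryIndex(policy) {
  const index = new Map();
  for (const [category, licenses] of Object.entries(BUILTIN_CATEGORIES)) {
    for (const license of licenses) index.set(license, category);
  }
  for (const { name, licenses } of policy.categories || []) {
    for (const license of licenses) index.set(license, name);
  }
  return index;
}

// Returns the severity a policy assigns to one license string, or null for no issue.
// Rule order (assumption): an explicit license string or a matching "cat:" entry at the
// most severe level wins; licenses that land in no known category, or in Uncategorized,
// always raise high regardless of the policy.
function resolveSeverity(policy, license, index = buildCategoryIndex(policy)) {
  const category = index.get(license) || "Uncategorized";
  for (const severity of SEVERITIES) {
    const entries = policy[severity] || [];
    if (entries.includes(license) || entries.includes(`cat:${category}`)) return severity;
  }
  return category === "Uncategorized" ? "high" : null;
}

// Runs a policy over a dependency -> license map and returns the issues it would raise.
function auditLicenses(policy, dependencyLicenses) {
  const index = buildCategoryIndex(policy);
  const issues = [];
  for (const [dependency, license] of Object.entries(dependencyLicenses)) {
    const severity = resolveSeverity(policy, license, index);
    if (severity) issues.push({ dependency, license, severity });
  }
  return issues;
}

// Constructed sample dependency tree (package names and licenses are made up).
const SAMPLE_DEPS = {
  "left-pad": "MIT",
  "some-lgpl-lib": "LGPL-2.1-only",
  "some-agpl-server": "AGPL-3.0-only",
  "some-cc-asset": "CC-BY-3.0",
  "mystery-pkg": "WTFPL",
};

// A custom policy that keeps the default triggers, moves CC-BY-3.0 into Permissive,
// and additionally flags MIT as critical (only to show the mechanics).
const CUSTOM_POLICY = {
  critical: ["MIT"],
  high: ["cat:Network Protective", "cat:Strongly Protective"],
  moderate: ["cat:Weakly Protective"],
  categories: [{ name: "Permissive", licenses: ["CC-BY-3.0"] }],
};

// A policy that only lists MIT: because it replaces the default entirely, AGPL and LGPL
// no longer raise anything, while unknown licenses still raise high.
const MIT_ONLY_POLICY = { critical: ["MIT"] };

console.log(auditLicenses(DEFAULT_POLICY, SAMPLE_DEPS));
console.log(auditLicenses(CUSTOM_POLICY, SAMPLE_DEPS));
console.log(auditLicenses(MIT_ONLY_POLICY, SAMPLE_DEPS));
```

The `MIT_ONLY_POLICY` run is the case worth checking in a real setup: a policy that only adds one rule silently drops the default `high` and `moderate` triggers for copyleft categories, which is exactly the pitfall the paragraph on overwriting the default policy warns about.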