License Policies

Sandworm uses license policies to determine what sort of issues to raise when scanning your app's dependency licenses. A license policy object links specific license strings or license categories to issue severity levels. Any usage of such licenses will, upon audit, generate a license issue of the specified severity.

Default license categories

The default license categories are:

  • Public Domain

  • Permissive

  • Weakly Protective

  • Strongly Protective

  • Network Protective

  • Uncategorized

The default license category names are reserved. You can't define custom license categories with the same name as a default one, but you can override Sandworm's default category assignment for a license - see custom license categories below.

See Sandworm's built-in SPDX license database for the full classification breakdown.

The default license policy

The default license policy:

  • Generates high severity license issues for licenses labeled as Network Protective or Strongly Protective;

  • Generates moderate severity license issues for licenses labeled as Weakly Protective.

Uncategorized licenses always result in a high severity license issue. See issue types.

Custom license policies

You can configure Sandworm to use a custom license policy. The policy object:

  • has keys that match one of the supported issue severities: critical, high, moderate, or low;

  • has values that are arrays;

  • each array value is a string that represents:

    • a specific license - for example MIT;

    • a category of licenses, prefixed by "cat:" - for example cat:Network Protective.

As an example, here is the representation of the default license policy that Sandworm applies:

{
  "high": ["cat:Network Protective", "cat:Strongly Protective"],
  "moderate": ["cat:Weakly Protective"]
}

To provide a custom license policy, use the --license-policy command-line option, or the audit.licensePolicy field in the .sandworm.config.json configuration file. For example, to generate a critical issue for any dependency using the MIT license:

sandworm-audit --license-policy '{"critical": ["MIT"]}'

Or using a configuration file:

.sandworm.config.json
{
  "audit": {
    "licensePolicy": {
      "critical": ["MIT"]
    }
  }
}

Custom license categories

Apart from the default categories above, Sandworm also supports user-defined license categories. To define categories, set the categories key of the license policy JSON to an array of {name: 'string', licenses: ['string', ...]} objects:

.sandworm.config.json
{
  "audit": {
    "licensePolicy": {
      "categories": [
        {
          "name": "Text Licenses",
          "licenses": ["CC-BY-3.0"]
        }
      ],
      "high": ["cat:Network Protective", "cat:Strongly Protective"],
      "moderate": ["cat:Weakly Protective"]
    }
  }
}

The default license category names are reserved. When using a default name in a custom category definition, the associated licenses are moved from their pre-assigned category to the specified one. For example, to move the CC-BY-3.0 license from Uncategorized to Permissive, you can use:

.sandworm.config.json
{
  "audit": {
    "licensePolicy": {
      "categories": [
        {
          "name": "Permissive",
          "licenses": ["CC-BY-3.0"]
        }
      ],
      "high": ["cat:Network Protective", "cat:Strongly Protective"],
      "moderate": ["cat:Weakly Protective"]
    }
  }
}

Within the default categories, a license can only be assigned to a single category. A license can, however, belong to multiple user categories.
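The following is an added example, not Sandworm's own code: a small evaluator that applies a license policy object of the shape described above (severity keys, "cat:" prefixes, and a categories array, including the reserved-name override) to a list of dependencies. The license-to-category table is a constructed stand-in for Sandworm's SPDX database and covers only a few licenses; the names auditLicenses, buildCategoryIndex and SAMPLE_DEPS are hypothetical. It also assumes that when several policy entries match, the highest severity wins, and that a custom policy replaces the default rules rather than extending them, which is why the page's own custom-category examples restate the high and moderate entries.

```javascript
// Added example, not Sandworm's own code: a minimal evaluator for the license-policy
// object described on this page. The license table below is a constructed stand-in
// for Sandworm's SPDX database and covers only a handful of licenses.

const DEFAULT_CATEGORIES = [
  'Public Domain', 'Permissive', 'Weakly Protective',
  'Strongly Protective', 'Network Protective', 'Uncategorized',
];
const SEVERITIES = ['critical', 'high', 'moderate', 'low']; // highest first

// Constructed subset of a license -> default-category table (assumption, not the real database).
const BUILTIN_LICENSE_CATEGORY = {
  'CC0-1.0': 'Public Domain',
  'MIT': 'Permissive',
  'Apache-2.0': 'Permissive',
  'MPL-2.0': 'Weakly Protective',
  'GPL-3.0-only': 'Strongly Protective',
  'AGPL-3.0-only': 'Network Protective',
};

// The default policy from the page, as valid JSON.
const DEFAULT_POLICY = JSON.parse(`{
  "high": ["cat:Network Protective", "cat:Strongly Protective"],
  "moderate": ["cat:Weakly Protective"]
}`);

// Reject policies that do not follow the shape described on the page.
function validatePolicy(policy) {
  for (const [key, value] of Object.entries(policy)) {
    if (key === 'categories') {
      if (!Array.isArray(value)) throw new Error('"categories" must be an array');
      for (const c of value) {
        if (typeof c.name !== 'string' || !Array.isArray(c.licenses)) {
          throw new Error('each category needs a "name" string and a "licenses" array');
        }
      }
    } else if (!SEVERITIES.includes(key)) {
      throw new Error(`unknown severity "${key}"`);
    } else if (!Array.isArray(value) || !value.every((v) => typeof v === 'string')) {
      throw new Error(`"${key}" must be an array of strings`);
    }
  }
}

// Build license -> Set(categories). A license has at most one default category
// (none means Uncategorized) and any number of user-defined categories.
function buildCategoryIndex(policy) {
  const index = new Map();
  const add = (license, cat) => {
    if (!index.has(license)) index.set(license, new Set());
    index.get(license).add(cat);
  };
  for (const [license, cat] of Object.entries(BUILTIN_LICENSE_CATEGORY)) add(license, cat);
  for (const { name, licenses } of policy.categories || []) {
    for (const license of licenses) {
      if (DEFAULT_CATEGORIES.includes(name)) {
        // Reserved name: move the license out of its pre-assigned default category.
        const cats = index.get(license) || new Set();
        for (const c of DEFAULT_CATEGORIES) cats.delete(c);
        index.set(license, cats);
      }
      add(license, name);
    }
  }
  return index;
}

function categoriesOf(license, index) {
  const cats = new Set(index.get(license) || []);
  if (!DEFAULT_CATEGORIES.some((c) => cats.has(c))) cats.add('Uncategorized');
  return cats;
}

// dependencies: [{ name, license }] -> issues: [{ name, license, severity, reason }]
function auditLicenses(dependencies, policy = DEFAULT_POLICY) {
  validatePolicy(policy);
  const index = buildCategoryIndex(policy);
  const issues = [];
  for (const dep of dependencies) {
    const cats = categoriesOf(dep.license, index);
    if (cats.has('Uncategorized')) {
      // Per the page, an uncategorized license is always a high severity issue.
      issues.push({ ...dep, severity: 'high', reason: 'license is Uncategorized' });
      continue;
    }
    // First match in severity order wins (assumption: highest severity takes precedence).
    for (const severity of SEVERITIES) {
      const rule = (policy[severity] || []).find((r) =>
        (r.startsWith('cat:') ? cats.has(r.slice(4)) : r === dep.license));
      if (rule) {
        issues.push({ ...dep, severity, reason: `matches policy entry "${rule}"` });
        break;
      }
    }
  }
  return issues;
}

// Constructed dependency list for the demo.
const SAMPLE_DEPS = [
  { name: 'web-framework', license: 'MIT' },
  { name: 'db-driver', license: 'MPL-2.0' },
  { name: 'net-service', license: 'AGPL-3.0-only' },
  { name: 'docs-theme', license: 'CC-BY-3.0' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditLicenses(SAMPLE_DEPS));
}
```

With the default policy the constructed list yields three issues: MPL-2.0 at moderate, AGPL-3.0-only at high, and CC-BY-3.0 at high because it has no default category. Passing the page's Permissive override for CC-BY-3.0 removes the last one, while a user-defined category such as "Text Licenses" does not, since a license needs a default category to escape the Uncategorized rule.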
