
How to Use Nexus Lifecycle for License Obligation Review

In less than two minutes we demonstrate how to scan applications for license obligations in this episode of DevSecOps Delivered.

License Obligation Review Tool

Here I am in my IQ Server, looking at a software bill of materials. I want to learn more about the licenses in it, so I will go to lort.cx.sonatype.com, which is accessible to Sonatype customers.

I can see that there are nearly 1,400 valid licenses, sorted with the worst offenders first. So if I want to look at one of the worst offenders, for example AGPL, I can click into it, which takes me to the exact section of the license text that is relevant.

Specific License Reports

But what if I want to look at the licenses for a specific report? I can import the licenses from a scan. I fill in the IQ Server URL, my credentials, the application ID, which in this case is sandbox-application, and the report ID. Each report has a unique ID, which I can take from the report's URL.

Once I press “Retrieve Scan Results”, the count changes: 23 relevant licenses were discovered in this report. As before, I can click into a license and see its text on the right. I can also create a License Attribution Report, which lists, for my application, every license and the components it applies to.
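The same four inputs the tool asks for (server URL, credentials, application ID, report ID) are enough to pull the report's license data yourself and build an attribution list without the UI. The script below is an added example, not code from the video or from Sonatype: it extracts the report ID from a report link the way the narration describes, builds the raw-report REST path, and groups components by license. The REST path (`/api/v2/applications/{publicId}/reports/{reportId}`), the assumption that the report ID is the 32-hex-character last path segment of the UI link, and the `licenseData` field layout are my assumptions about the IQ Server v2 API; the sample report is constructed, so the script runs offline and no credentials are used.

```python
"""Group one Nexus IQ Server scan report by license, the same data the License
Obligation Review Tool retrieves with URL + credentials + application ID + report ID.
Added example, not from the post or from Sonatype. REST path, report-ID format and
report JSON shape are assumptions based on the public IQ Server v2 API."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: a report link copied from the IQ Server UI ends in /report/<32 hex chars>.
REPORT_URL_RE = re.compile(r"/report/([0-9a-f]{32})$")


def report_id_from_url(url: str) -> str:
    """Take the unique report ID from a report URL, as the narration does by hand."""
    path = urlparse(url).path.rstrip("/")
    match = REPORT_URL_RE.search(path)
    if not match:
        raise ValueError(f"no report ID found in {url!r}")
    return match.group(1)


def raw_report_endpoint(base_url: str, application_id: str, report_id: str) -> str:
    """Assumed endpoint: GET {base}/api/v2/applications/{publicId}/reports/{reportId}.
    Fetch it with basic auth (the credentials field of the tool); not called here."""
    return f"{base_url.rstrip('/')}/api/v2/applications/{application_id}/reports/{report_id}"


def licenses_by_component(report: dict) -> dict[str, list[str]]:
    """Map each license ID to the components that carry it. Prefer the effective
    license, fall back to declared, then observed (field names are assumptions)."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for comp in report.get("components", []):
        name = comp.get("packageUrl") or comp.get("displayName") or "<unknown>"
        data = comp.get("licenseData", {})
        licenses = (data.get("effectiveLicenses")
                    or data.get("declaredLicenses")
                    or data.get("observedLicenses")
                    or [])
        for lic in licenses:
            grouped[lic["licenseId"]].add(name)
    return {lic: sorted(comps) for lic, comps in sorted(grouped.items())}


def attribution_report(grouped: dict[str, list[str]]) -> str:
    """Plain-text attribution: one section per license, listing affected components."""
    lines = [f"{len(grouped)} relevant licenses discovered"]
    for lic, comps in grouped.items():
        lines.append(f"\n{lic} ({len(comps)} component(s))")
        lines.extend(f"  - {c}" for c in comps)
    return "\n".join(lines)


def _lic(lic_id: str) -> dict:
    return {"licenseId": lic_id, "licenseName": lic_id}


# Constructed sample report, shaped like the assumed raw-report JSON.
SAMPLE_REPORT = {
    "components": [
        {"packageUrl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "licenseData": {"declaredLicenses": [_lic("Apache-2.0")], "observedLicenses": [],
                         "effectiveLicenses": [_lic("Apache-2.0")]}},
        # Observed-only license: nothing declared in the POM, found in the source tree.
        {"packageUrl": "pkg:maven/com.example/agpl-lib@1.0.0",
         "licenseData": {"declaredLicenses": [], "observedLicenses": [_lic("AGPL-3.0")],
                         "effectiveLicenses": []}},
        {"packageUrl": "pkg:npm/left-pad@1.3.0",
         "licenseData": {"declaredLicenses": [_lic("WTFPL")], "observedLicenses": [],
                         "effectiveLicenses": []}},
        # Dual-licensed component appears under both licenses.
        {"packageUrl": "pkg:npm/dual@2.0.0",
         "licenseData": {"declaredLicenses": [_lic("MIT"), _lic("Apache-2.0")],
                         "observedLicenses": [], "effectiveLicenses": []}},
    ]
}

if __name__ == "__main__":
    rid = report_id_from_url(
        "https://iq.example.com/ui/links/application/sandbox-application/report/"
        "0123456789abcdef0123456789abcdef")
    print(raw_report_endpoint("https://iq.example.com", "sandbox-application", rid))
    print(attribution_report(licenses_by_component(SAMPLE_REPORT)))
```

The fallback order matters for a review: an effective license is what the server resolved after policy and manual overrides, while observed-only licenses (like the AGPL component above) are exactly the ones a declared-license-only view would miss.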


Written by Stefania Chaplin

Stefania Chaplin was a Solutions Architect at Sonatype. She was responsible for helping customers understand and implement DevSecOps across the EMEA region. Stefania has a history as a Python/Java developer and enjoys the challenge of improving the quality of software across different languages and ecosystems.