Manage licenses

Helm supports the ingestion of licensing information from CycloneDX and SPDX SBOMs, and enriches this information via our partnership integration with Tidelift. You can also manually enter or modify license details as needed.

For each dependency component, you can view its details or manually modify it to add licensing information. All licensing information displays in the License details section of the dependency component details panel.

Supported SPDX licenses

Ingest licenses from CycloneDX SBOMs

Helm populates license information from the following sections in a CycloneDX SBOM:

  • components > licenses: The primary source for license information. Each dependency component must include either a license ID, name, or SPDX expression.

  • components > pedigree > notes: This will be populated into the License comments field. Because this notes field applies to all components in a CycloneDX SBOM, the information in this field will be applied to all licenses for a particular dependency component.

Helm does not support license information populated from other sections of a CycloneDX SBOM. Any such information will be retained in exports but ignored in the UI.

Ingest licenses from SPDX SBOMs

A SPDX SBOM contains packages, each of which could be a file or set of files, grouped by the SBOM author. These files can be of any type, including source, documents, and binaries. Helm processes each package as a dependency component. A SPDX SBOM can contain licensing information at the package, file, or even code snippet level. For every package that contains licensing, Helm populates that license information into the dependency component's details in the Licenses section.

Helm processes each package as a dependency component and populates license information from the following fields:

  • PackageLicenseConcluded: The primary field for populating the license name. If missing, Helm will use the PackageLicenseDeclared field.

  • ExtractedLicensingInfo: If present, this section provides license names and text for custom or non-SPDX licenses. When a custom license is added, you can manually enter the license name, but the URL will not display.

Helm does not currently handle file-level licensing. If you need this, let us know! If your SBOM includes file-level license information, it will be included in the export but not displayed in the UI.

SPDX spec version

Although Helm supports SPDX 2.2 and 2.3, this article uses the SPDX 2.3 spec with license list 3.17. Helm supports SPDX license exceptions, deprecated SPDX license IDs, and all version lists.

If your SPDX version or license list version is different, SBOM section names or field names may differ; check your particular SPDX spec version.

Identify and automatically add missing licenses

Helm has partnered with Tidelift to enrich license information for open-source components that lack licensing details:

  • Component license is set to No license (NONE in SPDX): If a dependency component in your SBOM lacks a license but has a unique PURL or Helm can generate the correct PURL, Helm will check with Tidelift to determine if any licenses are associated with that component. If so, Helm will add those licenses to provide you with a comprehensive view of licensing info and identify licensing risks across your supply chain.

  • Component license is set to Unknown (NOASSERTION in SPDX): If your SBOM component license is set to Unknown (NOASSERTION in SPDX), but Tidelift indicates that there is one or more licenses associated with that component, we will add those licenses for you.

  • Component has one or more licenses: If your SBOM component has at least one license, but Tidelift shows that it is inaccurate or that there are additional licenses associated with this component, we will not update this license information. If this is something that you would like us to add, let us know.

If you'd like us to consider adding the ability to prompt you with license replacement suggestions, let us know.

View license information

The Licenses section of the component details panel displays the following fields:

License type: This field is populated from the license information in your SBOM.

  • License expression: For components combining multiple SPDX licenses with AND or OR, or using a SPDX license exception.

  • Individual licenses: For components with multiple SPDX licenses that are not combined with AND or OR (or +), or for components with custom licenses.

  • No license (NONE in SPDX): The component has no associated license. Choose this option only if you are certain that your SBOM component does not have an associated license.

    • SPDX SBOM: Indicates that the SPDX SBOM author provided NONE as the package-level license information. The SPDX spec requires that when the info is not provided, it be set to NOASSERTION.

    • CycloneDX SBOM: There is no corresponding value for this in the CycloneDX 1.4 or 1.5 specs. If you manually add this for a license and then export your CycloneDX SBOM, the licensing information for this component will have this value in the components > licenses > license name field.

    • For open-source dependency components, Helm will attempt to identify whether there actually is an associated license for you.

  • Unknown (NOASSERTION in SPDX): Use this if you are unsure whether the component has an associated license. For open-source dependency components, Helm will attempt to identify this license for you.

    • SPDX SBOM: Indicates that the SPDX SBOM author provided NOASSERTION or did not provide package-level license information.

    • CycloneDX SBOM: Indicates that the CycloneDX SBOM did not contain any licensing information or the licensing information was empty; such components display as Unknown.

License name:

SPDX SBOMs

For SPDX SBOMs, this field is populated from the SBOM's PackageLicenseConcluded, PackageLicenseDeclared, or ExtractedLicensingInfo sections. PackageLicenseDeclared will only be used if the PackageLicenseConcluded field in the SBOM is blank or omitted.

  • If the package-level licensing has a LicenseRef[idstring] and that LicenseRef[idstring] matches one in the ExtractedLicensingInfo section, the license name and full license text will be populated from that section into License name and License text, respectively. If the license name is missing, the term Custom license will be used as the license name.

  • Non-SPDX license in your SPDX SBOM: If your SPDX SBOM contained the ExtractedLicensingInfo section, the License name field will be populated with the corresponding license name from ExtractedLicensingInfo > name field.

  • SPDX SBOM has NONE or NOASSERTION in the package: If the PackageLicenseConcluded field contains NONE or NOASSERTION, that value will be populated here. If the component is open-source and has a unique PURL, then we will check whether there is license information for that component and if so, enrich it with the missing information.

  • SPDX SBOM contains no package-level licensing information: NOASSERTION will be populated into the License name field.

  • SPDX licenses combined with +: We do not currently support adding licenses combined with a +, such as Apache-2.0+MIT, but we will import such a value from your SBOM. If you need to edit it, Helm will automatically convert the + expression to use AND. If you need support for +, let us know!

  • SPDX license exceptions: If you need to add a SPDX license exception, type WITH after your first SPDX license, such as GPL-2.0-or-later WITH Bison-exception-2.2. Make sure to observe spacing: after you type WITH followed by a space, you can either click the drop-down to view only valid SPDX license exceptions or start typing to filter the exceptions.
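To make the SPDX precedence rules concrete (the package-level fields described under "Ingest licenses from SPDX SBOMs" and in this License name section), here is an added Python example; it is not Helm's code, and the SBOM fragment is constructed. It uses the SPDX 2.3 JSON serialization names, which correspond to the tag-value field names used in this article.

```python
import json

# Constructed SPDX 2.3 JSON fragment (not taken from the page). JSON names map to the
# tag-value fields named in the text: licenseConcluded = PackageLicenseConcluded,
# licenseDeclared = PackageLicenseDeclared, licenseComments = PackageLicenseComment,
# hasExtractedLicensingInfos = ExtractedLicensingInfo.
SPDX_DOC = json.loads("""{
  "hasExtractedLicensingInfos": [
    {"licenseId": "LicenseRef-acme-eula", "name": "Acme EULA",
     "extractedText": "Permission is granted to use this software under the Acme terms."},
    {"licenseId": "LicenseRef-unnamed", "extractedText": "Text of a license with no name."}
  ],
  "packages": [
    {"name": "libfoo", "licenseConcluded": "MIT", "licenseDeclared": "Apache-2.0",
     "licenseComments": "Concluded from LICENSE file"},
    {"name": "libbar", "licenseConcluded": "", "licenseDeclared": "BSD-3-Clause"},
    {"name": "libbaz", "licenseConcluded": "LicenseRef-acme-eula"},
    {"name": "libqux", "licenseConcluded": "LicenseRef-unnamed"},
    {"name": "libnil", "licenseConcluded": "NONE", "licenseDeclared": "MIT"},
    {"name": "libna"}
  ]
}""")


def spdx_package_license(pkg, extracted):
    """Apply the precedence described in the text: PackageLicenseConcluded, else
    PackageLicenseDeclared when Concluded is blank or omitted, else NOASSERTION.
    NONE and NOASSERTION in Concluded are kept as-is (Declared is not consulted).
    A LicenseRef-... id is resolved against ExtractedLicensingInfo for its name and
    text; a missing name becomes 'Custom license'."""
    expr = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
    details = {"name": expr, "text": None, "comments": pkg.get("licenseComments")}
    if expr.startswith("LicenseRef-"):
        info = extracted.get(expr, {})
        details["name"] = info.get("name") or "Custom license"
        details["text"] = info.get("extractedText")
    return details


def spdx_licenses(doc):
    """Return the License details for every package, keyed by package name."""
    extracted = {e["licenseId"]: e for e in doc.get("hasExtractedLicensingInfos", [])}
    return {p["name"]: spdx_package_license(p, extracted) for p in doc["packages"]}
```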

CycloneDX SBOMs

  • This field is populated from the components > licenses > license > id field if the id field is used in the SBOM, or from the components > licenses > license > name field if it exists.

  • CycloneDX SBOM does not contain licensing info or licensing info is empty: Since there is no corresponding defined term for missing CycloneDX licensing information, this will show as Not set.
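The CycloneDX mapping described under "Ingest licenses from CycloneDX SBOMs" and in this section, as an added Python example that is not Helm's code; the SBOM fragment is constructed. Rejecting an entry that has neither an id, a name, nor an expression is this example's choice, since the article only states that one of them is required.

```python
import json

# Constructed CycloneDX 1.5 JSON fragment (not taken from the page). Each item of
# components[].licenses is either {"license": {"id" or "name", "url"}} or {"expression": ...}.
CDX_DOC = json.loads("""{
  "components": [
    {"name": "left-pad", "licenses": [{"license": {"id": "MIT", "url": "https://opensource.org/license/mit"}}],
     "pedigree": {"notes": "MIT"}},
    {"name": "dualpkg", "licenses": [{"expression": "Apache-2.0 OR GPL-2.0-only"}]},
    {"name": "vendored", "licenses": [{"license": {"name": "Vendor EULA"}}, {"license": {"id": "BSD-2-Clause"}}],
     "pedigree": {"notes": "BSD-2-Clause AND Vendor EULA"}},
    {"name": "empty", "licenses": []},
    {"name": "absent"}
  ]
}""")

UNKNOWN = "Unknown (NOASSERTION in SPDX)"


def cdx_license_details(comp):
    """Build the License details for one component as the text describes:
    id (else name) -> License name, url -> License URL, pedigree > notes -> License
    comments on every license, and missing or empty licensing -> Unknown with the
    License name shown as Not set."""
    entries = comp.get("licenses") or []
    notes = (comp.get("pedigree") or {}).get("notes")
    if not entries:
        return {"type": UNKNOWN, "licenses": [{"name": "Not set", "url": None, "comments": notes}]}
    licenses = []
    ltype = "Individual licenses"
    for entry in entries:
        if "expression" in entry:
            ltype = "License expression"
            licenses.append({"name": entry["expression"], "url": None, "comments": notes})
            continue
        lic = entry.get("license") or {}
        name = lic.get("id") or lic.get("name")
        if not name:  # this example's choice; the article does not say what Helm does here
            raise ValueError(f"{comp['name']}: license entry needs an id, name, or expression")
        licenses.append({"name": name, "url": lic.get("url"), "comments": notes})
    return {"type": ltype, "licenses": licenses}


def cdx_licenses(doc):
    """Return the License details for every component, keyed by component name."""
    return {c["name"]: cdx_license_details(c) for c in doc.get("components", [])}
```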

License URL:

  • For SPDX licenses, this field is automatically populated from the SPDX license list and is uneditable.

  • The URL does not display for custom licenses. If this is something that you would like us to add, let us know.

  • CycloneDX SBOM: This is populated from the components > licenses > license url field.

License text:

  • SPDX SBOM: For custom licenses, this will be populated from the ExtractedLicensingInfo > text section of SPDX SBOMs.

  • You can add or modify license text for both SPDX and custom licenses.

License comments:

  • SPDX SBOM: This is only populated from the package-level PackageLicenseComment field.

  • CycloneDX SBOM: Populated when the components > pedigree > notes field contains at least one SPDX license ID. Some automatic scanning tools populate either the SPDX license full name or an AND/OR SPDX expression here. If the notes field exists in your SBOM file, its contents will be added as License comments for all of the licenses for that particular SBOM component.

  • You can add or modify license comments for both SPDX and custom licenses.

  • Comments are applied to all licenses associated with a dependency component.

License source:

  • SBOM: The license information was populated directly from your SBOM.

  • System: For open-source components that have unique PURLs but do not have license information, Helm checks Tidelift to determine if there are known licenses for those components. If so, Helm enriches the component with that information. Helm will only enrich license information for components that do not have any license information; it will not add licenses to components that already have one or more licenses, nor will it replace existing licenses.

  • User: License was added or modified by a user.

What does it mean to have a unique PURL?

A component's unique PURL could be either the original PURL for that component that was in your SBOM file, or a PURL that Helm added or enriched during the component matching process.

Add component license

  1. Click Add dependency component from the Add SBOM (Manage SBOMs) drop-down button.

  2. Specify the required fields.

  3. In the License details section, select a License type. Choose License expression if you have one or more SPDX licenses in an expression (e.g., connected with AND, OR, or WITH) or Individual licenses if you have one or more SPDX or custom licenses (not in an expression) that you want to add to a component. You can also select Unknown or No license.

  4. If you're adding a license expression, click the License expression drop-down to show the SPDX license list or start typing to filter the list. You can use AND, OR, or WITH. For example, typing Ap would give you applicable Apache licenses for the first half of the expression, while typing Apache-2.0 AND MI would give you any available MIT licenses for the second half. Make sure to observe spacing.

  5. If you want to add a nested expression, such as MIT AND (LGPL-2.1-or-later OR BSD-3-Clause), type ( to display the SPDX license list or start typing to filter the list. Note that the expression in the parentheses will be processed first.

  6. If you want to add a SPDX license exception, type WITH after the license, then select the exception from the drop-down (e.g., GPL-2.0-or-later WITH Bison-exception-2.2). Make sure to observe spacing.

  7. If you're adding one or more individual licenses, click the License name drop-down to show the SPDX license list, start typing to filter the list, or keep typing to enter a custom license.

  8. If you need to clear a license value, click the x icon in the field.

  9. If you need to remove a license before you've saved, click Remove in the license section.

  10. For individual custom licenses, specify any license text. You cannot add text for a SPDX license.

  11. Add any license comments in the License comments field. License comments will be associated with all licenses for that component.

  12. For individual licenses, click Add another license to add a new license. You cannot add individual licenses to a License expression. You can add as many licenses as you want. Your first license will show License 1, then your second will show License 2. When you save, these section names will change to the license name or expression itself.

  13. Click Add component. You'll see a success message. If you don't see your component, you may have a sort applied.

Edit component license

  1. Click Actions > Edit details to open the component details.

  2. In the License details section, click Edit in the license section you want to edit.

  3. If you just want to edit license type, license text or license comments, click the edit icon next to that field. Any edits you make to the license comments will be applied to all other licenses for this component.

  4. Make any changes, then click Save changes. You'll see a success message. If you don't see your component, you may have a sort applied.

Delete component license

  1. Click Actions > Edit details to open the component details.

  2. In the License details section, click Edit in the license section you want to edit. This will display a Delete action.

  3. Click Delete, then confirm the deletion. You cannot recover a deleted license or its related data. If you are deleting the only license associated with this component, this will also delete any license comments.

  4. Click Close. The deletion has already been performed and cannot be cancelled. You'll see a success message. If you don't see your component, you may have a sort applied.

Deprecated licenses:

You can ingest or manually add or edit deprecated SPDX licenses. Deprecated SPDX licenses are available in the Deprecated licenses section of the License type drop-down.

Filter component licenses

You can filter licenses on the SBOM page to narrow down your view:

  • SPDX license ID

  • No license (NONE for SPDX)

  • Unknown (NOASSERTION for SPDX)

Export SBOM with license information

You can export your SBOM with enriched license information in the following formats. Click Reports in the sidebar, then select your preferred format.

  • FDA SBOM: Excel format.

  • Vulnerability Disclosure Report (VDR): JSON format. Missing license information will be noted as Unknown (NOASSERTION in SPDX) in the export.

  • CycloneDX SBOM: JSON format. Missing license information will be noted as Unknown (NOASSERTION in SPDX) in the export.

  • SPDX SBOM: JSON or XML format. Any file-level licensing details will also be included in the export, though they will not display in the Helm UI.

  • CSV format: Export your SBOM data, including CPE/PURL and license information, as a CSV file.


© Copyright MedCrypt 2024, All rights reserved.