License information
Understanding how dependencies are licensed is crucial, especially in commercial applications, because the license defines the rights to use, modify, and redistribute the code, and those terms carry through to anything built on top of it.
How Stacklok Insight reports license information
Stacklok Insight identifies license information from the package registry and the source code repository to surface all claims a package makes about its licensing. Along with a link to the full license text, Stacklok Insight reports the Blue Oak Council rating of the license and whether it is approved by the Open Source Initiative (OSI).
The Blue Oak Council is a non-profit organization that publishes software licensing information and guidance. A license is rated Gold, Silver, Bronze, or Lead according to the council's judgment of its permissiveness and legal rigor.
OSI-approved licenses comply with the Open Source Definition – in brief, they allow software to be freely used, modified, and shared.
In cases where the license information from the package registry and the source code repository differs, both licenses are listed, and Stacklok Insight indicates the source of each identified license. Registry metadata is declared by whoever published the package and is not checked against the repository, so a disagreement between the two is worth resolving rather than ignoring.
Multi-licensed packages
Some projects explicitly allow consumers to choose from more than one license. Such cases are represented using an OR operator, like "MIT License OR Apache License 2.0": you may comply with whichever alternative suits you. In other situations, multiple licenses apply simultaneously to a package, for example when a project bundles components under different licenses. These are represented using an AND operator, like "MIT License AND Apache License 2.0": you must comply with every listed license at once. When checking a package against a license policy, this means an OR expression passes if any one alternative is acceptable, while an AND expression passes only if all of its licenses are acceptable.
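The OR/AND semantics above map directly onto a policy check. The following is an added example, not code from Stacklok Insight, that parses expressions in the form the page shows (license names that may contain spaces, joined by AND and OR, with optional parentheses) and evaluates them against an allowlist. It assumes AND binds tighter than OR, which is the SPDX convention; the `ALLOWED` set and the registry/repository sample claims are constructed, and the rule that a package is accepted only when every source's claim is acceptable is a conservative policy choice of this example, not Stacklok Insight's behaviour.

```python
import re

# Constructed sample policy: the licenses this (hypothetical) organisation accepts.
ALLOWED = {"MIT License", "Apache License 2.0", "BSD 3-Clause License"}


def tokenize(expr):
    """Split an expression into license names, the keywords AND/OR, and parentheses.
    Names may contain spaces ("Apache License 2.0"); the keywords are matched as
    whole words so a name such as "GRAND Public License" is not split."""
    parts = re.split(r"(\(|\)|\bAND\b|\bOR\b)", expr)
    return [p.strip() for p in parts if p.strip()]


class _Parser:
    """Recursive-descent parser. AND binds tighter than OR (the SPDX convention,
    assumed here), so "A OR B AND C" parses as A OR (B AND C)."""

    def __init__(self, tokens):
        self.toks = tokens
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self._parse_or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _parse_or(self):
        left = self._parse_and()
        while self._peek() == "OR":
            self._take()
            left = ("OR", left, self._parse_and())
        return left

    def _parse_and(self):
        left = self._parse_primary()
        while self._peek() == "AND":
            self._take()
            left = ("AND", left, self._parse_primary())
        return left

    def _parse_primary(self):
        tok = self._take()
        if tok == "(":
            node = self._parse_or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in (")", "AND", "OR"):
            raise ValueError(f"expected a license name, got {tok!r}")
        return ("LIC", tok)


def parse_expression(expr):
    """Parse to a tree of ("LIC", name) / ("AND", l, r) / ("OR", l, r) tuples."""
    return _Parser(tokenize(expr)).parse()


def is_acceptable(expr, allowed=ALLOWED):
    """OR: the consumer picks any alternative, so one acceptable branch suffices.
    AND: every license applies at once, so every branch must be acceptable."""
    def walk(node):
        kind = node[0]
        if kind == "LIC":
            return node[1] in allowed
        if kind == "OR":
            return walk(node[1]) or walk(node[2])
        return walk(node[1]) and walk(node[2])  # kind == "AND"
    return walk(parse_expression(expr))


def evaluate_claims(claims, allowed=ALLOWED):
    """`claims` maps a source ("registry", "repository") to the expression found
    there. When the sources disagree, this conservative policy (an assumption of
    this example, not Stacklok Insight's behaviour) accepts the package only if
    every source's claim is acceptable on its own."""
    per_source = {src: is_acceptable(expr, allowed) for src, expr in claims.items()}
    return per_source, all(per_source.values())


if __name__ == "__main__":
    # Constructed sample: registry metadata says MIT, the repository declares both.
    sample = {"registry": "MIT License",
              "repository": "MIT License AND Apache License 2.0"}
    print(evaluate_claims(sample))
    print(is_acceptable("MIT License OR GPL-3.0"), is_acceptable("MIT License AND GPL-3.0"))
```

Malformed expressions (a dangling operator, an unclosed parenthesis) raise `ValueError` rather than silently evaluating to a verdict, which is the behaviour you want in a CI gate: an expression you cannot parse is not one you can approve.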