
Does Snyk offer management for Open Source License Compliance? If yes, is it possible to generate reports based on the licences being used?


Does Snyk offer management for Open Source License Compliance? If yes, is it possible to generate reports based on the licences being used?

I was wondering if Snyk is able to offer any management and reporting capabilities to check compliance for the open source licenses in my code.


Solution

  • First and foremost, Snyk is able to handle a wide range of Open Source licences (380+), but Snyk doesn't provide legal advice on which licences can and can't be used in a production environment.

    The official Snyk documentation on Snyk License Compliance Management can be read here.

    Open Source License Compliance is set up at the Snyk Group level [Policies >> License policies] and is enabled on the Enterprise plan. After configuring a license policy, you can decide which organisations or project attributes it applies to (you can specify multiple organisations or multiple attributes).

    It is also possible to change the severity of a particular license, or add a new license instruction for your developers.

    Screenshot: Snyk Custom OS License Policies

    Where can I see/find the License Issues?

    1. On the "Issue Cards" of Open Source manifest files (and also lock files). This has the smallest radius: only the licenses for the given manifest file are displayed.

       Screenshot: License issues related to a given OS package

    2. At the Snyk Organisation level: all OS licenses and license issues from all your dependencies in a given Snyk organisation can be displayed and exported to a CSV file. You can either choose [Dependencies Tab >> Licenses]:

       Screenshot: Licenses being used in your dependencies

       Or set the following filter on the new reporting page [Reports >> Add filter: Issue Type >> License]. The results can be exported to a CSV or PDF file.

       Screenshot: License issues related to a Snyk Org

    3. At the Group level: this is where we can view all license issues across all Snyk Organisations (it works similarly to item 2 above).

    4. With the Snyk API (using this endpoint): in this case we get a JSON output (by configuring the filters payload further, we can adjust the list of findings). Dependencies using dual licenses can also be exported, e.g.:

       Screenshot: Export license issues with the Snyk API

    5. For several companies and developers it may also be relevant to display not only the licenses, but also the dependencies together with the license texts. In this case we can call the snyk-licenses-texts tool for help and create such reports:

       Screenshot: License issues: dependencies, copyrights, projects in Snyk and License texts

    6. Last but not least, we also have the option to use the Snyk CLI in basically any kind of pipeline. In this scenario we can leverage the snyk-to-html tool and generate HTML files (pipeline artefacts) for our Open Source, Container, IaC or Code projects. As part of the Open Source report, we can also see license issues:

       Screenshot: License issue in the generated HTML file
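As an added example (not Snyk's own code or tooling), the following script post-processes the JSON produced by the CLI or API in a pipeline: it separates license findings from vulnerability findings, summarises them per license and severity, renders a CSV report and lists the packages that would block a build at a chosen severity. The input is a constructed sample; the assumption that license findings carry "type": "license" and a "license" field mirrors the shape of `snyk test --json` output but is not taken from this page.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample in the shape of `snyk test --json` output (assumption:
# license findings have "type": "license" and a "license" key; only the
# keys used below are included, other fields of real output are omitted).
SAMPLE_SNYK_JSON = json.dumps({"vulnerabilities": [
    {"id": "snyk:lic:npm:example-gpl:GPL-2.0", "type": "license",
     "severity": "high", "license": "GPL-2.0",
     "packageName": "example-gpl", "version": "1.0.0"},
    {"id": "snyk:lic:npm:example-lgpl:LGPL-3.0", "type": "license",
     "severity": "medium", "license": "LGPL-3.0",
     "packageName": "example-lgpl", "version": "2.3.1"},
    {"id": "snyk:lic:npm:example-gpl-dup:GPL-2.0", "type": "license",
     "severity": "high", "license": "GPL-2.0",
     "packageName": "example-gpl-dup", "version": "0.9.0"},
    {"id": "SNYK-JS-EXAMPLE-0000001", "type": "vuln",  # not a license issue
     "severity": "critical", "packageName": "example-vuln", "version": "4.0.0"},
]})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def license_issues(snyk_json_text):
    """Return only the license findings from a snyk test JSON document."""
    data = json.loads(snyk_json_text)
    return [v for v in data.get("vulnerabilities", []) if v.get("type") == "license"]

def summarize_by_license(issues):
    """Count affected packages per (license, severity) pair."""
    return Counter((i["license"], i["severity"]) for i in issues)

def to_csv(issues):
    """Render license issues as CSV text, one row per package@version."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["package", "version", "license", "severity", "issue_id"])
    for i in sorted(issues, key=lambda x: (x["license"], x["packageName"])):
        writer.writerow([i["packageName"], i["version"], i["license"], i["severity"], i["id"]])
    return buf.getvalue()

def blocking_packages(issues, min_severity="high"):
    """Packages whose license severity meets the pipeline gate threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted(i["packageName"] for i in issues
                  if SEVERITY_RANK.get(i["severity"], -1) >= threshold)

if __name__ == "__main__":
    found = license_issues(SAMPLE_SNYK_JSON)
    print(to_csv(found))
    print("blocking:", blocking_packages(found))
```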