Jit Announces Open Source License Detection and Tracking
Updated March 25, 2024.
Earlier this year Jit announced Software Bill of Materials, which catalogs every open source component in your codebase – making it easy to understand if you are using an open source component that is impacted by a newly disclosed security vulnerability.
With our new release of Open Source License Detection, you’ll also be able to detect the associated license of each open source component in your codebase.
Open source components licensed under GPL, EUPL, and other copyleft licenses can introduce legal risks when used in commercial applications. When copyleft-licensed open source components are incorporated into a codebase, the licenses require that the entire codebase be published as open source as well.
This can pose serious legal risks for development teams that may accidentally use a copyleft-licensed open source component in their proprietary codebase, without realizing the legal implications.
To help our customers rest easy knowing they aren’t using any copyleft licenses, our automated Open Source License Detection and tracking product lists the associated license alongside every open source component in their codebase.
Unlike traditional open source license compliance solutions, Jit automatically scans every PR for copyleft licenses, making it easy for developers to catch potential license violations before their code is merged.
As a result, Jit Open Source License Detection automatically and continuously protects your codebase from noncompliant packages. Combined with Jit’s SBOM, you can generate reports and drill down to specific package usage to fully guard against open source vulnerabilities and copyleft licenses.
How Jit’s Open Source License Detection and Tracking Works
To get started with Jit’s Open Source License Checking, go to the Jit Max Security Plan and scroll down to the “Scan your code for license violations” item. Hit “Activate”.
This will automatically scan every repo connected to Jit, which you can define in your “Settings” tab.
Analyze the Results of Open Source License Scanning
To see the results of the scans, go to the backlog tab – here you’ll see every license that is out of compliance with your defined policy (more on editing your open source license detection policy below).
As shown on the right of the screenshot, you can click into each dependency to learn about the risks of the specific license. Rather than hunting down the location of each open source component in violation, Jit will tell you which repo the open source component resides in, down to the line of code.
As a default setting, Jit will automatically highlight all GPL and EUPL licenses, which place restrictive terms on how the open source component can be used.
Continuously Scan Every PR to Block Copyleft Licensed Open Source Early in the SDLC
Activating the “Scan your code for license violations” policy isn’t just a one-off scan. Rather, for each connected repo, Jit will scan every PR as it is created to surface open source licenses that are out of compliance with your defined policies.
In the example below, Jit surfaces a GPL-licensed open source component in the PR, so that developers will know not to merge the new code before making a fix.
This makes it easy for developers to stop copyleft licenses from merging into the codebase from the very start. To be safe, you can also configure Jit to scan your entire codebase on a schedule to catch any copyleft-licensed open source that fell through the cracks.
Customize Your Open Source License Detection Policy
Jit’s license compliance policy is based on a deny-list – every open source license specified in this list will be flagged as an issue.
Sticking with Jit’s core approach, you can edit the deny-list as code by modifying the jit-config.yml file located at User's organization/.jit/.jit/jit-config.yml.
As mentioned earlier, all GPL and EUPL licenses are automatically flagged by default.
To add new licenses to the deny-list, simply add the name of the license to the yaml file. The wildcard character (*) can be employed to match licenses that contain a specific string. For instance, *Apache* matches licenses like Apache-2.0, L-Apache, etc. The yaml is not case sensitive.
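The matching rules just described (exact license names plus wildcard patterns, compared case-insensitively) are easy to misjudge, so here is an added example, not Jit’s own code, that applies a deny-list to an SBOM-style component inventory. The list layout and the component records are constructed for illustration; the real jit-config.yml schema is not shown on this page.

```python
import fnmatch
from typing import Iterable, Optional

# Constructed deny-list (assumed layout, not Jit's actual jit-config.yml).
# Entries without '*' must match the whole license identifier; entries with
# '*' are wildcard patterns that match any identifier containing the string.
DENY_LIST = [
    "GPL-2.0",
    "GPL-3.0",
    "EUPL-1.2",
    "*AGPL*",
    "*Apache*",   # same wildcard form as the page's example
]

# Constructed component inventory, the kind of data an SBOM provides.
COMPONENTS = [
    {"name": "left-pad", "version": "1.3.0", "license": "MIT"},
    {"name": "readline", "version": "8.2", "license": "gpl-3.0"},
    {"name": "commons-lang3", "version": "3.12", "license": "Apache-2.0"},
    {"name": "ghostscript", "version": "10.0", "license": "AGPL-3.0-only"},
    {"name": "spdx-tool", "version": "0.1", "license": "L-Apache"},
    {"name": "isc-lib", "version": "2.0", "license": "ISC"},
]


def license_denied(license_id: str, deny_list: Iterable[str]) -> Optional[str]:
    """Return the deny-list entry that matches license_id, or None.

    Comparison is case-insensitive. Note that an exact entry such as
    'GPL-3.0' does NOT match 'GPL-3.0-or-later'; use a wildcard for that.
    """
    needle = license_id.strip().lower()
    for entry in deny_list:
        pattern = entry.strip().lower()
        if "*" in pattern:
            if fnmatch.fnmatchcase(needle, pattern):
                return entry
        elif needle == pattern:
            return entry
    return None


def find_violations(components, deny_list=DENY_LIST):
    """Return (name, version, license, matched entry) for each flagged component."""
    violations = []
    for c in components:
        hit = license_denied(c["license"], deny_list)
        if hit is not None:
            violations.append((c["name"], c["version"], c["license"], hit))
    return violations


if __name__ == "__main__":
    for name, version, lic, entry in find_violations(COMPONENTS):
        print(f"{name}@{version}: license {lic} matches deny-list entry {entry}")
```

Running it flags readline, commons-lang3, ghostscript and spdx-tool; the exact entry "GPL-3.0" would not catch "GPL-3.0-or-later", which is the case a wildcard entry is for.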
Getting started with Jit Open Source License Detection
To get started with Jit’s Open Source License Detection – along with our full suite of security controls that include SAST, SCA, secrets detection, IaC scanning, CI/CD security, CSPM, DAST, and more – simply install the Jit app on GitHub via the GitHub marketplace.
From there, you can connect with all your repos to automatically scan your entire codebase, while also implementing continuous scanning to highlight issues in every PR.