
# CODE-006 Software License Compliance

## Software License Compliance

| ID             |
| -------------- |
| DSOVS-CODE-006 |

### Overview

Software license compliance is the process of ensuring that software applications, and the open-source components they depend on, are used in accordance with the terms of their respective license agreements.

It is an important part of DevSecOps because it helps ensure that developers consume third-party software in a legal and ethical manner, while also preventing potential copyright or intellectual property infringements. Modern applications pull in large transitive dependency trees, and a single permissively licensed direct dependency can, through its own dependencies, introduce a copyleft or otherwise restrictive license deep in the graph where nobody chose it deliberately.

By monitoring software license compliance, teams can be confident that third-party components are legally obtained, properly attributed, and free of obligations that conflict with how the application is distributed. License scanning also surfaces components with unknown or missing licenses, which often correlate with poorly maintained code and associated security risk.

### Level 0 - No tooling exists to perform open-source software license compliance analysis

At this level there is no capability to identify the licenses of the open-source components used in the application. Dependencies are added freely and their license obligations are unknown, so the organisation has no visibility into whether it is meeting attribution requirements or whether copyleft and other restrictive licenses have been introduced. License risk is effectively invisible and is only discovered, if at all, during legal disputes, acquisition due diligence, or customer audits.

### Level 1 - An on-demand scanning tool is used to identify license violations when third-party components are used in the application

A license scanning tool is available and is run manually, typically by a developer or release engineer before pulling in a new dependency or preparing a release. The tool inventories the components in use and reports the license attached to each, allowing obligations and conflicts to be assessed against an approved policy.

This is a clear improvement on Level 0 because license information becomes visible and decisions can be made deliberately. However, because scanning is on-demand and depends on someone remembering to run it, coverage is inconsistent. Results may not be recorded, and dependencies added between scans can slip through unnoticed.

```mermaid
graph LR; Build-- License Scan -->Dependencies-->Results;
```

### Level 2 - A third-party software license scanning tool is implemented in the build pipeline, scans run automatically, and the build status is reported

License scanning is integrated into the build pipeline so that every build automatically inventories all direct and transitive dependencies and evaluates their licenses against the organisation's policy. The build reports the result, and a disallowed or unknown license can fail the build or raise a warning, providing fast and consistent feedback to developers.

This removes the reliance on manual effort that limited Level 1. Because the scan runs on every build, newly introduced dependencies are caught automatically and policy is applied uniformly across all projects that use the pipeline, giving the organisation continuous and repeatable visibility of its license posture.

```mermaid
graph LR;
Build-- code push -->CICD-Pipeline-- License Scan -->Dependencies--License Results -->CICD-Pipeline; CICD-Pipeline-- Code Deployment -->Finish
```
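The policy step that sits between "inventory the dependencies" and "report the build status" is the part most teams have to write themselves, because scanners emit SPDX license expressions, not verdicts. The following is an added example (not code from the DSOVS project or from any scanner) of such a gate: it evaluates compound SPDX expressions against an allow/deny policy, treating `OR` as a choice the consumer may make and `AND` as obligations that all apply, reports components with missing or unparseable license metadata as `unknown`, and returns a build verdict. The allow and deny lists, the inventory shape and the sample packages are assumptions constructed for illustration; real lists come from legal review of how the product is distributed.

```python
"""License policy gate for a CI build.

Added example for this page, not code from the DSOVS project or from any scanner.
The inventory shape, the allow/deny lists and the sample packages are assumptions
constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass

# Assumed policy: permissive and weak-copyleft licences allowed, strong copyleft denied.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0"}
DENIED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}
_RANK = {"allowed": 0, "unknown": 1, "denied": 2}  # higher is worse
_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+\-]+")


class _Malformed(ValueError):
    """Raised internally when an SPDX expression cannot be parsed."""


@dataclass
class Verdict:
    name: str
    version: str
    expression: str
    status: str  # "allowed", "unknown" or "denied"


def classify(license_id: str) -> str:
    """Map a single SPDX identifier to a policy status."""
    if license_id in DENIED:
        return "denied"
    if license_id in ALLOWED:
        return "allowed"
    return "unknown"


def evaluate_expression(expr: str) -> str:
    """Evaluate a compound SPDX expression.

    OR  : the consumer may choose either branch, so the best status wins.
    AND : both branches apply, so the worst status wins.
    WITH: the exception is not re-evaluated here; the base licence's status is kept.
    Empty or unparseable expressions are reported as unknown, never as allowed.
    """
    tokens = _TOKEN.findall(expr or "")
    pos = 0

    def parse_or() -> str:
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            result = min(result, parse_and(), key=_RANK.get)
        return result

    def parse_and() -> str:
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            result = max(result, parse_atom(), key=_RANK.get)
        return result

    def parse_atom() -> str:
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] in ("AND", "OR", "WITH", ")"):
            raise _Malformed(expr)
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise _Malformed(expr)
            pos += 1
            return inner
        status = classify(tok)
        if pos < len(tokens) and tokens[pos] == "WITH":
            pos += 1  # consume WITH, then require an exception identifier
            if pos >= len(tokens) or tokens[pos] in ("AND", "OR", "WITH", "(", ")"):
                raise _Malformed(expr)
            pos += 1
        return status

    if not tokens:
        return "unknown"
    try:
        status = parse_or()
    except _Malformed:
        return "unknown"
    return status if pos == len(tokens) else "unknown"


def gate(inventory, fail_on_unknown=True):
    """Evaluate every component; return (verdicts, build_should_fail)."""
    verdicts = [
        Verdict(c["name"], c["version"], c.get("license", ""),
                evaluate_expression(c.get("license", "")))
        for c in inventory
    ]
    blocking = {"denied", "unknown"} if fail_on_unknown else {"denied"}
    return verdicts, any(v.status in blocking for v in verdicts)


# Constructed sample inventory, in the shape a pipeline would load from an SBOM.
SAMPLE_INVENTORY = [
    {"name": "left-pad", "version": "1.3.0", "license": "MIT"},
    {"name": "dual-pkg", "version": "2.0.1", "license": "MIT OR GPL-3.0-only"},
    {"name": "mixed-pkg", "version": "0.9.0", "license": "Apache-2.0 AND GPL-2.0-only"},
    {"name": "nested-pkg", "version": "3.3.0", "license": "(MPL-2.0 OR LGPL-2.1-only) AND MIT"},
    {"name": "classpath-pkg", "version": "4.1.0", "license": "GPL-2.0-only WITH Classpath-exception-2.0"},
    {"name": "no-metadata", "version": "0.0.1", "license": ""},
]

if __name__ == "__main__":
    results, failed = gate(SAMPLE_INVENTORY)
    for v in results:
        print(f"{v.status:8} {v.name}@{v.version}  {v.expression or '<none>'}")
    sys.exit(1 if failed else 0)
```

Run as a pipeline step, the non-zero exit code fails the build exactly as the Level 2 text describes; `fail_on_unknown=False` downgrades missing metadata to a warning for teams that are still cleaning up their inventory. Two design points matter: an `OR` expression is only acceptable if the team actually records which branch it chose (the attribution obligations differ), and `WITH` exceptions such as `Classpath-exception-2.0` are kept at the base licence's status here rather than silently relaxed, so a reviewer has to add an explicit rule before they pass.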

### Level 3 - Findings are automatically recorded in a centralised issue tracking system, and the effectiveness of the tooling is reviewed regularly

Level 3 builds on the automated pipeline scanning of Level 2 by routing all findings into a centralised issue tracking or governance system. Every license violation, policy exception, and remediation is recorded, tracked over time, and made available for reporting across the whole portfolio rather than living only in transient build logs.

The organisation periodically reviews the effectiveness of the tool and its policy: it examines false positives, tunes the approved and denied license lists, validates that the dependency inventory (and any generated SBOM) is accurate, and confirms that obligations such as attribution are actually being met. This measured, continuously improved approach ensures license compliance scales with the organisation and adapts to new components and changing legal requirements.

```mermaid
graph LR;
Build-- code push -->CICD-Pipeline-- License Scan -->Dependencies--License Results -->Policy-Gate-- recorded -->Centralised-Issue-Tracker; CICD-Pipeline-- Code Deployment -->Finish
```

## Notable Tools

⚠️ **Disclaimer**

Apart from official OWASP Projects, the tools in this section have been chosen on the basis of their proven capabilities alone and there is no other relationship between the DSOVS project leaders and the creators or vendors who maintain them.

If you have a suggestion for a notable tool please [💡 Suggest a Tool](https://github.com/OWASP/www-project-devsecops-verification-standard/discussions/categories/ideas)

### [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit)

ScanCode Toolkit is a widely used open-source tool that detects licenses, copyrights, package metadata, and dependencies in source code and binaries. It is highly accurate, produces machine-readable output (JSON, SPDX, CycloneDX), and is well suited to building a detailed, auditable inventory of the licenses present in a codebase.

[GitHub Actions](https://github.com/nexB/scancode-toolkit)

```yaml
name: scancode-license-scan
on:
  pull_request:
  push:
  workflow_dispatch:
jobs:
  scan:
    name: scancode
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install ScanCode Toolkit
        run: pip install scancode-toolkit
      - name: Run license and copyright scan
        run: |
          scancode --license --copyright --package \
            --json-pp scancode-results.json .
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: scancode-results
          path: scancode-results.json
```

### [Trivy](https://github.com/aquasecurity/trivy)

Trivy is an open-source scanner from Aqua Security that, in addition to vulnerability detection, can scan project dependencies and report the licenses they use. It classifies findings by severity according to a configurable license policy and can fail the build when forbidden or restricted licenses are detected, making it a convenient single tool for combined license and security scanning.

[GitHub Actions](https://github.com/aquasecurity/trivy-action)

```yaml
name: trivy-license-scan
on:
  pull_request:
  push:
  workflow_dispatch:
jobs:
  scan:
    name: trivy-license
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy license scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scanners: license
          severity: HIGH,CRITICAL
          exit-code: "1"
          # trivy-action takes the filesystem target via scan-ref, not path
          scan-ref: .
```

[GitLab CI](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/gitlab-ci/)

```yaml
stages:
  - license-compliance

trivy-license:
  stage: license-compliance
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy fs --scanners license --severity HIGH,CRITICAL --exit-code 1 .
```

### [FOSSA](https://fossa.com/)

FOSSA is a commercial platform for open-source license compliance and vulnerability management. It provides automated dependency analysis, policy enforcement, attribution and notice file generation, and SBOM export, and integrates with CI pipelines to record findings centrally and report on license obligations across an organisation's portfolio.


