License Scanning
The Q2Developer pipeline scans Python and JavaScript dependencies for license compliance on every merge request.
Overview
License scans run in two modes:
Restricted - Fails the pipeline if blocked licenses are found
Warning - Warns but does not block if concerning licenses are found
Python License Scanning
Uses pip-licenses to scan installed Python packages.
- pip-license-scan-restricted
  Installs dependencies from `requirements.txt` and fails if any package uses a license in `$BLOCKED_LICENSES`. Produces a `pip-licenses.json` artifact.
- pip-license-scan-warning
  Warns if any package uses a license in `$WARNING_LICENSES`. Allowed to fail.
JavaScript License Scanning
Uses license-checker to scan Node.js dependencies.
- js-license-scan-restricted
  Scans all `package.json` files (excluding `node_modules` and `.yalc` directories). Automatically detects the package manager (pnpm, yarn, or npm). Fails if any package uses a license in `$BLOCKED_LICENSES`.
- js-license-scan-warnings
  Warns if any package uses a license in `$WARNING_LICENSES`. Allowed to fail.
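The two jobs above reduce to the same decision: take the scanner's report, compare each package's license against the blocked and warning lists, and fail only in restricted mode. The following is an added example of that gate, written for this page rather than taken from the Q2Developer pipeline. It assumes `$BLOCKED_LICENSES` and `$WARNING_LICENSES` are comma-separated SPDX identifiers (the page does not state the format), reads the JSON shapes `pip-licenses --format=json` (a list of objects with `Name`, `Version`, `License`) and `license-checker --json` (an object keyed `name@version` with a `licenses` field) produce, and uses constructed sample reports with fictional package names. The page says nothing about packages whose license is `UNKNOWN`; treating those as warnings is an assumption made here so they are surfaced rather than silently passed.

```python
"""Evaluate dependency license reports against blocked/warning lists (added example)."""
import json
import re

# Policy lists: assumed to arrive as comma-separated SPDX identifiers in the
# $BLOCKED_LICENSES / $WARNING_LICENSES variables (format is an assumption).
BLOCKED_LICENSES = "AGPL-3.0,AGPL-3.0-or-later,Apache-1.1,CC-BY-SA-4.0,MS-RL,OSL-3.0"
WARNING_LICENSES = "GPL-2.0,GPL-3.0,LGPL-2.1,LGPL-3.0,MPL-2.0,Proprietary"

OK, WARN, BLOCK = 0, 1, 2

# ';' is what pip-licenses uses to join several license classifiers; treated as AND.
_CONJ = re.compile(r"\s*(?:\bAND\b|;)\s*")
_DISJ = re.compile(r"\s*\bOR\b\s*")


def parse_policy(value):
    """Turn 'A,B, C' into {'A', 'B', 'C'}; blank entries are ignored."""
    return {item.strip() for item in value.split(",") if item.strip()}


def license_severity(identifier, blocked, warning):
    """Severity of one identifier. license-checker appends '*' to guessed licenses;
    UNKNOWN / empty is treated as a warning (assumption, see lead-in)."""
    ident = identifier.strip().rstrip("*")
    if not ident or ident.upper() == "UNKNOWN":
        return WARN
    if ident in blocked:
        return BLOCK
    if ident in warning:
        return WARN
    return OK


def expression_severity(expr, blocked, warning):
    """SPDX-style evaluation: with OR the consumer may pick any alternative, so the
    expression takes the severity of its most permissive alternative; AND (and ';')
    means every part applies, so an alternative is as bad as its worst part."""
    expr = expr.replace("(", "").replace(")", "")
    worst_per_alternative = []
    for alternative in _DISJ.split(expr):
        parts = [p for p in _CONJ.split(alternative) if p.strip()]
        if parts:
            worst_per_alternative.append(max(license_severity(p, blocked, warning) for p in parts))
    return min(worst_per_alternative) if worst_per_alternative else WARN


def pip_licenses_entries(report_json):
    """pip-licenses --format=json: list of {'Name', 'Version', 'License', ...}."""
    return [(f"{row['Name']}=={row['Version']}", row["License"]) for row in json.loads(report_json)]


def license_checker_entries(report_json):
    """license-checker --json: {'name@version': {'licenses': str | list, ...}}.
    A list of licenses is treated as all applying (conservative assumption)."""
    entries = []
    for package, info in json.loads(report_json).items():
        licenses = info.get("licenses", "UNKNOWN")
        if isinstance(licenses, list):
            licenses = " AND ".join(licenses)
        entries.append((package, licenses))
    return entries


def evaluate(entries, blocked=BLOCKED_LICENSES, warning=WARNING_LICENSES):
    """Classify (package, license expression) pairs into blocked and warning findings."""
    blocked_set, warning_set = parse_policy(blocked), parse_policy(warning)
    report = {"blocked": [], "warning": []}
    for package, expr in entries:
        severity = expression_severity(expr, blocked_set, warning_set)
        if severity == BLOCK:
            report["blocked"].append((package, expr))
        elif severity == WARN:
            report["warning"].append((package, expr))
    return report


def exit_code(report, mode):
    """'restricted' fails the job on any blocked license; 'warning' only reports
    (the warning jobs are allowed to fail, so nothing blocks the merge request)."""
    return 1 if mode == "restricted" and report["blocked"] else 0


# Constructed sample reports (fictional packages, not real scan output).
PIP_SAMPLE = json.dumps([
    {"Name": "samplelib", "Version": "1.0", "License": "MIT"},
    {"Name": "netsvc", "Version": "2.1", "License": "AGPL-3.0"},
    {"Name": "dualpkg", "Version": "0.3", "License": "GPL-2.0; MIT"},
    {"Name": "nometa", "Version": "9", "License": "UNKNOWN"},
])
JS_SAMPLE = json.dumps({
    "ui-kit@1.3.0": {"licenses": "MIT"},
    "picker@2.0.0": {"licenses": "(MIT OR GPL-3.0)"},
    "copyleft-ui@0.1.0": {"licenses": "MS-RL*"},
    "multi@1.0.0": {"licenses": ["Apache-2.0", "CC-BY-SA-4.0"]},
})

if __name__ == "__main__":
    for label, entries in (("pip", pip_licenses_entries(PIP_SAMPLE)),
                           ("js", license_checker_entries(JS_SAMPLE))):
        result = evaluate(entries)
        print(label, result, "restricted exit:", exit_code(result, "restricted"))
```

Two points the sample exercises: `picker` passes because one of its OR alternatives is permissive, while `dualpkg` is flagged because `;` from pip-licenses is ambiguous and is read conservatively as "both apply". Matching is exact string comparison, and pip-licenses reports the license text as the package declares it (classifier wording or free-form metadata), which is not always an SPDX identifier; in a real pipeline either the policy lists or the scanner output must be normalised to the same vocabulary or blocked licenses will be missed.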
Blocked License Policy
Certain licenses are blocked due to legal risk, copyleft obligations, commercial restrictions, or unclear licensing terms.
Blocked Licenses
AGPL-3.0, AGPL-3.0-or-later
Apache-1.1
Artifex-Commercial
AAL
CC-BY-SA-2.0, CC-BY-SA-3.0, CC-BY-SA-4.0
CC-BY-NC-ND-4.0
GFDL-1.1-only, GFDL-1.2-only, GFDL-1.3-only
IPA
MS-RL
OSL-1.1, OSL-3.0
VOSTROM
Why Licenses Are Blocked
| Risk Category | Examples | Why It’s Blocked |
|---|---|---|
| Strong Copyleft | AGPL, OSL | Requires releasing your source code when users interact with the software over a network, so the obligation applies to SaaS deployments that never ship a binary. High legal exposure for SaaS products. |
| Share-Alike | CC-BY-SA | Derivative works must use the same license, limiting how code can be distributed or commercialized. |
| Non-Commercial | CC-BY-NC-ND | Prohibits commercial use and derivative works entirely, incompatible with business applications. |
| Obsolete / Risky | Apache-1.1 | Superseded license versions with ambiguous terms or known legal issues. |
| Rare / Unrecognized | VOSTROM, IPA | Uncommon licenses that haven’t been vetted by legal, creating unknown risk. |
| Documentation-Only | GFDL | Designed for documentation, not code. Can create complications when bundled with software. |
| Proprietary / Commercial | Artifex | Requires paid licensing for commercial use. |
| Reciprocal Source Release | MS-RL | Any file containing MS-RL code, modified or not, must be distributed in source form under MS-RL. |
Warning Licenses
These licenses are evaluated on a case-by-case basis and receive closer review when the associated package is shipped to end users rather than used only server-side (for example, front-end assets such as HTML, CSS, and JavaScript bundles), since distribution is what triggers most of their obligations.
Licenses Requiring Review
Artistic-1.0, Artistic-2.0
CC-BY-3.0
CDL-1.0
CDDL-1.0, CDDL-1.1
CPL-1.0
EPL-1.0, EPL-2.0
EUPL-1.1, EUPL-1.2
GPL-1.0-or-later, GPL-2.0, GPL-3.0
GraalVM-Free-Terms
Innovatrics-Proprietary
LGPL-2.0, LGPL-2.1, LGPL-3.0
MPL-1.0, MPL-2.0
NVIDIA-Proprietary
OFL-1.1
Proprietary
SISSL
Why These Require Review
| Category | Examples | Considerations |
|---|---|---|
| Strong Copyleft | GPL variants | May require source disclosure depending on how the software is linked and distributed. |
| Weak Copyleft | LGPL, MPL, EPL, CDDL | Reciprocity is scoped to the library (LGPL) or to the licensed files (MPL, EPL, CDDL). Dynamic linking against unmodified packages is generally safe, but static linking or modifying the licensed code requires review. |
| Older / Ambiguous | Artistic-1.0, MPL-1.0 | Older versions may have unclear terms; newer versions are usually preferred. |
| Content Licenses | CC-BY-3.0, OFL | Appropriate for fonts and assets but carry attribution requirements. |
| Rare / Uncommon | CDL-1.0, SISSL | Less common licenses that require individual legal review. |
| Vendor Licenses | GraalVM, NVIDIA | Vendor-specific terms that may restrict redistribution or usage. |
| Proprietary | Innovatrics, Proprietary | Requires verification that a license agreement covering this use already exists. |
Requesting an Exception
Developers may submit an exception request for a blocked license. Requests are evaluated by Q2’s Security and Legal teams for potential impact.
Exceptions are a last resort, to be used only when no alternative package with a permissive license can be found. Requests must include a justification for why the dependency is necessary and why the alternatives considered are not viable.