Managing license profiles and policies
Advanced Security is only available in SonarQube Server, as an add-on starting in Enterprise Edition.
To reduce legal risk and maintain a high level of security for your software, it’s important to ensure your project’s dependencies use licenses that comply with your organization’s policies.
As an administrator, SonarQube Server allows you to define license policies to warn developers about the use of prohibited licenses in their projects.
About license profiles
A license profile is a collection of policies that define which licenses are allowed or prohibited for the dependencies used in your projects.
Once configured, analysis will raise a dependency risk when a dependency with a prohibited license is detected in your projects.
Depending on how your software is built, deployed, and delivered to your users, you may have different licensing requirements for different projects in your organization. You can create multiple license profiles based on the needs of your applications, and assign projects to each individual profile as needed.
Creating a license profile
To define which licenses are allowed or prohibited, you must create a license profile. Note that you need the Administer Quality Profiles permission to perform this task.
When you create a license profile, you choose if it applies:
- to only the projects you select
- to all the existing and future projects of your instance, except the projects already assigned to a different profile.
To create a license profile:
- Go to License profiles > Create profile.
- Give your license profile a name.
- Select the scope of your license profile:
- To use it only on certain projects, choose Only the projects I select.
- To create a default profile that applies to all projects, choose Every project I should use should use this project by default.
Managing license profiles
You can edit your license profiles under License profiles > your license profile.
If your profile is applied to selected projects only, go to Projects using this profile > Manage to edit the list of projects that use this license profile.
Viewing the list of licenses
Licenses used in your projects are listed in the License profiles > Licenses section. You can search for licenses and filter them by category.
Each license in the list has a display name and an SPDX identifier based on the SPDX License List, a listing of common open source licenses.
By default, all the licenses are prohibited, see “Configuring license policies” below for more information.
About license categories
Each license has a category determined by Sonar based on Blue Oak Council’s categorization of licenses. The categories are as follows:
| License category | Description |
|---|---|
| Standard permissive | The most commonly used permissive licenses. They grant broad permissions to use and modify with very minimal obligations (primarily attribution) and have all the essential elements of permissive open source licenses. Examples: MIT and Apache software licenses. |
| Non-standard permissive | Permissive licenses that lack one or more essential elements of modern permissive open source licenses, or impose complex or confusing requirements. Many use unclear, jocular, or incomplete language and can be considered less legally predictable to use. |
| Weak copyleft | Weak copyleft licenses require sharing your changes and additions to the licensed software when you give copies to others. Examples: GNU LGPL and the Mozilla Public License software licenses. |
| Strong copyleft | In addition to the requirements of the weak copyleft licenses, strong copyleft licenses require you to share larger programs that you build with the licensed software when you give copies to others. Example: the GNU GPL license. |
| Network copyleft | In addition to the requirements of strong copyleft licenses, network copyleft licenses require you to share larger programs that you build with the licensed software not just when you give copies to others, but also when you run the software for others to use over the Internet or another network. Examples: the GNU AGPL and the Server-Side-Public License software licenses. |
| Maximal copyleft | Maximal copyleft licenses answer the question “When does the license require you to share?” differently than other families. Maximal copyleft licenses require you to share software you make with others, and to license that software alike when you do. Example: the Parity and Reciprocal software licenses. |
| Uncategorized | Nonstandard licenses that do not fit into the above categories. |
Configuring license policies
Once your license profile is created, you can configure license policies to define which licenses are allowed or prohibited in your license profile.
By default, all licenses are prohibited.
From the Licenses section, you can configure:
- individual policies, by assigning the Allowed or Prohibited policy to each license.
- default policies, by mapping each license category to the Allowed or Prohibited policy. Default policies don’t apply to uncategorized licenses.
To set default policies, go to Default policies > Manage and select Allowed or Prohibited for each license category.
It’s possible to override default policies with individual policies for each license.
Related pages
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
