License - knowlesy/AZ400 GitHub Wiki
License rating
Licenses can be rated by the impact they have. When a package carries a particular type of license, using the package implies complying with that license's requirements. The license's impact on downstream use of the code, components, and packages can be rated High, Medium, or Low, depending on whether the license is copyleft, imposes downstream obligations, or only requires attribution. For compliance purposes, a high license rating can be treated as a risk to compliance, intellectual property, and exclusive rights.
Package security
Using components creates a software supply chain: the resulting product is a composition of all its parts and components. The same applies to the solution's security level. So, as with license types, it is essential to know how secure the components in use are. If one of the components isn't secure, then the entire solution isn't either.
Mend extension
- Mend automatically detects all open-source components, including their transitive dependencies, every time you run a build.
- Mend automatically generates an alert and provides targeted remediation guidance when a new security vulnerability is discovered.
- Mend automatically approves, rejects, or triggers a manual approval process every time a new open-source component is added to a build.
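The license rating, the "one insecure component makes the whole solution insecure" rule, and the approve/reject/manual-approval outcome above can be tied together in a small policy check. The following is an added example, not code from the wiki or from Mend: the license catalogue, the package manifest, and the decision thresholds are all constructed for illustration.

```python
# Constructed catalogue: each license is tagged with the nature the page rates on.
LICENSE_NATURE = {
    "GPL-3.0": "copyleft",      # strong copyleft -> High impact downstream
    "LGPL-2.1": "downstream",   # obligations on linked/derived work -> Medium
    "MIT": "attribution",       # attribution only -> Low
    "Apache-2.0": "attribution",
}
RATING_BY_NATURE = {"copyleft": "High", "downstream": "Medium", "attribution": "Low"}
SEVERITY = {"Low": 0, "Medium": 1, "High": 2}

# Constructed manifest: name -> (license, direct dependencies, known vulnerability?).
PACKAGES = {
    "webapp":   ("MIT",        ["http-lib", "json-lib"], False),
    "http-lib": ("Apache-2.0", ["tls-lib"],              False),
    "tls-lib":  ("LGPL-2.1",   [],                       True),   # transitive, vulnerable
    "json-lib": ("MIT",        [],                       False),
}

def rate_license(spdx_id):
    """Rate a license High/Medium/Low; an unknown license is rated High until reviewed."""
    nature = LICENSE_NATURE.get(spdx_id)
    return RATING_BY_NATURE[nature] if nature else "High"

def transitive_closure(root, packages):
    """Every package reachable from root, root included (walks transitive dependencies)."""
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(packages[name][1])
    return seen

def evaluate_build(root, packages):
    """Rate the whole solution from its parts: the worst license rating and any
    vulnerable transitive component decide the outcome. Returns
    (decision, worst_rating, vulnerable_components)."""
    worst, vulnerable = "Low", []
    for name in transitive_closure(root, packages):
        lic, _, has_vuln = packages[name]
        if SEVERITY[rate_license(lic)] > SEVERITY[worst]:
            worst = rate_license(lic)
        if has_vuln:
            vulnerable.append(name)
    if vulnerable:
        decision = "reject"           # one insecure component, whole solution insecure
    elif worst == "High":
        decision = "manual-approval"  # copyleft exposure needs a human decision
    else:
        decision = "approve"
    return decision, worst, sorted(vulnerable)
```

Running `evaluate_build("webapp", PACKAGES)` rejects the build because of the vulnerable transitive dependency `tls-lib`, even though no direct dependency is flagged.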