Sonatype’s Advanced Legal Pack (ALP) is an add-on to Nexus Lifecycle (release 108 and higher) that helps your organization streamline open-source software (OSS) license compliance, mitigate license risk, and expedite feedback between legal and development teams.
OSS Legal Obligations
OSS no longer affects only Development and Security teams. There are many people involved with minimizing OSS risk, and the best way to maintain and manage risk is to take all roles into account. The ALP helps Legal and Development teams work together to streamline OSS license compliance by automating manual tasks and providing automated legal workflows.
The use of OSS components is typically governed by license terms, and each license carries its own freedoms and restrictions. If developers want to use a certain component, they must comply with its license terms, which requires legal analysis of every component’s license. If you choose not to review license terms, or to ignore them, your company might be forced to publicly release all code for that application or pay large license fees.
Furthermore, there are international standards, like OpenChain, that require vendors to provide legal data and processes to manage legal obligations. In addition, more digital marketplaces, like Google’s Cloud Marketplace, require legal data before allowing the sale of an application.
Figure 1: ALP Extension Data
The ALP provides this legal data by automating the collection, compilation, and reporting of OSS legal obligations, which drastically improves team productivity and eliminates manual work, saving Legal and Development teams thousands of hours each year.
Previously, we offered the License Obligation Review Tool (LORT) for legal professionals, which provided a curated database of open source license obligations across multiple license categories, types, and threat groups. LORT, plus our new ALP data, workflows, and guidance, are all available in the Advanced Legal Pack, so you get the value of both LORT and ALP in one pack.
By automating the collection, compilation, and reporting of legal data, you can improve the productivity of your entire organization. Using the capabilities available in the ALP, your team will be able to:
- Spend time fixing problems versus searching for them. Development teams receive instant feedback on high-risk component licenses and are guided to alternative, less risky components.
- Reduce license compliance risk with automated OSS license compliance—automatically prevent code from being deployed if it doesn’t meet policy requirements.
- Reduce time spent on license compliance risk management.
- Eliminate manual reviews and automate license reviews for every OSS component, leaving your Legal resources free to work on higher priority issues.
- Obtain a central inventory of all OSS components, their applicable license, and compliance obligations that can be used for Legal and audit reviews.
Compliance at Speed
Building on the robust LORT features currently available in Nexus Lifecycle, the Advanced Legal Pack adds the following capabilities:
Figure 2: ALP Capabilities
Extended Legal Data
- Over 1,500 licenses cataloged, including commercial and OSS licenses, with a complete breakdown of legal obligations.
- Additionally, we provide extended legal data: any data related to a component that can be used to make legal decisions or fulfill legal obligations.
- Examples include notice texts, license texts, and copyright statements, which are required to be preserved or attributed in many liberal licenses.
- ALP automates the collection of all copyrights, required notices, and license texts identified in a given OSS component for Sonatype’s premium ecosystems.
Legal Compliance Workflow
- ALP’s legal compliance workflow makes it easy for legal reviewers to examine the extended legal data and fulfill legal obligations.
- When a reviewer decides that an obligation has been fulfilled, that work can be saved at the global, organization, or application level to ensure that future uses of the same component benefit from the same review.
- ALP’s workflow provides obligation management in compliance with industry standards.
Attribution Report Generation
- Automated generation of attribution reports that comply with 90+% of OSS license obligations.
- Customize and edit attribution reports, including the option to save attribution and obligation resolutions on a per component or per license basis.
- Attribution data can be used to fulfill cloud marketplace legal requirements or be provided to other third-party vendors.
The capabilities included in the Advanced Legal Pack are not available as core Lifecycle features. This is an add-on with an additional cost, available in Lifecycle release 108 and higher. To gain access to the capabilities in the ALP, please contact your Sonatype Sales or Customer Success Representative.
Accessing ALP Capabilities
After logging into Lifecycle, select the Legal tab from the navigation menu.
Figure 3: Legal Tab in navigation menu
From here, you will be able to manage your legal obligations and attributions via the Legal Backlog. The Legal Backlog provides a list of your applications with information on the last scan, application categories, and the components reviewed. Use the filters on the left to narrow your results by organization, application, application category, stage, or review progress.
Figure 4: Legal Backlog screen
Selecting an application from the table takes you to the Application Legal Details page. Here, you will see a list of all components in your application, and view details on their licenses, completed obligations, and review status. This is also where you can create an Attribution Report for the selected application.
Figure 5: Application Legal Details screen and Attribution Report
Selecting a component from the list takes you to the Component License Details page. The top portion of the screen gives you an overview of your review progress and other license details. The remainder of the screen is where you will review your license obligations, and add or edit copyright statements, notice texts, license texts, and attributions.
Figure 6: Component License Details screen
Now that you know how to access the capabilities of the ALP, let’s take a look at some ways this information can help you be successful.
Most legal teams don’t currently have a tool to support their work and rely on manual processes to manage compliance and licensing. The ALP automates and reduces these manual, time-consuming tasks. See below for some examples:
|Scenario|Lifecycle Workflow|ALP Workflow|
|---|---|---|
|As a release manager/legal reviewer, I’m being asked to provide an attribution report meeting the obligations of our OSS dependencies.|1. Export raw legal data out of Lifecycle as a CSV. 2. Spend upwards of 60 hours collecting data for a single application.|1. Automatically collect the required legal data. 2. Edit that data, as needed. 3. Use a form to generate an attribution report.|
|As a legal reviewer, I’m being asked by a third-party organization to provide extended legal data about components my development teams would like to use for approval.|No Lifecycle workflow. Alternative: download the component and use grep, or a third-party tool, to try to collect the data.|1. Select a component from the list of obligations. 2. Export the extended legal data.|
|As a legal reviewer, I would like more information about components with a Non-Declared, See-License, or Non-Standard license detection.|No Lifecycle workflow. Alternative: download the component and use grep, or a third-party tool, to try to collect the data.|1. Select a component from the list of obligations. 2. Check the extended legal data for potential detections that Lifecycle is not able to perform.|
The Bottom Line
The biggest benefit of the ALP is time savings. We achieve this by automating and eliminating manual reviews for every OSS component license, leaving legal resources more time to work on other issues. The ALP also provides a central inventory of all components, their license types, and their license obligations, which is available for legal and audit reviews. Finally, Development teams receive instant feedback on risky component licenses and are guided to alternative, less risky components when legal policy violations are flagged.
Talk to Us
Visit my.sonatype.com for all things Sonatype.