Software Licensing Certificates Series

This certificate verifies that a software project in active development has identified and internally assessed all direct dependencies and other third-party intellectual property for licence compatibility and critical vulnerabilities. It represents an initial stage of licence governance and compliance, achieved through internal verification.

It does not replace the analysis of transitive dependencies or the selection of the project’s own licence, and it does not imply distribution rights. This certificate confirms that your project was developed following good development practice.

It requires your team to self-evaluate key points about dependencies, licences, and security.

You may use this document as a checklist template for your project’s certification process.

Initial Steps

...

  •  Document all directly used external libraries and code (having an internal list is mandatory, and it may be made public).
  •  Document licences of these libraries and code (in the same list).
  •  Confirm that all direct dependencies are under valid open source or proprietary licences.
  •  Ensure that all these licences are mutually compatible for use in your software.
  •  Review each direct dependency for known critical security vulnerabilities (you can use the GÉANT-provided SCA and review services, or the CVE or NIST databases), and capture vulnerability details in an SCA report or internal document.
  •  Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets (may be recorded in the NOTICE file).
  •  Record information on direct dependencies and third-party IP (name, version, licence) in a README, NOTICE, or in an internal document, available on request with vulnerability details.

  •  Register the project in the GÉANT Software Catalogue.

Certification Process

...

  •  Internal list of direct dependencies, their licences, and vulnerabilities, available upon request

Consider producing public artefacts based on available templates:

  •  README – Optional, but it is useful to capture basic information about the software early; it is the starting point for documented and licensed software
  •  NOTICE – Optional, but required if legal notices or attributions for third-party components are mandated by dependency licences

Governance

Upon approval, your project will receive the Self-Assessed Dependencies Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Keep dependency, licence, and vulnerability data up to date. Review new or changed dependencies and monitor for newly discovered vulnerabilities or licence conflicts.

The certificate is valid for five years, covering all released versions within that period, provided that issues are promptly addressed.

...