Software Licensing Certificates Series

This certificate confirms that a software project has all direct and transitive dependencies identified, verified for licence compatibility and critical vulnerabilities, documented, and reviewed by the Licence Management Team. It does not address the software's own licence or compliance artefacts.

It requires your team to assess all dependencies and third-party intellectual property, prepare verification material, and provide it to the Licence Management Team for review.

The certificate builds on the Self-Assessed Dependencies Certificate by adding thorough verification, inclusion of transitive dependencies, and submission of evidence.

You may use this document as a checklist template for your project's certification process.

...

Aligned with Self-Assessed Dependencies Certificate

  •  Document all direct and transitive external libraries and code (an internal list is mandatory, and it may be made public).
  •  Document licences of these libraries and code (in the same list).
  •  Confirm that all direct and transitive dependencies are under valid open source or proprietary licences.
  •  Ensure that all these licences are mutually compatible for use in your software.
  •  Review each direct and transitive dependency for known critical security vulnerabilities (you can use the GÉANT-provided SCA and review services), and capture vulnerability details in an SCA report or internal document.
  •  Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets (may be recorded in the NOTICE file).
  •  Record information on direct dependencies and third-party IP (name, version, licence) in a README, NOTICE, or only in an internal document.

  •  Register the project in the GÉANT Software Catalogue.

Additional Requirements

  •  Extend the first four points of the Self-Assessed Dependencies Certificate requirements to transitive dependencies: document all external libraries and code used in the project, including transitive ones (an internal list is mandatory, and it may be made public), and record their licences in the same list.

Certification Process

  •  Address all dependency vulnerabilities and licence incompatibilities.
  •  Send a request to the Licence Management Team, including:
    •  The SCA results report, or a reference to the GÉANT SCA service run for the project
    •  Third-party IP details, if any
    •  Any supporting documentation, such as internal reports describing third-party components, their versions, licences, and vulnerabilities
  •  Provide clarifications or perform remediation if requested by the Licence Management Team.
  •  Update dependency records and documentation as needed.
  •  Reference the certificate in your documentation, metadata, project page, or communications.

See Contact Us for information on how to communicate with the Licence Management Team.

Artefacts

  •  Up-to-date internal list of all dependencies, including transitive ones, with their licences and security status, based on SCA tool results

Consider drafting public artefacts based on available templates. These files are reviewed and amended as part of the SLA Service.

  •  README – Optional, but useful to capture basic information about the software early; it is the starting point for documented and licensed software.
  •  NOTICE – Optional, but required if legal notices or attributions for third-party components are mandated by dependency licences.

Governance

Upon approval, your project will receive the Verified Dependencies Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Keep dependency, licence, and vulnerability data up to date. Review new or changed dependencies and monitor for newly discovered vulnerabilities or licence conflicts.

You may integrate continuous dependency and licence scanning (e.g. through CI/CD pipelines) to detect issues early and maintain long-term compliance.
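The kind of check such a pipeline would run, as an added example that is not part of this page or of the GÉANT SCA service: it resolves the transitive closure of a project's direct dependencies, tests every package against a licence allowlist and a critical-vulnerability threshold, and produces the internal dependency list named under Artefacts. All package names, versions, licences and advisory identifiers below are constructed for illustration, and the licence policy (a project distributed under Apache-2.0 with a permissive allowlist) is an assumption.

```python
"""Dependency gate for a CI pipeline (hypothetical example, not GÉANT tooling).

Resolves direct and transitive dependencies, flags licence incompatibilities
and critical vulnerabilities, and emits the internal dependency list."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    version: str
    licence: str                                          # SPDX identifier
    requires: list = field(default_factory=list)          # keys of packages it pulls in
    vulnerabilities: list = field(default_factory=list)   # (advisory id, severity)

    @property
    def key(self):
        return f"{self.name}@{self.version}"


# Constructed package metadata: names, versions, licences and advisory ids are made up.
CATALOGUE = {p.key: p for p in [
    Package("webfw", "3.1.0", "MIT", requires=["tmpl@2.0.4", "jsonlib@1.9.2"]),
    Package("tmpl", "2.0.4", "BSD-3-Clause", requires=["escape@0.7.1"]),
    Package("escape", "0.7.1", "MIT"),
    Package("jsonlib", "1.9.2", "Apache-2.0", vulnerabilities=[("EX-2024-0001", "CRITICAL")]),
    Package("fastcalc", "1.2.0", "GPL-3.0-only"),
    Package("plotkit", "0.3.0", "Proprietary-Vendor-EULA"),
]}
DIRECT = ["webfw@3.1.0", "fastcalc@1.2.0", "plotkit@0.3.0"]   # the project's own declared deps

# Assumed licence policy for a project distributed under PROJECT_LICENCE.
# Anything outside both sets is not rejected outright but routed to manual review.
PROJECT_LICENCE = "Apache-2.0"
COMPATIBLE = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
INCOMPATIBLE = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
BLOCKING_SEVERITIES = {"CRITICAL"}


def resolve(direct, catalogue):
    """Breadth-first walk from the direct dependencies.

    Returns {package key: True if direct, False if only reached transitively}.
    Direct entries are queued first, so a package that is both direct and
    transitive is recorded as direct."""
    seen = {}
    queue = deque((key, True) for key in direct)
    while queue:
        key, is_direct = queue.popleft()
        if key in seen:
            continue
        seen[key] = is_direct
        for child in catalogue[key].requires:
            queue.append((child, False))
    return seen


def check(pkg):
    """Return the list of blocking issues for one package (empty if clean)."""
    issues = []
    if pkg.licence in INCOMPATIBLE:
        issues.append(f"licence {pkg.licence} is incompatible with {PROJECT_LICENCE}")
    elif pkg.licence not in COMPATIBLE:
        issues.append(f"licence {pkg.licence} is not on the allowlist; manual review required")
    for advisory, severity in pkg.vulnerabilities:
        if severity.upper() in BLOCKING_SEVERITIES:
            issues.append(f"{advisory} ({severity}) must be addressed before certification")
    return issues


def gate(direct=DIRECT, catalogue=CATALOGUE):
    """Evaluate the full dependency tree.

    Returns (passed, rows); rows is the internal list artefact, one dict per
    package with name, version, licence, direct/transitive kind and issues."""
    rows = []
    for key, is_direct in sorted(resolve(direct, catalogue).items()):
        pkg = catalogue[key]
        rows.append({"name": pkg.name, "version": pkg.version, "licence": pkg.licence,
                     "kind": "direct" if is_direct else "transitive",
                     "issues": check(pkg)})
    passed = not any(row["issues"] for row in rows)
    return passed, rows


if __name__ == "__main__":
    ok, rows = gate()
    for row in rows:
        status = "; ".join(row["issues"]) or "OK"
        print(f"{row['name']:<10}{row['version']:<8}{row['licence']:<26}{row['kind']:<12}{status}")
    print("PASSED" if ok else "FAILED: fix the issues above before requesting certification")
```

Run as a CI step, a non-empty issue list fails the build, so a newly introduced copyleft transitive dependency or a fresh critical advisory is caught at the pull request rather than at renewal time. In a real pipeline the catalogue would be read from the SCA tool's output (an SBOM or report) instead of being embedded.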

The certificate is valid for five years and covers all versions released within that period, provided that identified issues are promptly addressed.

Reassess and submit a renewal request before the five-year validity ends, or sooner if there are significant changes (e.g. component replacement under a different licence, or inclusion of new components).

...

Further details are available in the Detailed Guide: Verified Dependencies Certificate.