Software Licensing Certificates Series

This certificate applies to software projects that are not externally distributed, or that have not yet declared a licence. It confirms that all third-party dependencies, including transitive ones, have been identified and externally verified for mutual licence compatibility and for critical vulnerabilities. It is suitable for internal tools or services, unlicensed or unpublished code, and projects seeking external validation before choosing a licence. It also requires that other third-party intellectual property is reviewed and documented.

The certificate does not grant distribution rights or replace licence selection and compliance, as it does not assess the project’s own licensing. It builds upon the Self-Assessed Dependencies Certificate, providing stronger assurance of third-party legal and security risks by extending the scope to transitive dependencies and introducing verification by the Licence Management Team, after the software team has internally evaluated key points about dependencies, licences, and security, and prepared verification materials.

A full specification of software licensing certificates is also available (the document is available for GÉANT participants).

Prerequisites

Ensure your software project:

  • Has all direct and transitive dependencies identified and documented (an internal list is mandatory)
  • Has identified licences for all direct and transitive dependencies
  • Has confirmed that all dependency licences are mutually compatible for use in the software
  • Contains no known critical vulnerabilities in dependencies
  • Lists any other third-party intellectual property included in the project (source code, components, content, designs, models, and similar assets that may be recorded in the NOTICE file)
  • Is registered in the GÉANT Software Catalogue

Step-by-Step Process

Identify Dependencies

Compile a comprehensive list of all direct and transitive third-party dependencies used in your software project. You may use structured manual review, a Software Composition Analysis (SCA) tool, or the GÉANT SCA service.

Document licence and vulnerability information for each dependency. Having an internal list of all included third-party libraries and code is mandatory. It should list all third-party components, their versions, licences, and known vulnerabilities.

If the project contains multiple repositories, separately list dependencies for each component and its respective repository. Include all standalone modules developed for joint use, even if loosely coupled (for example, internal services).

Verify Compatibility and Compliance

Confirm that every dependency is under a valid open source or proprietary licence. Ensure that all dependency licences are mutually compatible for use in your software.

Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets. Identify, assess, and document their inclusion, as SCA tools may not detect them. These records may be included in the project’s NOTICE file with attribution or licence notices if required by their terms of use.

Address Known Issues

Address all critical vulnerabilities in dependencies, typically by upgrading to secure versions.
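As an added illustration of the three steps above (not part of the original page or of any GÉANT tool), the following Python snippet runs the checks a team would apply to its mandatory internal dependency list before requesting verification: unidentified licences, unresolved critical vulnerabilities, and pairwise licence conflicts. The inventory, the vulnerability identifiers and the incompatible-pair policy table are constructed for the example; a real project would populate them from its SCA results and its own licence policy.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Dependency:
    """One row of the internal dependency list: name, version, licence, known vulnerabilities."""
    name: str
    version: str
    licence: Optional[str]                       # SPDX identifier, or None if not yet identified
    vulnerabilities: List[Tuple[str, str]] = field(default_factory=list)  # (advisory id, severity)
    transitive: bool = False                     # transitive dependencies are in scope too

# Hypothetical project policy: licence pairs that must not both appear in the dependency set.
# (GPL-2.0-only and Apache-2.0 are widely documented as incompatible; extend per your policy.)
INCOMPATIBLE_PAIRS = {frozenset({"GPL-2.0-only", "Apache-2.0"})}

def review_dependencies(deps: List[Dependency]) -> List[str]:
    """Return human-readable findings; an empty list means the inventory passes all three checks."""
    findings = []
    for d in deps:
        if not d.licence:
            findings.append(f"{d.name}@{d.version}: licence not identified")
        for advisory_id, severity in d.vulnerabilities:
            if severity.upper() == "CRITICAL":
                findings.append(f"{d.name}@{d.version}: unresolved critical vulnerability {advisory_id}")
    # Pairwise compatibility over the distinct licences actually present in the inventory.
    licences = sorted({d.licence for d in deps if d.licence})
    for i, a in enumerate(licences):
        for b in licences[i + 1:]:
            if frozenset({a, b}) in INCOMPATIBLE_PAIRS:
                findings.append(f"licence conflict: {a} is incompatible with {b}")
    return findings

# Constructed sample inventory (names, versions and advisory ids are placeholders, not real packages).
SAMPLE_INVENTORY = [
    Dependency("libfoo", "1.2.3", "MIT"),
    Dependency("libbar", "0.9.0", "Apache-2.0", transitive=True),
    Dependency("libbaz", "2.0.0", "GPL-2.0-only", [("ADVISORY-PLACEHOLDER-1", "CRITICAL")]),
    Dependency("libqux", "3.1.0", None),
]

if __name__ == "__main__":
    for finding in review_dependencies(SAMPLE_INVENTORY):
        print(finding)
```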

...

Prepare Required Documentation

Ensure that dependency information, vulnerability records, and third-party IP details (if any) are complete and up to date.

Prepare and make the following available to your team:

  • A list of all direct and transitive dependencies, including name, version, licence, and known vulnerabilities
  • Records of other third-party intellectual property included in the project, if any
  • Evidence of dependency assessment and vulnerability checks

Optional README and NOTICE files 

Consider preparing project artefacts containing dependency information (excluding vulnerability details; use available templates). Having these documents early makes the software more accessible and supports future licence declaration:

  • README – Optional, but useful to capture basic information about the software early; it is the starting point for documented and licensed software
  • NOTICE – Optional, but required if legal notices or attributions for third-party components are mandated by dependency licences

Consult with the Licence Management Team if you need clarifications or support during preparation.

Submit Request

Send a request to the Licence Management Team, including:

  • Detailed dependency list with licences and SCA tool results
  • Third-party intellectual property details, if any
  • Supporting documentation, such as descriptions of third-party components, README, NOTICE, or internal reports on dependencies, licences, and vulnerabilities

You may also refer to results from the GÉANT SCA service, if used.

See Contact Us for instructions on communicating with the team.

...

Cooperate with the Licence Management Team to:

  • Provide requested clarifications
  • Remediate identified incompatibilities or vulnerabilities
  • Update dependency records and documentation as needed

Use Certificate

Upon approval, your project will receive the Verified Dependencies Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Reference the certificate in your documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this.

...

To keep the certificate valid:

  • Keep dependency, licence, and vulnerability data accurate and up to date.
  • Monitor for new or changed dependencies, and for vulnerabilities or licence incompatibilities introduced by dependency and licence changes.
  • Address identified issues promptly.
  • Update documentation as needed.

If issues arise, your team may be asked to provide additional information, address identified licence or vulnerability issues, or update dependency records.

Certificate Validity

The certificate is valid for five years, covering all versions released within that period, provided vulnerabilities and licence incompatibilities are promptly addressed.

Renewal

Reassess and submit a renewal request before the five-year validity period ends, or sooner if there are significant changes (e.g. component replacement under a different licence, or inclusion of a new component under a novel licence).

Avoiding Revocation

The certificate may be revoked if:

  • Direct or transitive dependencies are missing or undocumented
  • Incompatible dependency licences are introduced or discovered
  • Critical vulnerabilities in dependencies remain unresolved
  • Non-compliance between component licences remains unresolved
  • Complaints about undeclared, licence-incompatible, or critically vulnerable dependencies are confirmed
  • The team fails to respond to enquiries or complaints during investigations or reviews
  • The development team requests revocation

Optional: Continuous Dependency and Licence Scanning

Integrate SCA scanning into the CI/CD pipeline to detect licence or vulnerability issues early and maintain long-term compliance.