This certificate applies to software projects that are in active development or in early preparation for licence verification. It confirms that your team has identified and assessed all direct dependencies used in the software project for known critical vulnerabilities, and for mutual licence compatibility. It also requires that other third-party intellectual property is reviewed and documented.
The certificate does not replace the analysis of transitive dependencies or the selection of the project’s own licence, nor does it imply distribution rights. It is an initial stage of licence governance and compliance, achieved through internal verification.
A full specification of software licensing certificates is also available (for GÉANT participants).
Prerequisites
Ensure your software project:
- Has all direct dependencies identified and documented
- Has identified the licence for each dependency
- Has confirmed that dependency licences are valid, and mutually compatible for use in the software
- Has checked for and addressed known critical vulnerabilities in direct dependencies
- Lists any other third-party intellectual property included in the project (source code, components, content, designs, models, and similar assets)
- Is registered in the GÉANT Software Catalogue
Step-by-Step Process
Identify Dependencies
Compile a comprehensive list of all direct software dependencies used in your software project. These can typically be extracted from dependency, manifest, or build files such as package.json, MANIFEST.MF, or pom.xml.
If the project contains multiple repositories, separately list dependencies for each component and its respective repository. Components separated for practical or architectural reasons but not intended for reuse in other projects do not need to be included. However, include all standalone modules you developed and intend to use together, even when loosely coupled (for example, internal services).
Transitive dependencies may also be reviewed and documented, but this is optional.
Check Licences and Terms
Confirm that each direct dependency is under a valid open source or proprietary licence. Ensure that all dependency licences are mutually compatible for use in your software.
Check for Vulnerabilities
Review each direct dependency for known critical security vulnerabilities. You may use Software Composition Analysis (SCA) tools or the GÉANT SCA service, including existing SCA reports where still relevant. Additional sources such as CVE, NIST, or similar may also be consulted for comprehensive vulnerability information.
Review Third-Party IP
Review all other third-party intellectual property manually, including source code, components, content, designs, models, and other assets. Identify, assess, and document their inclusion, as SCA and dependency management tools may not detect them.
Prepare Required Documentation
Prepare the following and make it available to the members of your team:
- A list of all direct dependencies, including name, version, licence, and known vulnerabilities
- Records of other third-party intellectual property included in the project, if any
- Evidence of dependency assessment and vulnerability checks
- Optional: README and NOTICE files containing dependency and licence information (recommended, but excluding vulnerability details)
Internal documentation should be available upon request.
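The "Identify Dependencies" step and the dependency list required above can be produced from the manifest files the page names. The script below is an added illustration, not part of the GÉANT process or tooling: it extracts direct dependencies from a constructed package.json and pom.xml (resolving Maven ${property} versions), attaches licence and known-vulnerability data, flags anything that would block the self-assessment (licence not identified, or an unresolved critical vulnerability), and renders NOTICE-style lines that deliberately omit vulnerability details. The package names, licence map and vulnerability identifiers are all constructed placeholders; in practice the licence and vulnerability columns come from your own checks (SCA report, CVE/NIST lookup), not from hard-coded tables.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests; the package and artifact names are fictional.
PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {"example-http": "4.18.2", "example-utils": "^1.2.0"},
  "devDependencies": {"example-test-runner": "29.0.0"}
}"""

POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><json.version>1.4.0</json.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-json</artifactId>
      <version>${json.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

# Constructed licence and vulnerability data standing in for the team's own
# checks (SCA report, CVE/NIST lookup). Keys are "<ecosystem>:<name>".
# example-junit is intentionally absent so the missing-licence path is exercised.
LICENCES = {
    "npm:example-http": "MIT",
    "npm:example-utils": "MIT",
    "npm:example-test-runner": "MIT",
    "maven:org.example:example-json": "Apache-2.0",
}
VULNERABILITIES = {
    "npm:example-utils": [{"id": "EXAMPLE-VULN-0001", "severity": "critical", "resolved": False}],
    "maven:org.example:example-json": [{"id": "EXAMPLE-VULN-0002", "severity": "moderate", "resolved": False}],
}


def parse_package_json(text):
    """Direct npm dependencies. The version is the declared specifier from
    package.json; the pinned, resolved version lives in the lockfile."""
    manifest = json.loads(text)
    deps = []
    for section, scope in (("dependencies", "runtime"), ("devDependencies", "dev")):
        for name, spec in manifest.get(section, {}).items():
            deps.append({"ecosystem": "npm", "name": name, "version": spec, "scope": scope})
    return deps


def _local(tag):
    """Strip the XML namespace so POM element names can be compared directly."""
    return tag.rsplit("}", 1)[-1]


def parse_pom(text):
    """Direct Maven dependencies declared under <project><dependencies>, with
    ${property} placeholders in versions resolved from <properties>."""
    root = ET.fromstring(text)
    props = {}
    for child in root:
        if _local(child.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in child}
    deps = []
    for child in root:
        if _local(child.tag) != "dependencies":
            continue
        for dep in child:
            fields = {_local(f.tag): (f.text or "").strip() for f in dep}
            version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                             fields.get("version", ""))
            deps.append({"ecosystem": "maven",
                         "name": f"{fields['groupId']}:{fields['artifactId']}",
                         "version": version, "scope": fields.get("scope", "compile")})
    return deps


def all_direct_dependencies():
    return parse_package_json(PACKAGE_JSON) + parse_pom(POM_XML)


def build_records(deps, licences, vulnerabilities):
    """Attach licence and known-vulnerability data; a dependency with no
    recorded licence is marked UNKNOWN rather than silently passed."""
    records = []
    for d in deps:
        key = f"{d['ecosystem']}:{d['name']}"
        records.append({**d, "licence": licences.get(key, "UNKNOWN"),
                        "vulnerabilities": vulnerabilities.get(key, [])})
    return records


def blockers(records):
    """Direct dependencies that fail the self-assessment: licence not
    identified, or a critical vulnerability still unresolved."""
    return [r["name"] for r in records
            if r["licence"] == "UNKNOWN"
            or any(v["severity"] == "critical" and not v["resolved"] for v in r["vulnerabilities"])]


def notice_lines(records):
    """Lines for a NOTICE file: name, version and licence only, no vulnerability details."""
    return [f"{r['name']} {r['version']} ({r['licence']})" for r in records]


if __name__ == "__main__":
    recs = build_records(all_direct_dependencies(), LICENCES, VULNERABILITIES)
    print("\n".join(notice_lines(recs)))
    print("blocking self-assessment:", blockers(recs))
```

Only the first-level `<dependencies>` element of the POM is read, so nothing under `<dependencyManagement>` or plugin sections is mistaken for a direct dependency; the same deliberate narrowness is why the script does not descend into lockfiles, since transitive dependencies are optional for this certificate.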
Submit Registration
Send a registration request to the Licence Management Team, confirming that your project meets the certificate requirements. You are not required to include any dependency, licence, or vulnerability information. If provided, it may support future certificate assessments.
Please consult with the team if you need any clarifications.
Refer to Contact Us for instructions on communicating with the team.
Use Certificate
Upon approval, your project will receive the Self-Assessed Dependencies Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.
Reference the certificate in documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this.
After Certification
Maintain Compliance
To keep the certificate valid:
- Keep dependency, licence, and vulnerability information up to date.
- Review new or changed direct dependencies.
- Monitor for newly discovered vulnerabilities and for licence conflicts, whether newly discovered or introduced by licence changes.
- Address any identified issues promptly.
- Update documentation as needed.
If issues arise, your team may be asked to provide additional information, address identified licence or vulnerability issues, or update dependency records.
Certificate Validity
The certificate is valid for five years, covering all versions released within that period, provided vulnerabilities and licence incompatibilities are addressed promptly.
Renewal
Submit a renewal request before the five-year validity period ends, or sooner if significant changes occur.
Avoiding Revocation
The certificate may be revoked if:
- Dependencies are missing or undocumented
- Mutually incompatible licences of direct dependencies are introduced or discovered
- Critical vulnerabilities in direct dependencies remain unresolved
- Complaints about undeclared or incompatible dependencies are confirmed and unresolved
- The team fails to respond to enquiries or investigations
- The development team requests revocation