
This certificate builds upon the Verified Software Licence Certificate, and confirms that a project integrates mature, sustainable, and traceable licensing and dependency management into its software development and delivery lifecycle. It applies to actively maintained, publicly or purposefully distributed software under consistent governance.

The certificate may cover a single project or a group of products under unified ownership and management. It remains valid indefinitely, provided certified practices are maintained and biennial audits are passed.

Initial Steps

Requirements

Closely Related to Verified Software Licence Certificate

  • Meet all Verified Software Licence requirements for each piece of software developed or maintained by the project
  • Regularly maintain the artefacts required by the Verified Software Licence Certificate

Additional Requirements

  • A Licence Compliance Officer is designated, responsible for licensing decisions and queries
  • Governance policies are established and enforced, covering inbound/outbound licences, dependency management, contributions, conflict resolution, compliance tools, and audits
  • Automated compliance tools are integrated into the CI/CD pipeline, with alerts for licence, version, and security issues
  • Compliance rules, scanning configurations, and alert thresholds are maintained and kept up to date
  • Team onboarding and training are implemented, with up-to-date materials available
  • Development practices related to the use of compliance tools, monitoring, and dependency management are documented
  • Contribution guidelines or policies are established and followed
  • Adequate general or per-software licensing policies are in place
  • Compliance records are maintained for dependency approvals, licensing decisions, contributions, and known vulnerabilities
  • Compliance reviews and audits are performed regularly, documented, and tracked with findings and corrective actions

Certification Process

  • Ensure Verified Software Licence compliance for each piece of software included in the project
  • Send a request to the Licence Management Team, including:
    • Contact details of the Licence Compliance Officer
    • Results of the SLA or equivalent review
    • Access to the code repository of the exemplary software, with all relevant artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.)
    • List of all dependencies of the exemplary software, with their licences and security status
    • Results of automated checks, with examples of CI/CD compliance tool rules
    • Governance and compliance policies, including dependency and licence management guidelines
    • Evidence of governance and training activities, such as onboarding materials and contribution guidelines
    • Exemplary records of dependency management and compliance decisions
    • Exemplary records associated with one or several contributions
    • Exemplary records of known vulnerabilities and their remediation
    • Records of compliance reviews and audits
    • Clarifications or supporting notes, if needed

  • Respond to Licence Management Team's feedback by:
    • Providing requested clarifications
    • Demonstrating compliance tool effectiveness
    • Addressing documentation or process gaps
  • Reference the certificate in your documentation, metadata, project page, or communications

See Contact Us for information on how to communicate with the Licence Management Team.

Artefacts

Create and maintain artefacts and documents that manage, support, and track licence, dependency, and security governance:

  • Core licensing artefacts (README, LICENSE, COPYRIGHT, NOTICE, CHANGELOG, etc.) for all included software
  • Up-to-date onboarding and training materials for new and existing team members on licensing, security, and IPR management
  • Dependency and licence management guidelines
  • Dependency and licence approvals, including exception or waiver records where applicable
  • Contribution guidelines
  • Code testing or review records, including records tracking external contributions where applicable
  • CI/CD compliance tool rules and configuration files
  • SCA tool, licence, and security scan results and reports
  • Records of regular dependency management and compliance decisions
  • Records tracking known vulnerabilities and their remediation
  • Records of monitoring alerts and responses
  • Minutes or sign-off records from compliance reviews and audits
  • Software Bill of Materials (SBOM) for each piece of software (recommended)
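The requirements above ask for an automated compliance check in the CI/CD pipeline that raises alerts for licence and security issues, and for an SBOM and per-dependency licence/security status as artefacts. The script below is an added illustration of how those pieces fit together; it is not GÉANT's tooling nor any project's real configuration. The SBOM fragment (CycloneDX-style `components` with `licenses` entries), the allow/deny lists, the waiver register and the advisory feed are all constructed inline, and the component names and advisory identifier are hypothetical.

```python
"""Minimal CI compliance gate over a CycloneDX-style SBOM (added example, not project code).

Every input below is constructed for illustration: the SBOM, the policy lists,
the waiver register and the advisory feed. Real pipelines would load these
from the SBOM generator, the governance policy and a vulnerability feed.
"""
from dataclasses import dataclass

# Hypothetical policy for a project that distributes under Apache-2.0:
# SPDX identifiers accepted inbound, and identifiers rejected outright.
ALLOWED_LICENCES = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
DENIED_LICENCES = {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}
# Waivers approved by the Licence Compliance Officer: component -> approval record.
WAIVERS = {"legacy-report-lib": "LCO-0042"}

# Constructed SBOM fragment; component names are invented.
SBOM = {"components": [
    {"name": "acme-http", "version": "2.3.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "acme-crypto", "version": "1.8.0", "licenses": [{"expression": "Apache-2.0 OR BSD-3-Clause"}]},
    {"name": "legacy-report-lib", "version": "1.2.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "mystery-utils", "version": "0.4.1", "licenses": []},
    {"name": "leftpad-ng", "version": "3.0.0", "licenses": [{"license": {"name": "Custom EULA"}}]},
]}

# Constructed advisory feed; the identifier is hypothetical, not a real CVE.
ADVISORIES = [{"id": "EX-2024-0001", "name": "acme-crypto", "fixed_in": "2.0.0", "severity": "high"}]


@dataclass
class Finding:
    component: str
    version: str
    action: str    # "block" fails the pipeline, "review" needs a human, "info" is only logged
    message: str


def parse_version(v):
    """Compare dotted numeric versions; non-numeric parts sort as 0 (good enough for a demo)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def component_licences(component):
    """Flatten CycloneDX 'licenses' entries into a list of SPDX ids, names or expressions."""
    terms = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            terms.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            terms.append(lic.get("id") or lic.get("name") or "")
    return [t for t in terms if t]


def evaluate_expression(expr):
    """Return 'allowed', 'denied' or 'unknown' for a flat SPDX expression.
    OR lets us pick the permissive option; AND requires every part to be acceptable.
    Nested parentheses are out of scope and are routed to human review."""
    if "(" in expr:
        return "unknown"
    if " OR " in expr:
        parts = [p.strip() for p in expr.split(" OR ")]
        if any(p in ALLOWED_LICENCES for p in parts):
            return "allowed"
        return "denied" if all(p in DENIED_LICENCES for p in parts) else "unknown"
    parts = [p.strip() for p in expr.split(" AND ")]
    if any(p in DENIED_LICENCES for p in parts):
        return "denied"
    return "allowed" if all(p in ALLOWED_LICENCES for p in parts) else "unknown"


def check_licences(component):
    name, version = component["name"], component["version"]
    terms = component_licences(component)
    if not terms:
        # A dependency with no declared licence cannot be approved; fail closed.
        return [Finding(name, version, "block", "no licence declared in SBOM")]
    findings = []
    for term in terms:
        verdict = evaluate_expression(term)
        if verdict == "denied" and name in WAIVERS:
            findings.append(Finding(name, version, "info", f"denied licence {term!r} waived under {WAIVERS[name]}"))
        elif verdict == "denied":
            findings.append(Finding(name, version, "block", f"licence {term!r} is on the deny list"))
        elif verdict == "unknown":
            findings.append(Finding(name, version, "review", f"licence {term!r} not in allow/deny lists"))
    return findings


def check_vulnerabilities(component):
    name, version = component["name"], component["version"]
    findings = []
    for adv in ADVISORIES:
        if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
            action = "block" if adv["severity"] in ("high", "critical") else "review"
            findings.append(Finding(name, version, action, f"{adv['id']} ({adv['severity']}), fixed in {adv['fixed_in']}"))
    return findings


def run_gate(sbom):
    """Evaluate every component; the gate passes only when nothing is 'block'."""
    findings = []
    for component in sbom["components"]:
        findings += check_licences(component) + check_vulnerabilities(component)
    return not any(f.action == "block" for f in findings), findings


if __name__ == "__main__":
    passed, findings = run_gate(SBOM)
    for f in findings:
        print(f"[{f.action.upper():6}] {f.component} {f.version}: {f.message}")
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit status is what turns a finding into a blocking alert; the `review` and `info` findings are the records the certificate asks you to keep (undecided licences awaiting the Licence Compliance Officer, and waivers traceable to an approval). Note that waivers are keyed by component here; a real register should also record the version range and expiry of each waiver.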

Governance

Upon approval, your project and associated software will receive the Software Licence Assurance Certificate, which will be visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Maintain ongoing licensing compliance and the associated artefacts for each piece of software included in the project.

The Licence Management Team validates issuance, and may occasionally review the certificate status.

A biennial audit is required, either as an internal audit by the development team or as an external audit arranged with the Licence Management Team.

An internal review is required following governance or leadership changes, major changes to compliance processes, or after serious compliance concerns raised by users.

The certificate is valid indefinitely, unless revoked.

Additional Information

Further details are available in the Detailed Guide: Software Licence Assurance Certificate.
