This certificate applies to software projects that are in active development or in early preparation for licence verification. It confirms that your team has identified and assessed all direct dependencies used in the software project for known critical vulnerabilities, and for mutual licence compatibility. It also requires that other third-party intellectual property is reviewed and documented.

The certificate does not replace the analysis of transitive dependencies or the selection of the project’s own licence, nor does it imply distribution rights. It is an initial stage of licence governance and compliance, achieved through internal verification.

A full specification of software licensing certificates is also available (for GÉANT participants).

Prerequisites

Ensure your software project:

Step-by-Step Process

Identify Dependencies

Compile a comprehensive list of all direct software dependencies used in your software project. These can typically be extracted from dependency, manifest, or build files such as package.json, MANIFEST.MF, or pom.xml.

If the project contains multiple repositories, separately list dependencies for each component and its respective repository. Components separated for practical or architectural reasons but not intended for reuse in other projects do not need to be included. However, include all standalone modules you developed and intend to use together, even when loosely coupled (for example, internal services).

Transitive dependencies may also be reviewed and documented, but this is optional.
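The extraction described in this step, as an added example that is not GÉANT tooling or part of the original page: it reads the three manifest types named above (package.json, pom.xml, MANIFEST.MF) and produces one normalised list of direct dependencies with an ecosystem, name, version and scope. The manifests, project names and versions in the block are constructed samples and carry no claim about any real package; the function names are this example's own.

```python
"""Build a normalised inventory of direct dependencies from package.json, pom.xml
and MANIFEST.MF. Added example only, not GÉANT tooling; every manifest below is a
constructed sample and the package names/versions carry no vulnerability claim."""
import json
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# (ecosystem, name, version, scope): the minimum a licence review or an SCA tool
# needs per dependency. Scope separates shipped code from build/test-only code.
Dep = Tuple[str, str, str, str]


def direct_deps_from_package_json(text: str) -> List[Dep]:
    """npm manifests list only direct dependencies; transitive ones live in the
    lockfile. The version field is a range (e.g. ^4.18.2), so read the resolved
    version from package-lock.json when an exact version matters."""
    data = json.loads(text)
    sections = (("dependencies", "runtime"), ("devDependencies", "dev"),
                ("optionalDependencies", "optional"))
    return [("npm", name, spec, scope)
            for section, scope in sections
            for name, spec in data.get(section, {}).items()]


def direct_deps_from_pom(text: str) -> List[Dep]:
    """Maven: read <project><dependencies> only. <dependencyManagement> pins versions
    without declaring a dependency, and a dependency without <version> inherits it
    from a parent or BOM, so it is flagged rather than guessed."""
    root = ET.fromstring(text)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    # Collect <properties> so ${...} placeholders in versions can be resolved.
    props_el = root.find(ns + "properties")
    props = {} if props_el is None else {p.tag.replace(ns, ""): (p.text or "").strip() for p in props_el}
    project_version = root.findtext(ns + "version")
    if project_version:
        props["project.version"] = project_version.strip()

    def resolve(value: str) -> str:
        # Unknown properties are left as written so the gap stays visible in the inventory.
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    deps: List[Dep] = []
    deps_el = root.find(ns + "dependencies")  # direct child only: skips dependencyManagement/profiles
    for d in ([] if deps_el is None else deps_el.findall(ns + "dependency")):
        name = f"{d.findtext(ns + 'groupId', '').strip()}:{d.findtext(ns + 'artifactId', '').strip()}"
        version = d.findtext(ns + "version")
        version = resolve(version.strip()) if version else "(inherited)"
        deps.append(("maven", name, version, d.findtext(ns + "scope", "compile").strip()))
    return deps


def direct_deps_from_manifest_mf(text: str) -> List[Dep]:
    """JAR manifest: Class-Path names jars loaded at runtime. Headers are wrapped at
    72 bytes and continued on lines that start with one space; join them before
    splitting, or a jar name is cut in half."""
    headers, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            headers[current] += line[1:]
        elif ":" in line:
            current, _, value = line.partition(":")
            headers[current] = value.lstrip()
        else:
            current = None  # blank line ends a manifest section
    deps: List[Dep] = []
    for entry in headers.get("Class-Path", "").split():
        # The version usually survives only in the file name, e.g. lib/foo-1.2.3.jar.
        m = re.match(r"(?:.*/)?(.+?)-(\d[\w.+-]*)\.jar$", entry)
        name, version = (m.group(1), m.group(2)) if m else (entry, "(unknown)")
        deps.append(("jar", name, version, "runtime"))
    return deps


# Constructed sample manifests (not from any real project).
PACKAGE_JSON = """{
  "name": "example-portal",
  "dependencies": {"express": "^4.18.2", "jsonwebtoken": "9.0.0"},
  "devDependencies": {"jest": "^29.7.0"}
}"""

POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>portal-api</artifactId><version>2.1.0</version>
  <properties><jackson.version>2.15.2</jackson.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.example</groupId><artifactId>managed-only</artifactId><version>1.0</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>portal-common</artifactId>
      <version>${project.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.13.2</version><scope>test</scope></dependency>
  </dependencies>
</project>"""

# 72-byte wrapping as written by the jar tool: the last jar name is split across two lines.
MANIFEST_MF = ("Manifest-Version: 1.0\r\n"
               "Main-Class: org.example.portal.Main\r\n"
               "Class-Path: lib/commons-lang3-3.12.0.jar lib/guava-31.1-jre.jar lib/sn\r\n"
               " akeyaml-2.0.jar\r\n")


def inventory() -> List[Dep]:
    """One sorted list across all components, ready for licence and SCA review."""
    return sorted(direct_deps_from_package_json(PACKAGE_JSON)
                  + direct_deps_from_pom(POM_XML)
                  + direct_deps_from_manifest_mf(MANIFEST_MF))


def shipped(deps: List[Dep]) -> List[Dep]:
    """Dependencies that reach users. Build/test-only ones drop out of the licence
    compatibility check but must stay in the vulnerability review."""
    return [d for d in deps if d[3] not in ("dev", "test")]


if __name__ == "__main__":
    for eco, name, version, scope in inventory():
        print(f"{eco:6} {name:50} {version:12} {scope}")
```

Run as a script it prints the inventory; for a multi-repository project, run the three parsers over each component's manifests and concatenate the lists per repository as the step above requires. Entries marked `(inherited)` or still containing `${...}` are deliberate: they mark versions the manifest alone does not pin, which must be resolved from the parent POM or lockfile before the licence and vulnerability checks.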

Check Licences and Terms

Confirm that each direct dependency is under a valid open source or proprietary licence. Ensure that all dependency licences are mutually compatible for use in your software.

Check for Vulnerabilities

Review each direct dependency for known critical security vulnerabilities. You may use Software Composition Analysis (SCA) tools or the GÉANT SCA service, including existing SCA reports where they are still current for the versions in use. Additional sources such as the CVE list, the NIST National Vulnerability Database (NVD), or similar advisories may also be consulted for comprehensive vulnerability information.

Review Third-Party IP

Review all other third-party intellectual property manually, including source code, components, content, designs, models, and other assets. Identify, assess, and document their inclusion, as SCA and dependency management tools may not detect them.

Prepare Required Documentation

Prepare the following and make it available to the members of your team:

Internal documentation should be available upon request.

Submit Registration

Send a registration request to the Licence Management Team, confirming that your project meets the certificate requirements. You are not required to include any dependency, licence, or vulnerability information. If provided, it may support future certificate assessments.

Please consult with the team if you need any clarifications.

Refer to Contact Us for instructions on communicating with the team.

Use Certificate

Upon approval, your project will receive the Self-Assessed Dependencies Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Reference the certificate in documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this.

After Certification

Maintain Compliance

To keep the certificate valid:

If issues arise, your team may be asked to provide additional information, address identified licence or vulnerability issues, or update dependency records.

Certificate Validity

The certificate is valid for five years, covering all versions released within that period, provided vulnerabilities and licence incompatibilities are addressed promptly.

Renewal

Submit a renewal request before the five-year validity period ends, or sooner if significant changes occur.

Avoiding Revocation

The certificate may be revoked if: