Detailed Guide: Self-Assessed Dependencies Certificate

This certificate applies to software projects that are in active development or in early preparation for licence verification. It confirms that your team has identified and assessed all direct dependencies used in the software project for known critical vulnerabilities, and for mutual licence compatibility. It also requires that other third-party intellectual property is reviewed and documented.

The certificate does not replace the analysis of transitive dependencies, the selection of the project’s own licence, or imply distribution rights. It represents an initial stage of licence governance and compliance, achieved through internal verification.

A full specification of software licensing certificates is also available for GÉANT participants.

Prerequisites

Ensure your software project:

• Has all direct dependencies identified and documented

• Has identified the licence for each dependency

• Has confirmed that dependency licences are mutually compatible for use in the software

• Contains no known critical vulnerabilities in direct dependencies

• Lists any other third-party intellectual property included in the project (source code, components, content, designs, models, and similar assets)

• Is registered in the GÉANT Software Catalogue

Step-by-Step Process

Identify Dependencies

Compile a comprehensive list of all direct software dependencies used in your software project. These can typically be extracted from dependency, manifest, or build files such as package.json, MANIFEST.MF, or pom.xml. Having an internal list of directly included third-party libraries and code is mandatory.

If the project contains multiple repositories, separately list dependencies for each component and its respective repository. Components separated for practical or architectural reasons but not intended for reuse in other projects do not need to be included. However, include all standalone modules you developed and intend to use together, even when loosely coupled (for example, internal services).

Transitive dependencies may also be reviewed and documented, but this is optional and not required for certification.

Check Licences and Terms

Confirm that each direct dependency is under a valid open source or proprietary licence. Ensure that all dependency licences are mutually compatible for use in your software.

Check for Vulnerabilities

Review each direct dependency for known critical security vulnerabilities. You may use Software Composition Analysis (SCA) tools or the GÉANT SCA service, including existing SCA reports where still relevant. Additional sources such as CVE, NIST, or similar databases may also be consulted for comprehensive vulnerability information.

Review Third-Party IP

Manually review all other third-party intellectual property, including source code, components, content, designs, models, and other assets. Identify, assess, and document their inclusion, as SCA and dependency management tools may not detect them. These records may be included in the project’s NOTICE file with attribution or licence notices if required by their terms of use.

Prepare Required Documentation

Prepare and make the following available to your team:

• A list of all direct dependencies, including name, version, licence, and known vulnerabilities
• Records of other third-party intellectual property included in the project, if any
• Evidence of dependency assessment and vulnerability checks
• Optional README and NOTICE files containing dependency and licence information (recommended, but excluding vulnerability details; use available templates)

Consult with the Licence Management Team if you need clarifications or support during preparation.

Internal documentation should be available upon request.

Submit Registration

Send a registration request to the Licence Management Team, confirming that your project meets the certificate requirements. You are not required to include any dependency, licence, or vulnerability information. If provided, it may support future certificate assessments.

Refer to Contact Us for instructions on communicating with the team.

Use Certificate

Upon approval, your project will receive the Self-Assessed Dependencies Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.

Reference the certificate in documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this.

After Certification

Maintain Compliance

To keep the certificate valid:

• Keep dependency, licence, and vulnerability data accurate and up to date.
• Monitor for new vulnerabilities or licence conflicts, which may be newly discovered or introduced by dependency and licence changes.

• Address identified issues promptly.

• Update documentation as needed.

If issues arise, your team may be asked to provide additional information, address identified licence or vulnerability issues, or update dependency records.

Certificate Validity

The certificate is valid for five years, covering all versions released within that period, provided vulnerabilities and licence incompatibilities are promptly addressed.

Renewal

Reassess and submit a renewal request before the five-year validity period ends, or sooner if there are significant changes.

Avoiding Revocation

The certificate may be revoked if:

• Direct dependencies are missing or undocumented
• Incompatible licences of direct dependencies are introduced or discovered
• Non-compliance between component licences remains unresolved
• Critical vulnerabilities in direct dependencies remain unresolved
• The team fails to respond to enquiries during investigations or reviews
• The development team requests revocation