Software Licensing Certificates Series
- Software Licensing Certificates
Self-Assessed Dependencies [Quick Guide & Checklist] [Detailed Guide]
Verified Dependencies [Quick Guide & Checklist] [Detailed Guide]
Verified Software Licence [Quick Guide & Checklist] [Detailed Guide]
Software Licence Assurance [Quick Guide & Checklist] [Detailed Guide]
- Using Issued Certificates
This certificate confirms that a software project has all direct and transitive dependencies identified, verified for licence compatibility and critical vulnerabilities, documented, and reviewed by the Licence Management Team, without addressing the software’s own licence or compliance artefacts.
It requires your team to internally assess all dependencies and third-party intellectual property, prepare verification material, and provide it to the Licence Management Team for review.
The certificate builds on the Self-Assessed Dependencies Certificate by adding thorough verification, inclusion of transitive dependencies, and submission of evidence.
You may use this document as a checklist template for your project's certification process.
Initial Steps
Requirements
Aligned with Self-Assessed Dependencies Certificate
- Document all direct and transitive external libraries and code (an internal list is mandatory, and it may be made public).
- Document licences of these libraries and code (in the same list).
- Confirm that all direct and transitive dependencies are under valid open source or proprietary licences.
- Ensure that all these licences are mutually compatible.
- Review each direct and transitive dependency for known critical vulnerabilities (you can use the GÉANT-provided SCA and review services), and capture vulnerability details in a SCA report or internal document.
- Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets (may be recorded in the
NOTICEfile). Record information on direct dependencies and third-party IP (name, version, licence) in a
README,NOTICE, or only in an internal document.- Register the project in the GÉANT Software Catalogue.
Additional Requirements
- Extend first four points from Self-Assessed Dependencies Certificate requirements with transitive dependencies.
Certification Process
- Address all dependency vulnerabilities and licence incompatibilities
- Send a request to the Licence Management Team, including:
- SCA report or a reference to the GÉANT SCA service performed
- Third-party IP details, if any
- Any supporting documentation, such as internal reports describing third-party components, their versions, licences, and vulnerabilities
- Provide clarifications and perform remediation if requested by the Licence Management Team.
- Update dependency records and documentation as needed.
- Reference the certificate in your documentation, metadata, project page, or communications.
See Contact Us for information on how to communicate with the Licence Management Team.
Artefacts
- Up-to-date list of all dependencies with licences and security status, including transitive ones, based on SCA tool results
Consider drafting public artefacts based on available templates. These files are reviewed and amended as part of the SLA Service.
README– Optional, but useful to capture basic information about the software early; it is the starting point for documented and licensed softwareNOTICE– Optional, but required if legal notices or attributions for third-party components are mandated by dependency licences
Governance
Upon approval, your project will receive the Verified Dependencies Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.
Keep dependency, licence, and vulnerability data up to date. Review new or changed dependencies and monitor for newly discovered vulnerabilities or licence conflicts.
You may integrate continuous dependency and licence scanning (e.g. through CI/CD pipelines) to detect issues early and maintain long-term compliance.
The certificate is valid for five years, covering all released versions within that period, provided issues are promptly addressed.
Reassess and submit a renewal request before the five-year validity ends, or sooner if there are significant changes (e.g. component replacement under a different licence, or inclusion of new components).
Additional Information
Further details are available in the Detailed Guide: Verified Dependencies Certificate.