Software Licensing Certificates Series
Verified Dependencies Certificate
This certificate applies to software projects that are not externally distributed or have not yet declared a licence. It confirms that all third-party dependencies, including transitive ones, have been identified and externally verified for mutual licence compatibility, and for critical vulnerabilities. It is suitable for internal tools or services, unlicensed or unpublished code, and projects seeking external validation before choosing a licence. It also requires that other third-party intellectual property is reviewed and documented.
The certificate does not grant distribution rights and does not replace licence selection or compliance, because it does not assess the project's own licensing. It builds upon the Self-Assessed Dependencies Certificate and gives stronger assurance about third-party legal and security risks in two ways: the scope is extended from direct to transitive dependencies, and the software team's internal evaluation of dependencies, licences, and vulnerabilities, together with the verification materials it prepares, is then independently verified by the Licence Management Team.
A full specification of software licensing certificates is also available for GÉANT participants.
Prerequisites
Ensure your software project:
- Has all direct and transitive dependencies identified and documented (an internal list is mandatory)
- Has identified licences for all direct and transitive dependencies
- Has confirmed that all dependency licences are mutually compatible for use in the software
- Contains no known critical vulnerabilities in dependencies
- Lists any other third-party intellectual property included in the project (source code, components, content, designs, models, and similar assets that may be recorded in the NOTICE file)
- Is registered in the GÉANT Software Catalogue
Step-by-Step Process
Identify Dependencies
Compile a comprehensive list of all direct and transitive third-party dependencies used in your software project. You may use a Software Composition Analysis (SCA) tool or the GÉANT SCA service.
Document licence and vulnerability information for each dependency. An internal list of all included third-party libraries and code is mandatory. It should record every third-party component with its version, licence, and known vulnerabilities, and mark which dependencies are direct and which are transitive, since both are in scope for this certificate.
If the project contains multiple repositories, separately list dependencies for each component and its respective repository. Include all standalone modules developed for joint use, even if loosely coupled (for example, internal services).
Verify Compatibility and Compliance
Confirm that every dependency is under a valid open source or proprietary licence. Ensure that all dependency licences are mutually compatible for use in your software.
Manually review all other third-party intellectual property, including source code, components, content, designs, models, and similar assets. Identify, assess, and document their inclusion, as SCA tools may not detect them. These records may be included in the project’s NOTICE file with attribution or licence notices if required by their terms of use.
Address Known Issues
Address all critical vulnerabilities in dependencies, typically by upgrading to fixed versions. Where the vulnerable component is a transitive dependency, this may mean upgrading or replacing the direct dependency that pulls it in.
Resolve any known licence incompatibilities and instances of improper use of third-party intellectual property.
Prepare Required Documentation
Prepare and make the following available to your team:
- A list of all direct and transitive dependencies, including name, version, licence, and known vulnerabilities
- Records of other third-party intellectual property included in the project, if any
- Evidence of dependency assessment and vulnerability checks
Optional README and NOTICE files
Consider preparing project artefacts containing dependency information (excluding vulnerability details; use available templates). Having these documents early makes the software more accessible and supports future licence declaration:
- README – Optional, but useful to capture basic information about the software early; it is the starting point for documented and licensed software
- NOTICE – Optional, but required if legal notices or attributions for third-party components are mandated by dependency licences
Consult with the Licence Management Team if you need clarifications or support during preparation.
Submit Request
Send a request to the Licence Management Team, including:
- Detailed dependency list with licences, SCA results, or reference to the GÉANT SCA service performed
- Third-party intellectual property details, if any
- Supporting documentation, such as descriptions of third-party components, README, NOTICE, or internal reports on dependencies, licences, and vulnerabilities
Refer to Contact Us for instructions on communicating with the team.
Respond to Review Feedback
Cooperate with the Licence Management Team to:
- Provide requested clarifications
- Remediate identified incompatibilities or vulnerabilities
- Update dependency records and documentation as needed
Use Certificate
Upon approval, your project will receive the Verified Dependencies Certificate, visible at certificates.software.geant.org and in the GÉANT Software Catalogue.
Reference the certificate in documentation, metadata, project pages, or communications. The Licence Management Team will provide guidance on how to do this.
After Certification
Maintain Compliance
To keep the certificate valid:
- Keep dependency, licence, and vulnerability data accurate and up to date.
- Monitor for new vulnerabilities or licence conflicts, which may be newly discovered or introduced by dependency and licence changes.
- Address identified issues promptly.
- Update documentation as needed.
If issues arise, your team may be asked to provide additional information, address identified licence or vulnerability issues, or update dependency records.
Certificate Validity
The certificate is valid for five years, covering all versions released within that period, provided vulnerabilities and licence incompatibilities are promptly addressed.
Renewal
Reassess and submit a renewal request before the five-year validity period ends, or sooner if there are significant changes (e.g. component replacement or inclusion of a new component under a novel licence).
Avoiding Revocation
The certificate may be revoked if:
- Direct or transitive dependencies are missing or undocumented
- Incompatible licences of dependencies are introduced or discovered
- Non-compliance between component licences remains unresolved
- Critical vulnerabilities in dependencies remain unresolved
- The team fails to respond to enquiries during investigations or reviews
- The development team requests revocation
Optional: Continuous Dependency and Licence Scanning
Integrate SCA scanning into the CI/CD pipeline so that a newly introduced dependency, a changed licence, or a newly published vulnerability is detected at the commit or build that introduces it, rather than at renewal time. Failing the build on critical vulnerabilities and on licences outside the reviewed set keeps the internal dependency list accurate and supports long-term compliance.
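The following script is an added example for this guide, not GÉANT tooling or the GÉANT SCA service. It illustrates both the Identify Dependencies / Prepare Required Documentation steps (producing the mandatory internal list of direct and transitive dependencies with version, licence, and known vulnerabilities) and the CI/CD gate described above (exiting non-zero when a critical vulnerability or an unreviewed licence is present). It assumes the SCA tool emits a CycloneDX JSON SBOM with components, a dependencies graph, and vulnerabilities; the embedded SBOM, package names, and vulnerability identifiers are constructed, and the allow-list of licences is a hypothetical project policy to be replaced with the project's own reviewed decisions.

```python
"""Dependency inventory and policy gate over a CycloneDX SBOM (added example)."""
import json
import sys
from collections import deque
from dataclasses import dataclass, field

# Constructed sample SBOM in the CycloneDX 1.5 JSON shape. Names, versions and
# the vulnerability ids are invented for illustration only.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "root", "name": "internal-tool", "version": "0.1.0"}},
    "components": [
        {"bom-ref": "a", "name": "libalpha", "version": "2.3.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "b", "name": "libbeta", "version": "1.0.4",
         "licenses": [{"expression": "MIT OR BSD-3-Clause"}]},
        {"bom-ref": "c", "name": "libgamma", "version": "0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "d", "name": "libdelta", "version": "4.0.0"},  # no licence metadata at all
    ],
    "dependencies": [
        {"ref": "root", "dependsOn": ["a", "c"]},
        {"ref": "a", "dependsOn": ["b"]},
        {"ref": "c", "dependsOn": ["d"]},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "critical"}], "affects": [{"ref": "b"}]},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "medium"}], "affects": [{"ref": "d"}]},
    ],
}

_SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]


def _severity_rank(sev: str) -> int:
    return _SEVERITY_ORDER.index(sev) if sev in _SEVERITY_ORDER else 0


@dataclass
class Dependency:
    ref: str
    name: str
    version: str
    licences: list[str]
    direct: bool
    vulns: list[tuple[str, str]] = field(default_factory=list)  # (id, highest severity)


@dataclass(frozen=True)
class Policy:
    # Hypothetical project policy: licences already reviewed as acceptable, and the
    # severities that block certification. Replace with the project's own decisions.
    allowed_licences: frozenset = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})
    blocking_severities: frozenset = frozenset({"critical"})


def _licences_of(component: dict) -> list[str]:
    """CycloneDX allows an SPDX id, a free-text name, or an SPDX expression."""
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            out.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return out


def build_inventory(sbom: dict) -> list[Dependency]:
    """Walk the dependency graph from the root so transitive dependencies are included."""
    root = sbom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    direct = set(edges.get(root, []))
    vulns: dict = {}
    for v in sbom.get("vulnerabilities", []):
        sev = max((r.get("severity", "unknown") for r in v.get("ratings", [])),
                  key=_severity_rank, default="unknown")
        for a in v.get("affects", []):
            vulns.setdefault(a["ref"], []).append((v["id"], sev))
    seen, queue, inventory = {root}, deque(edges.get(root, [])), []
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        c = comps.get(ref, {"name": ref, "version": "?"})  # referenced but undeclared component
        inventory.append(Dependency(ref, c["name"], c.get("version", "?"), _licences_of(c),
                                    ref in direct, vulns.get(ref, [])))
        queue.extend(edges.get(ref, []))
    return sorted(inventory, key=lambda d: (not d.direct, d.name))


def _licence_acceptable(expr: str, allowed: frozenset) -> bool:
    """'A OR B' is acceptable if any option is allowed; 'A AND B' needs all of them.
    Parenthesised expressions are not parsed here and are left for manual review."""
    if "(" in expr:
        return False
    if " OR " in expr:
        return any(p.strip() in allowed for p in expr.split(" OR "))
    if " AND " in expr:
        return all(p.strip() in allowed for p in expr.split(" AND "))
    return expr in allowed


def evaluate(inventory: list, policy: Policy) -> list[str]:
    """Findings that block certification or need Licence Management Team review."""
    findings = []
    for d in inventory:
        kind = "direct" if d.direct else "transitive"
        if not d.licences:
            findings.append(f"{d.name} {d.version} ({kind}): no licence metadata, identify manually")
        for lic in d.licences:
            if not _licence_acceptable(lic, policy.allowed_licences):
                findings.append(f"{d.name} {d.version} ({kind}): licence '{lic}' not on the reviewed allow-list")
        for vid, sev in d.vulns:
            if sev in policy.blocking_severities:
                findings.append(f"{d.name} {d.version} ({kind}): {sev} vulnerability {vid} unresolved")
    return findings


def render_table(inventory: list) -> str:
    """The mandatory internal list; drop the last column for README/NOTICE copies."""
    rows = ["| Name | Version | Scope | Licence | Known vulnerabilities |", "|---|---|---|---|---|"]
    for d in inventory:
        v = ", ".join(f"{i} ({s})" for i, s in d.vulns) or "none"
        rows.append(f"| {d.name} | {d.version} | {'direct' if d.direct else 'transitive'} | "
                    f"{' / '.join(d.licences) or 'UNKNOWN'} | {v} |")
    return "\n".join(rows)


def main(argv: list) -> int:
    sbom = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_SBOM
    inventory = build_inventory(sbom)
    print(render_table(inventory))
    findings = evaluate(inventory, Policy())
    for f in findings:
        print("BLOCK:", f)
    return 1 if findings else 0  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample, or pass the path of an SBOM produced by your SCA tool. On the sample it lists four dependencies (two direct, two transitive) and blocks on three findings: a critical vulnerability in a transitive dependency, a licence outside the allow-list, and a component with no licence metadata. The allow-list deliberately does not encode licence compatibility rules; anything outside it is routed to manual review rather than silently accepted or rejected.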