Software Licensing Certificates Series
- Software Licensing Certificates
  - Self-Assessed Dependencies [Quick Guide & Checklist] [Detailed Guide]
  - Verified Dependencies [Quick Guide & Checklist] [Detailed Guide]
  - Verified Software Licence [Quick Guide & Checklist] [Detailed Guide]
  - Software Licence Assurance [Quick Guide & Checklist] [Detailed Guide]
- Software Licensing Certificates Comparison Table
| Aspect | Self-Assessed Dependencies | Verified Dependencies | Verified Software Licence | Software Licence Assurance |
|---|---|---|---|---|
| Purpose | Entry-level self-assessment of direct dependencies | External verification of all dependencies, without requiring a licence | Confirms appropriate licence choice and full compliance | Mature, ongoing governance of licences and dependencies |
| Suitable For / Scope | Early-stage projects, internal tools, initial governance | Projects nearing release without a licence; internal tools | Software ready for public release, distributed or externally available | Actively governed OSS projects committed to compliance |
| Validation | Developer self-assessment; no external validation | Verified by Licence Management Team using SCA or equivalent | Reviewed by Licence Management Team via SLA service or structured process | Licence Management Team review following internal audit; ongoing monitoring |
| Effort Level | Low – basic analysis documenting direct dependencies | Medium – full external dependency verification | High – detailed analysis and artefact creation | Very high – continuous governance and validation |
| Licence Declaration | Not required | Not required | Required | Required, with full compliance framework |
| Dependencies Coverage | Direct only; transitive optional | All, including transitive; mutually compatible licences | All verified, compliant and compatible with chosen licence | All validated through CI/CD integration |
| Requirements | Listed in Software Catalogue; identify direct dependencies; mutually compatible licences; no critical vulnerabilities or licence violations | As left, extended to all dependencies | As left, plus GÉANT-approved licence; correct artefacts; licence in documentation, Software Catalogue, repository metadata, and website | As left, plus designated compliance officer; CI/CD-integrated SCA tools; licence monitoring; contributor onboarding; tool maintenance; audits; documented processes |
| Artefacts | Internal list of direct dependencies and licences; optional NOTICE or README | SCA report listing licences and vulnerabilities | As left, plus LICENSE, COPYRIGHT, README, NOTICE, CHANGELOG, CONTRIBUTING | As left, plus compliance records; suggested SBOM |
| Certification Process | Submit notification | Submit dependency report | Submit after SLA review and artefact finalisation | Provide repository access, documents, and audit evidence |
| Governance & Maintenance | Maintained by developers; occasional checks possible | Maintained by developers; reviewed by Licence Management Team; occasional checks | Maintained by developers; reviewed at certification; occasional checks | Continuous maintenance; designated compliance officer; biennial audits; occasional checks |
| Validity Period | 5 years (renewable) | 5 years (renewable) | Indefinite (unless revoked) | Indefinite (with biennial audits) |
| Revocation Triggers | Missing dependencies; licence conflicts; critical vulnerabilities; unresolved complaints; non-responsiveness | As left, for all dependencies | As left, plus unapproved licence changes; incorrect artefacts; non-compliance; distribution violations | As left, plus outdated tools/processes/documents; ignored errors; failed audits; unmaintained practices; misrepresentation of compliance |
| Limitations | Self-assessment only; not validated; no distribution permission; no licence selection | No distribution permission; no licence selection | Not a legal audit; excludes patents, export controls, and data protection | Not a legal or security audit; unsuitable for prototypes; requires sustained adherence and collaboration |