Description:
A component or project may have no license at all, a license that is incompatible with the intended use by a downstream consumer, or a license whose requirements are not, or cannot be, met by a downstream user.
A component may also violate license terms independent from downstream use, e.g., if it is licensed as GPL but includes files licensed under the original (4-clause) BSD license.
A component may also conflict with legal and regulatory requirements, e.g., related to FedRAMP certification or export control.
It is important to use components in compliance with their license terms. The absence of a license, or non-compliant use, can result in copyright or license infringements against which the copyright holder can take legal action.
The violation of legal and regulatory requirements can constrain or hamper addressing certain verticals or markets.
Examples:
Actions:
Identify acceptable licenses for the intended use of the component in the software under development.
This should consider, for example, how the component is linked, the software's deployment model (cloud, on-premise/device), and the intended distribution scheme.
References: