Getting Started with ProGet: License Detection and Blocking

We often don’t read license agreements, but we’re always held to them. And no organization has the resources to spare on legal issues stemming from license non-compliance.

ProGet’s License Detection and Blocking feature makes it easy to keep packages with unacceptable license agreements out of your organization’s applications. ProGet automatically flags the licenses declared in package metadata, and you can configure ProGet to automatically block packages that carry licenses like GPL-3.0.

In this tutorial, learn how to:

  • Configure a license filter at the feed level
  • Add a license rule for an unknown license type

This tutorial uses the license detection and blocking functionality built into ProGet. If you use WhiteSource for license scanning and blocking instead, refer to the specific instructions for that integration.

This tutorial starts with a public feed and connector already set up in ProGet. You can get step-by-step instructions for setting these up in our “Getting Started with ProGet” tutorial.

License Detection

When you access a package in your ProGet feed, ProGet will display whether there is a license associated with the package on the Package Overview page.

For example, ProGet recognized that this Newtonsoft.Json 12.0.3 package contains an MIT license.

But not all license types are as acceptable as an MIT license. Blocking undesirable licenses can protect your organization from legal liability. Configuring license filters in ProGet is simple.

Configure a License Filter at the Feed Level

To set up a license filter rule, navigate to the Manage Feed page.

Click on the Scanning & Blocking tab.

Select “Add License Filter Rule.”

Licenses like GPL-3.0 are often unacceptable to businesses. You can configure your feed to block attempted downloads of packages with a GPL-3.0 license.

Select the GPL-3.0 SPDX identifier from the dropdown, choose “Block This License,” and click “Create Rule.” This creates the rule at the feed level.

ProGet will refuse any download of a package whose detected license is blocked, and it will tell the user that the action was blocked by a license filtering rule.

ProGet has a long list of SPDX identifiers and known licenses, but it’s not an exhaustive list. You can allow or block packages with unknown licenses, and you can add a URL as a known license.

Add a Rule for an Unknown License Type

A package whose metadata contains no SPDX identifier or license URL, or contains one that ProGet does not recognize, is considered to have an unknown license.

When ProGet detects an unknown license, it warns you and gives you the chance to create a new license type.

For example, ProGet detected an unknown license in this Castle.Core 4.4.1 package.

Click the Metadata tab, or click the URL in the warning, and then read the license. Remember: ProGet is NOT your lawyer!

Reading this license, it’s clear that it is just a different way to reference the Apache-2.0 license. If that license is acceptable to your team, click “Assign License Type to Custom URL,” pick “Apache-2.0” from the dropdown, and save.

Once you’ve added this mapping, all other packages with the same SPDX identifier or URL will be detected as that license type.

More with License Detection and Blocking

You can also configure allow/block rules at the global level. To do this, go to the Licenses tab in the top ProGet ribbon and select “Global.” If both a global and a feed-level rule are defined for the same license type, the feed-level rule will be used.

ProGet assembles its list of known licenses from the SPDX license list. You can edit this list by going to Licenses > License Types.
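The behaviour described in the last few sections (a recognized SPDX identifier versus an unknown license, the “Assign License Type to Custom URL” mapping, a feed-level block rule, and feed-over-global precedence) is easier to reason about when it is spelled out as code. The following Python is an added example and is not ProGet’s own code: it models the rules as the tutorial states them, using a tiny stand-in license table, constructed (abbreviated) nuspec fragments modelled on the two packages shown above, and made-up package ids Example.Copyleft and Example.FileLicense. The function names and the precedence between a license expression and a license URL are assumptions.

```python
"""Added example, not ProGet's own code: a small model of the license
detection and allow/block behaviour this tutorial describes, run over
constructed .nuspec metadata.  ProGet's real tables and matching are richer;
the precedence rules below are assumptions taken from the tutorial text."""
from typing import Optional
import xml.etree.ElementTree as ET

# Assumption: a tiny stand-in for ProGet's built-in SPDX license table.
KNOWN_SPDX = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "GPL-3.0-or-later"}
# NuGet's own spelling of an SPDX license as a URL.
NUGET_LICENSE_PREFIX = "https://licenses.nuget.org/"


def _local(tag: str) -> str:
    """Strip the XML namespace; nuspec files use several schema versions."""
    return tag.rsplit("}", 1)[-1]


def detect_license(nuspec_xml: str, custom_urls: Optional[dict] = None) -> Optional[str]:
    """Return the SPDX id detection assigns to a package, or None if unknown.

    Precedence (assumption): a recognised <license type="expression"> wins;
    otherwise a <licenseUrl> that is either NuGet's SPDX URL form or one the
    user mapped with "Assign License Type to Custom URL".  A
    <license type="file"> or an unrecognised URL leaves the license unknown.
    """
    custom_urls = custom_urls or {}
    expression = url = None
    for el in ET.fromstring(nuspec_xml).iter():
        name = _local(el.tag)
        if name == "license" and el.get("type") == "expression":
            expression = (el.text or "").strip()
        elif name == "licenseUrl":
            url = (el.text or "").strip()
    if expression in KNOWN_SPDX:
        return expression
    if url and url.startswith(NUGET_LICENSE_PREFIX):
        spdx = url[len(NUGET_LICENSE_PREFIX):]
        if spdx in KNOWN_SPDX:
            return spdx
    return custom_urls.get(url) if url else None


def decide(license_id: Optional[str], feed_rules: dict, global_rules: dict,
           unknown_policy: str = "block") -> str:
    """Apply allow/block rules.  Per the tutorial, a feed-level rule beats a
    global rule for the same license; unknown licenses follow unknown_policy."""
    if license_id is None:
        return unknown_policy
    for rules in (feed_rules, global_rules):
        if license_id in rules:
            return rules[license_id]
    return "allow"  # no rule either way: the download proceeds


# Constructed nuspec fragments modelled on the packages the tutorial shows
# (abbreviated; not the packages' actual metadata files).
NS = 'xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"'
NEWTONSOFT = f"""<package {NS}><metadata><id>Newtonsoft.Json</id><version>12.0.3</version>
  <license type="expression">MIT</license>
  <licenseUrl>https://licenses.nuget.org/MIT</licenseUrl></metadata></package>"""
CASTLE = f"""<package {NS}><metadata><id>Castle.Core</id><version>4.4.1</version>
  <licenseUrl>http://www.apache.org/licenses/LICENSE-2.0.html</licenseUrl></metadata></package>"""
GPL_PKG = f"""<package {NS}><metadata><id>Example.Copyleft</id><version>1.0.0</version>
  <license type="expression">GPL-3.0-only</license></metadata></package>"""
FILE_PKG = f"""<package {NS}><metadata><id>Example.FileLicense</id><version>1.0.0</version>
  <license type="file">LICENSE.txt</license></metadata></package>"""


def run_tutorial() -> dict:
    """Walk the tutorial's steps and return the allow/block decision at each."""
    feed_rules = {"GPL-3.0-only": "block"}  # "Block This License" at the feed level
    global_rules = {"GPL-3.0-only": "allow", "Apache-2.0": "allow"}  # global rules
    custom_urls = {}  # nothing mapped via "Assign License Type to Custom URL" yet
    results = {
        "newtonsoft": decide(detect_license(NEWTONSOFT), feed_rules, global_rules),
        "castle_before": decide(detect_license(CASTLE, custom_urls), feed_rules, global_rules),
        "gpl": decide(detect_license(GPL_PKG), feed_rules, global_rules),
        "file_license": decide(detect_license(FILE_PKG), feed_rules, global_rules),
    }
    # "Assign License Type to Custom URL": map Castle.Core's URL to Apache-2.0.
    custom_urls["http://www.apache.org/licenses/LICENSE-2.0.html"] = "Apache-2.0"
    results["castle_after"] = decide(detect_license(CASTLE, custom_urls), feed_rules, global_rules)
    return results


if __name__ == "__main__":
    for package, outcome in run_tutorial().items():
        print(f"{package:14} -> {outcome}")
```

Two points worth noticing when you run it: Castle.Core is blocked until its URL is mapped, because an unmapped URL is an unknown license and the unknown-license policy here is “block”; and Example.Copyleft is blocked even though a global rule allows GPL-3.0-only, because the feed-level rule takes precedence. A package that ships its license only as a file (`<license type="file">`) has no identifier to match and is treated as unknown as well, so decide what your unknown-license policy should be before you rely on blocking alone.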

What’s Next:

Promote Packages

Not all free/open source packages belong in your production applications. With package promotion, you can ensure that only NuGet packages that meet your internal quality standards get used in production-ready code.

Configure Retention Rules

As you download and cache more and more public packages, your disk space will quickly fill up with old and unused packages. You can configure retention rules to automatically reclaim disk space by deleting packages that meet criteria you define, such as versions that have not been downloaded recently or are older than a given age.