Getting Started with ProGet: License Detection and Blocking
We often don’t read license agreements, but we’re always held to them! ProGet makes it easy to avoid the consequences of unacceptable license agreements ending up in your organization’s applications.
In this tutorial, learn how to:
- Configure a license filter at the feed level
- Add license rule to an unknown license type
Refer to the specific instructions for using WhiteSource for license scanning and blocking, as this tutorial will use the built-in functionality in ProGet.
This tutorial starts with a NuGet.org public feed and connector already set up in ProGet. You can get step-by-step instructions for setting these up in our “Getting Started with ProGet” tutorial. This tutorial can also be viewed as a video.
When you access a package in your ProGet feed, ProGet will display whether there is a license associated with the package on the Package Overview page.
For example, ProGet recognized that this Newtonsoft.Json 12.0.3 package contains an MIT license.
But not all license types are as acceptable as an MIT license. Blocking undesirable licenses can protect your organization from legal liability. Configuring license filters in ProGet is simple.
Configure a License Filter at the Feed Level
To set up a license filter rule, navigate to the Manage Feed page.
Click on the Scanning & Blocking tab.
Select “Add License Filter Rule.”
Licenses like GPL-3.0 are often unacceptable to businesses. You can configure your feed to block attempted downloads of packages with a GPL-3.0 license.
Simply select the SPDX identifier from the dropdown, choose “Block This License,” and click “Create Rule.” This configures this rule at the feed level.
Attempting to download a package with a blocked license will be impossible, and ProGet will alert the user that the action is blocked due to license filtering rules.
ProGet has a long list of SPDX identifiers and known licenses, but it’s not an exhaustive list. You can allow or block packages with unknown licenses, and you can add a URL as a known license.
Add a Rule for an Unknown License Type
Packages without a clear SPDX Identifier or URL (either unspecified or not recognized by ProGet) is considered to have an unknown license.
When detecting an unknown license ProGet will warn you and give you the chance to create a new license type.
For example, ProGet detected an unknown license in this Castle.Core 4.4.1 package.
Click Metadata tab or click on the URL in the warning, and then read the license. Remember: ProGet is NOT your lawyer!
Reading this license, it’s clear that this is just a different way to represent the Apache-2.0 license. If that’s an acceptable license for your team, click “Assign License Type to Custom URL,” Pick “Apache-2.0” from the dropdown, and save.
Once you’ve added this license, all other packages with the same SPDX Identifier or URL will then be detected as that license type.
More with License Detection and Blocking
You can also configure allow/block rules at the global level. To do this, go to “Licenses” tab at top ProGet ribbon and select “Global.” If both a global and feed-level rule are defined for a license type, the feed-level rule will be used.
ProGet assembles its list of known licenses from SPDX. You can edit this list by going to Licenses > License Types.
Not all free/open source packages belong in your production applications. With package promotion, you can ensure that only NuGet packages that meet your internal quality standards get used in production-ready code.
Configure Retention Rules
As you download and cache more and more public packages, your disk space will quickly fill up with old and unused packages. You can configure retention rules to automatically reclaim disk space by deleting old or unused packages that meet criteria you define, such as unused or old versions.