License Risk

Checks the licenses in use in the customer's dependency tree. Identifies licenses that may pose a risk to commercial use.


Open source software generally ships with an associated license. If present, this license may be highly permissive to commercial use or may mandate the release of internal source code as a result of using the open source software package.

For example, we classify the Apache 2.0 license as a low risk:

This license is permissive, with few or no restrictions. You may typically use and 
modify the existing source code provided that the original copyright information 
is left intact.

In contrast, we classify the GNU General Public License (GNU GPL) as a high risk license:

This license is highly restrictive and may pose a significant risk to commercial
projects, including the possibility that you may be forced to release your 
software under the same license and royalty-free.


By leveraging existing open source software packages, you may be inadvertently agreeing to conditions that may prove difficult to adhere to in a commercial setting.

Risk Domains

Engineering, License

Impact on the Phylum Package Score

Licenses are broken down into three risk groups: low, medium, and high. The impact of the license risk will lower the package score commensurate to the impact it has on commercial viability.

Examples from the Past

On December 11, 2008, the Free Software Foundation (FSF) initiated a lawsuit against Cisco Systems claiming that their software was being distributed in violation of the GNU General Public License. This lawsuit resulted in a settlement between the two organizations and an undisclosed financial contribution to the FSF by Cisco Systems.

Did this page help you?