What are the levels of License Risk?

  • 12 January 2023
  • 1 reply

To grade the potential compliance risks involved with different licenses, we assess them using a grading system. Keep in mind that the color grading simply represents the estimated amount and complexity of the compliance concerns. This does not mean that some licenses are riskier than others - if you understand all the compliance requirements of a license and are able to fulfill them, then the license is practically risk-free regardless of our grading.

The risk levels are created under the assumption that the installed dependency is not affected by external factors, including, but not limited to, interactions with other dependencies and effects of compilation. We advise you to adjust the risk levels based on your own internal policies, risk tolerance and use case.



Banned license, high compliance risk, not allowed | Unknown license

This grading is used for a license that is not allowed use in, e.g. in company or project context, or for a use-case reason (such as with GPLv3 in consumer electronics) because it will likely cause a breach of the license terms, hence exposing you for possible legal challenges.
The same applies for an Unknown license - without knowing the conditions for the use of the code, you expose yourself for possible legal challenges.


Restricted license with substantial compliance risks. Such licenses should only be allowed after getting some legal guidance and on a case-by-case basis, as the compliance considerations are generally difficult to fully comply with.


Approved license, with sizable compliance considerations. In such licenses the source code must be made publicly available and there are restrictions in combining with other code under a different license, as with the licenses in the Copyleft license family.


Approved license, with few compliance considerations. In such licenses the copyright and permission notice must be maintained in distributions of code, as with most licenses of the Permissive license family. 


Non-OSS / Commercial / Proprietary license


To read more about license families, license risks, use cases, and compliance - check out our blog. 


1 reply

Userlevel 3
Badge +1

If there are new SPDX-licenses that have “unknown”, even if I have sent the use-case, will you add those to your database?