OSS License Intelligence

License information is collected from multiple sources:

• deps.dev API - Google's package intelligence (primary)
• Package manifests - package.json, setup.py, Cargo.toml
• GitHub License API - Repository license detection
• OSV Database - Vulnerability-linked package data

Raw license strings are normalized to SPDX identifiers:

• "Apache 2.0" → Apache-2.0
• "MIT License" → MIT
• "GPLv3" → GPL-3.0-only
• 90+ alias mappings in our registry

Each license is classified using our license_risk_map.json registry:

• Category - Permissive, Copyleft, Proprietary, etc.
• Risk Score - 0.0 (safe) to 1.0 (high risk)
• Policy - Allow, Review, or Deny
• OSI Approved - Open Source Initiative status

License risk is integrated into the Phoenix Security Score (v3.0):

• 12% weight in PS-SSF/OSS formula
• Combined with security vulnerabilities
• Affects package risk prioritization
• Shown on CVE and Package detail pages