Dependency License Flags Checker

Project label:

Name the repository, service, release, or SBOM being checked.

Organization policy profile:

Pick the review posture that matches how this dependency set will ship or be used.

Input/source format:

Use Auto for mixed evidence, or pin the parser when a CI artifact should have one expected shape.

SPDX normalization:

Change this when source quality or SPDX expression handling should affect findings.

Dependency reach:

Keep All dependencies for formal release review; narrow the gate only when the source has extra inventory rows.

Unknown/unlisted handling:

Most release gates should review or block missing evidence instead of letting it pass silently.

Allowed licenses:

Keep this list tight to the policy you can approve automatically.

Review licenses:

Use this for weak copyleft, deprecated IDs, or licenses requiring approval evidence.

Denied licenses:

Include UNKNOWN here only when missing license data should block instead of enter review.

Dependency license source:

CSV headers such as dependency, version, license, scope, direct, owner, and path are recognized.

Review dependency license input

{{ error }}

{{ header }}	Copy
{{ cell }}
No rows are available Paste a dependency report or load the sample source before exporting this table.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

License flags usually appear late in a release because dependency evidence is scattered across manifests, scanner exports, software bills of materials, and old inventory spreadsheets. A useful review does more than find a license name. It asks whether the dependency evidence is complete enough, whether each license matches the organization policy, and whether the planned use changes the amount of scrutiny needed before shipping.

A dependency can be technically safe and still stop a release. Missing license evidence, a nonstandard license label, a strong-copyleft identifier, a commercial restriction, or a dual-license expression can all require a reviewer to slow down. The same dependency can also mean different things in different contexts. An internal service, a redistributed product, and an early inventory cleanup often use different approval pressure even when the raw license string is identical.

Most automated license reviews work from short identifiers rather than full legal text. SPDX identifiers such as MIT, Apache-2.0, and GPL-3.0-only give scanners and software bills of materials a common vocabulary. SPDX expressions then combine identifiers with operators such as AND, OR, and WITH. Those operators matter: MIT OR GPL-3.0-only offers a choice, while MIT AND GPL-3.0-only means both terms apply.

Dependency license evidence and common review concerns
Evidence item	What reviewers learn	Common failure
Dependency name and version	Which component is being approved for this release snapshot.	A stale export hides the version actually shipped.
Scope and directness	Whether the row affects runtime, build, test, optional, direct, or transitive use.	A dev-only row is treated like shipped code, or a runtime row is ignored.
License identifier or expression	Which policy class applies before legal or owner review.	Aliases, missing values, or custom text prevent a clean match.
Owner, path, or source clue	Who can fix the row and where the evidence came from.	A reviewer cannot trace the finding back to the artifact.

License policy lists are triage tools, not substitutes for legal review. A typical policy separates identifiers that are allowed without extra action, identifiers that require review, and identifiers that should be denied unless an exception exists. Unknown and unlisted values deserve their own treatment because they are evidence gaps rather than known approvals.

Dependency inventory moving through policy lists, expression checks, and release gate outcomes — A useful review keeps inventory evidence, policy lists, expression handling, and gate outcome tied together.

The practical goal is a defensible queue: rows that can pass, rows that need a reviewer, rows that should block, and rows whose evidence is too weak to trust. That queue helps engineering fix dependency choices and helps compliance preserve the reasoning behind a release decision.

How to Use This Tool:

Run one dependency evidence snapshot against one policy posture at a time. That keeps the summary, finding queue, chart, and JSON report aligned with the same release decision.

Enter a Project label that would make sense in a release ticket, audit note, container image record, or SBOM handoff.
Choose the Organization policy profile. Standard release gate fits ordinary release checks. Redistributed product raises pressure around distribution duties. Internal service focuses the review on production service use. Inventory discovery records blockers as follow-up instead of stopping a release.
Select the Input/source format. Leave it on Auto-detect CSV or JSON for pasted mixed evidence, or pin CSV, npm license-checker JSON, CycloneDX JSON, or SPDX JSON when a CI artifact should have one known shape.
Set SPDX normalization. Tolerant aliases cleans common scanner labels. SPDX strict expressions avoids alias expansion and sends unlisted WITH exceptions to review. Evidence-first conservative treats custom or non-SPDX-looking text as missing evidence.
Choose Dependency reach and Unknown/unlisted handling. For formal release review, start with all parsed dependencies and review or block unknown values. Narrow to release-surface or direct runtime rows only when the source includes extra inventory you deliberately want outside the gate.
Update Allowed licenses, Review licenses, and Denied licenses. Use comma-separated or line-separated SPDX identifiers and keep the allowed list limited to licenses your process truly approves without extra context.
Paste, drop, or browse the Dependency license source. If the status line shows zero rows, malformed JSON, or a headerless CSV warning you did not expect, fix the evidence before treating Policy Gate Snapshot as release-ready.

Read Policy Gate Snapshot first. Move to License Finding Queue for the work list, Dependency License Ledger for row-by-row evidence, Policy Scope Ledger when dependency reach excluded rows, and Review Recommendations for policy follow-up notes.

Interpreting Results:

The most important result is the active gate value. Block means at least one included row blocks under the selected profile and unknown policy. Review means no blocking row was found, but at least one included dependency still needs owner, license, distribution, or evidence review. Pass means the included rows matched the current policy lists without creating a block or review action.

A pass is not a legal clearance. It means the parsed dependency rows, active reach setting, normalization mode, and license lists did not raise a finding. Missing dependencies, incomplete SBOMs, overly generous allowed lists, scanner aliases, and stale release artifacts can still leave obligations outside the result.

License risk score compares policy pressure across runs made with the same settings. It is a triage score, not a legal-risk measurement.
Allowed choice means an OR expression has at least one allowed branch. Record the branch you rely on before approval.
Unknown and Unlisted rows point to evidence or classification gaps. Check the source artifact, registry metadata, repository license file, or SBOM evidence before sign-off.
Policy Scope Ledger should be checked whenever dependency reach is narrowed. Excluded dev, optional, transitive, or non-runtime rows may return to scope if the shipped artifact changes.
Included License Mix is useful for spotting concentration, such as a release dominated by review or unknown rows, but the finding queue remains the action list.

Technical Details:

Dependency license triage has two separate jobs. The first is evidence parsing: dependency rows must be reduced to a consistent set of names, versions, scopes, directness values, paths, owners, and license expressions. The second is policy classification: each expression is compared against allowed, review, denied, unknown, and unlisted outcomes.

SPDX expressions provide the main grammar for license meaning, but scanner exports are often imperfect. Common aliases may need normalization, NOASSERTION needs to be treated as missing evidence, and custom identifiers may not be reliable enough for automatic approval. The checker handles common identifier, AND, OR, WITH, comma, semicolon, and slash-separated patterns for triage. It does not replace a full legal analysis of license text, notice duties, source-offer requirements, or complex expression precedence.

Rule Core:

Each included row receives a policy outcome from the normalized license evidence. Denied and review matches take priority over allowed matches inside the same required group, while an allowed branch in an OR expression becomes an allowed choice that still needs documentation.

License expression evaluation rules
Pattern	Rule	Review meaning
Single identifier	Compare the normalized identifier with denied, review, and allowed lists.	The first matching policy class determines whether the row blocks, needs review, or passes.
`AND` group	Evaluate every required term and keep the highest-pressure outcome.	One denied, review, unknown, or unlisted term can keep the dependency out of the clear path.
`OR` alternatives	Evaluate branches as choices. If any branch is allowed, mark the row as Allowed choice.	The release record should state which acceptable branch is used.
`WITH` exception	Check the full expression first, then the base identifier when the full expression is not listed.	Strict SPDX mode sends unlisted exception text to review unless the full expression is explicitly classified.
Blank, unknown, or `NOASSERTION`	Treat the row as missing evidence.	Review or block the row according to Unknown/unlisted handling.

Score Construction:

The risk score is a pressure average across included dependencies. It starts from the row outcome, then adjusts for blocking unknowns, direct runtime importance, dev-like transitive rows, allowed choices in distribution contexts, and the selected policy profile.

Risk = round (\min (100, \frac{\sum_{i = 1}^{n} w_{i}}{n}))

Here n is the number of dependencies included by the active reach setting, and w_i is the adjusted pressure weight for one included row. Excluded rows appear in the scope ledger but do not contribute to the average.

Base policy outcomes and risk pressure weights
Outcome	Typical trigger	Gate effect	Base weight
Denied	License expression or base identifier matches the denied list.	Blocks release, redistribution, and service profiles; inventory discovery records follow-up.	100
Review	Identifier matches the review list.	Requires policy, owner, distribution, or legal review.	65
Unknown	License evidence is blank, missing, or not asserted.	Reviews or blocks according to unknown handling.	55
Unlisted	A specific identifier is present but not in any policy list.	Reviews, blocks, or passes according to unknown handling.	45
Allowed choice	An `OR` branch is allowed while another branch exists.	Needs selected-branch documentation before approval.	12
Allowed	Every checked term matches the allowed list.	Passes and stays in the attribution ledger.	0

Parsing and Scope Rules:

CSV rows, simple lists, npm license-checker style JSON, CycloneDX component lists, SPDX package lists, dependency arrays, dependency objects, and package-lock-like objects are reduced to the same review shape. Headered CSV can provide dependency, version, license, scope, directness, owner, and path columns. Headerless CSV is accepted in that order, but the warning should be read before relying on the output.

Dependency reach settings and inclusion rules
Reach setting	Included rows	Excluded rows
All parsed dependencies	Every parsed dependency row participates in the gate.	None, unless the source cannot be parsed.
Runtime, peer, direct, and build rows	Runtime, peer, build, and direct rows.	Dev, optional, or transitive-only inventory rows.
Direct runtime rows only	Rows that are both runtime-like and direct.	Transitive, dev, test, optional, build-only, or unknown-directness rows.

The finding queue sorts action rows by priority, gate effect, risk weight, and dependency name. Direct runtime blockers rise to the top, ordinary blockers follow, runtime review and unknown rows come next, and allowed-choice documentation is lower priority unless the redistribution profile raises it.

Privacy and Accuracy Notes:

Dependency names, versions, paths, owners, policy lists, and pasted license evidence are parsed in the browser page. The checker does not perform registry lookups, remote license validation, or server-side legal analysis for the dependency source. Normal page and script loading still involves browser network requests, and downloaded CSV, DOCX, chart, or JSON artifacts can contain sensitive release evidence.

A clean result depends on the completeness of the pasted report or SBOM.
Policy lists should be reviewed by the organization that owns the release decision.
Complex or unusual license text should be checked against the actual license and project context before approval.
The output is a triage aid and release-record helper, not legal advice.

Advanced Tips:

Pin Input/source format in continuous integration when the artifact is supposed to be CycloneDX JSON, SPDX JSON, or license-checker JSON; a format error is better than silently reading the wrong evidence shape.
Use SPDX strict expressions when WITH exceptions must be explicitly approved, and use Evidence-first conservative when custom license text should enter the unknown evidence queue.
Keep Unknown/unlisted handling on review or block for release gates. Review missing evidence only is better reserved for cleanup passes where unlisted identifiers are intentionally outside the active gate.
Check Policy Scope Ledger whenever Dependency reach excludes dev, optional, transitive, build, or unknown-directness rows; excluded rows can matter again if the shipped artifact changes.
Use Included License Mix to spot concentration, then use License Finding Queue as the action list because it preserves priority, gate effect, dependency name, reason, and next action.

Worked Examples:

A standard release snapshot includes vue under MIT, legacy-parser under GPL-3.0-only, and internal-grid with NOASSERTION. The Policy Gate Snapshot reports a blocking gate because the denied GPL row is included. License Finding Queue puts the block ahead of the unknown evidence row so the release owner can replace the dependency or approve an exception before resolving lower-pressure items.

A redistributed product contains dual-logger with MIT OR GPL-3.0-only. If MIT is allowed and GPL-3.0-only is denied, the row becomes Allowed choice rather than an immediate denial. The release record should still state that the product relies on the MIT branch and should preserve the required notices for the distributed artifact.

A team narrows Dependency reach to Direct runtime rows only for a production service check. A transitive build package with MPL-2.0 moves out of the active gate, but Policy Scope Ledger still lists why it was excluded. If the build output later embeds that package or the row becomes direct runtime evidence, rerun the check with a broader reach setting.

A pasted file selected as SPDX JSON returns a validation error because no package list is recognized. Switch Input/source format back to Auto or choose the matching format, then confirm that the source status line reports parsed dependency rows before using the gate value.

FAQ:

Does a pass mean every license obligation is cleared?

No. A pass means the parsed rows matched the allowed policy path under the current settings. It does not verify full license text, attribution files, notice placement, source-offer duties, or the completeness of the dependency evidence.

Why did a dual-license dependency still need action?

An OR expression can pass by one allowed branch, but the result is shown as Allowed choice so the release record can name the branch being used.

What should I do with unknown or unlisted licenses?

Use the source artifact, registry metadata, repository license file, or SBOM evidence to resolve unknown values. For unlisted identifiers, classify the SPDX ID into allowed, review, or denied policy before treating the row as approved.

Why are some dependencies excluded from the gate?

Dependency reach can narrow the active gate to release-surface rows or direct runtime rows. Check Policy Scope Ledger before sign-off so excluded dev, optional, transitive, build, or unknown-directness rows are intentional.

Why did my pasted report produce no useful rows?

The source may be empty, malformed JSON, a pinned format may not match the artifact, or headerless CSV may not be in dependency, version, license, scope, direct, owner, path order. Use the source status line and validation alert to correct the input.

Glossary:

SPDX identifier: A standardized short license ID such as MIT, Apache-2.0, or GPL-3.0-only.
SPDX expression: A machine-readable license statement that combines identifiers with operators such as AND, OR, and WITH.
Software bill of materials: A structured inventory of components and related metadata used for supply-chain, security, and license review.
Unknown: A row where license evidence is missing, blank, or not asserted.
Unlisted: A row where a specific identifier is present but has not been classified in the current policy lists.
Allowed choice: An OR expression with at least one allowed branch that still needs a selected-license note.

References:

SPDX License List, SPDX.
Annex D: SPDX License Expressions, SPDX Specification 2.2.2.
CycloneDX Specification Overview, OWASP Foundation.
package.json, npm Docs.