Creating a license report for your NuGet feed
When managing your dependencies using MyGet, it may be important to have a view on which licenses are used on your feeds and in your software projects. Which licenses are your NuGet packages using? Many teams would love to know which (open source) licenses are being used by their teams, so they can be inspected and managed. It feels good to finally tackle one of those items that have been on our backlog for almost two years: we now support this exact scenario!
Note: this feature is only available for paid subscriptions.
From your feed, a new Licenses tab should now be visible showing a report of all licenses used by packages on your feed.
The licenses overview gives you a chart that provides a quick view on licenses in use. The list underneath shows all different licenses used per package identifier. If a package changed license over time, it will be listed twice. To quickly filter the detailed list, simply click one of the colors in the chart: this will show just the packages that have the selected license applied.
Where does license information come from?
Whenever a package is uploaded to your feed, whether from an upstream package source or by using nuget push, MyGet will perform a license analysis on the package. The license is determined as follows:
- If we’ve seen the package’s license URL before, we will assign the same license to the package that is being added.
- If your feed contains a package with the same identifier, we’ll take that package’s license.
- If we haven’t, we’ll download the license URL result and run a full-text analysis on it. We’ve been working on a unique scoring algorithm which compares the text with known OSI licenses out there.
- If the score is too low, we assign the license “Unknown” to the package.
Can I change licenses for a package?
Absolutely! Whenever you have a package where the license analysis was incorrect, or you have a proprietary package which has a unique license name, it is possible to assign it to a package. From the package details page, you can inspect the package license as well as override it.
Editing the license will open a dialog in which you can edit the license. We’ll provide autocompletion on known OSI licenses, but if you have a proprietary license name that can be entered here as well. Once a license has been overriden, new versions of the package will be assigned the overriden license.
We’re eager to hear your feedback on this feature!