This certificate applies to software projects that are not externally distributed or have not yet declared a licence. It confirms that all third-party dependencies, including transitive ones, have been identified and externally verified for mutual licence compatibility and critical vulnerabilities. It is suitable for internal tools or services, unlicensed or unpublished code, and projects seeking external validation before choosing a licence.
It does not grant distribution rights or replace licence selection and compliance, as it does not assess the project's own licensing. However, it offers greater assurance regarding third-party legal risks than the Self-Assessed Dependencies certificate.
A full specification of the Verified Dependencies certificate is also available.
Prerequisites
Ensure your software project:
- Has all dependencies identified and documented.
- Has all their licences confirmed and mutually compatible for use in the software.
- Contains no known critical vulnerabilities in dependencies.
- Has listed any other third-party intellectual property.
Step-by-Step Process
Identify and Verify All Dependencies
Compile all third-party dependencies, including transitive ones, through a structured manual review or by using a Software Composition Analysis (SCA) tool, such as the GÉANT SCA service.
Document licence and vulnerability information for each dependency.
Assess Compatibility and Compliance
Confirm that all dependencies are under suitable open source or proprietary terms and are mutually compatible for use within your software.
Address any licence violations or improper use of third-party intellectual property.
Address Known Issues
Resolve any known licence incompatibilities and critical vulnerabilities in dependencies before proceeding with certification.
Submit Request
Send a request to the Licence Management Team, including:
- Assessment or SCA tool results
- Third-party IP details
- Supporting documentation
Attach your SCA results, or refer to the GÉANT SCA service scan that was performed, and include third-party IP details, if any.
Use sw-licences@software.geant.org, #sw-licences on the GÉANT Project Slack, or submit a Software Review Request in the Help Desk.
Respond to Review Feedback
Provide clarifications or perform remediation if requested by the Licence Management Team.
Use Certificate
Upon approval, your project will receive the Verified Dependencies certificate, which will be visible in the GÉANT Software Catalogue.
You may reference the certificate in your documentation, metadata, project page, or communications. The Licence Management Team will provide guidance on how to do this.
After Certification
Maintain Compliance
Keep dependency and verification data current. Address:
- New dependencies
- Newly discovered vulnerabilities or licence incompatibilities between dependencies
Certificate Validity
The certificate is valid for five years, covering all versions released within that period, provided vulnerabilities or mutual licence incompatibilities are addressed.
Renewal
Submit a renewal request to extend the certificate for an additional five-year period when needed.
Avoiding Revocation
The certificate may be revoked if:
- Incompatible dependency licences are introduced or discovered
- Non-compliance between component licences remains unresolved
- Complaints about undeclared, mutually licence-incompatible, or critically vulnerable dependencies are confirmed and unresolved
- The team fails to respond to enquiries or complaints during investigations and reviews
- The development team requests revocation
Optional: Set Up Licence Scanning
Integrate licence scanning into your development pipeline to detect issues early.
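As an added illustration, not code from the GÉANT SCA service or the Licence Management Team, the following Python script applies the two checks this certificate turns on, mutual licence compatibility between dependencies and absence of critical vulnerabilities, to a constructed dependency list of the kind an SCA export provides. The dependency names, the incompatibility table and the severity threshold are assumptions chosen for illustration, and the table is not legal advice.

```python
from itertools import combinations

# Constructed sample, not a real SCA export: each entry carries the licence
# and the worst known vulnerability severity reported for that dependency.
DEPENDENCIES = [
    {"name": "libfoo", "version": "1.2.0", "licence": "Apache-2.0", "max_severity": "LOW"},
    {"name": "barlib", "version": "0.9.1", "licence": "GPL-2.0-only", "max_severity": "NONE"},
    {"name": "bazjs", "version": "3.4.5", "licence": "MIT", "max_severity": "CRITICAL"},
]

# Illustrative licence pairs commonly treated as mutually incompatible (assumption;
# a real policy would be supplied by the Licence Management Team).
INCOMPATIBLE_PAIRS = {
    frozenset({"GPL-2.0-only", "Apache-2.0"}),
    frozenset({"GPL-2.0-only", "GPL-3.0-only"}),
    frozenset({"GPL-2.0-only", "Proprietary"}),
    frozenset({"GPL-3.0-only", "Proprietary"}),
}

# Severity levels that block certification until resolved (assumption).
BLOCKING_SEVERITIES = {"CRITICAL"}


def licence_conflicts(deps):
    """Return (name_a, name_b) pairs whose licences are mutually incompatible."""
    conflicts = []
    for a, b in combinations(deps, 2):
        if frozenset({a["licence"], b["licence"]}) in INCOMPATIBLE_PAIRS:
            conflicts.append((a["name"], b["name"]))
    return conflicts


def vulnerable_deps(deps):
    """Return names of dependencies whose worst known vulnerability is blocking."""
    return [d["name"] for d in deps if d["max_severity"] in BLOCKING_SEVERITIES]


def assess(deps):
    """Summarise findings; 'ready' is True only when nothing blocks certification."""
    conflicts = licence_conflicts(deps)
    vulnerable = vulnerable_deps(deps)
    return {"licence_conflicts": conflicts, "critical_vulns": vulnerable,
            "ready": not conflicts and not vulnerable}


if __name__ == "__main__":
    result = assess(DEPENDENCIES)
    for a, b in result["licence_conflicts"]:
        print(f"licence conflict: {a} <-> {b}")
    for name in result["critical_vulns"]:
        print(f"critical vulnerability: {name}")
    print("ready for certification" if result["ready"] else "blocked")
```

Run against a real SCA export, the same two functions give the list of items to resolve before submitting the request.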