This certificate applies to software projects that are not externally distributed or have not yet declared a licence. It confirms that all third-party dependencies, including transitive ones, have been identified and externally verified for mutual licence compatibility and critical vulnerabilities. It is suitable for internal tools or services, unlicensed or unpublished code, and projects seeking external validation before choosing a licence.

I does not grant distribution rights or replace licence selection and compliance, as it does not assess the project's own licensing. However, it offers assurance of third-party legal risks than the Self-Assessed Dependencies certificate.

A full specification of the Verified Dependencies certificate is also available.

Prerequisites

Ensure your software project:

• Has all dependencies identified and documented.

• Has all their licences confirmed and mutually compatible for use in the software.

• Contains no known critical vulnerabilities in dependencies.
• Has listed any other third-party intellectual property.

Step-by-Step Process

Identify and Verify All Dependencies

Compile all third-party dependencies, including transitive ones, through structured manual review or by using a Software Composition Analysis (SCA) tool, including the GÉANT SCA service.

Document licence and vulnerability information for each dependency.

Assess Compatibility and Compliance

Confirm that all dependencies are under suitable open source or proprietary terms and are mutually compatible for use within your software.

Address any licence violations or improper use of third-party intellectual property.

Address Known Issues

Resolve any known licence incompatibilities and critical vulnerabilities in dependencies before proceeding with certification.

Submit Request

Send a request to the Licence Management Team, including:

• Assessment or SCA tool results
• Third-party IP details
• Supporting documentation

Also include your SCA results or refer to the GÉANT SCA service performed, and third-party IP details, if any.

Use sw-licences@software.geant.org, #sw-licences on the GÉANT Project Slack, or submit a Software Review Request in the Help Desk.

Respond to Review Feedback

Provide clarifications or perform remediation if requested by the Licence Management Team.

Use Certificate

Upon approval, your project will receive the Verified Dependencies certificate, which will be visible in the GÉANT Software Catalogue.

You may reference the certificate in your documentation, metadata, project page, or communications. The Licence Management Team will provide guidance on how to do this.

After Certification

Maintain Compliance

Keep dependency and verification data current. Address:

• New dependencies
• Newly discovered vulnerabilities or licence incompatibilities between dependencies

Certificate Validity

The certificate is valid for five years, covering all versions released within that period, provided vulnerabilities or mutual licence incompatibilities are addressed.

Renewal

Submit a renewal request to extend the certificate for an additional five-year period when needed.

Avoiding Revocation

The certificate may be revoked if:

• Incompatible dependency licences are introduced or discovered
• Non-compliance between component licences remains unresolved
• Complaints about undeclared, mutually licence-incompatible, or critically vulnerable dependencies are confirmed and unresolved
• The team fails to respond to enquiries or complaints during investigations and reviews
• The development team requests revocation

Optional: Set Up Licence Scanning

Integrate licence scanning into your development pipeline to detect issues early.