How to Generate a Report with All Used Licenses in Your Environment Using JFrog Xray

JFrog Security User Guide

This use case describes how to configure Xray to scan an environment and generate a detailed license report, helping teams ensure compliance, manage risks, and support legal audits..

Step 1: Define a License Policy in Xray

πŸ“Œ Goal: Ensure all artifacts and dependencies comply with legal and internal policies.

  1. Navigate to JFrog Platform β†’ Xray.
  2. Go to Security & Compliance β†’ Policies.
  3. Click "Create Policy", selecting "License" as the policy type.
  4. Configure the policy:
    • Name: License Compliance Policy
    • Description: Identifies all software licenses used in the environment.
    • Allowed Licenses: Select approved licenses (e.g., MIT, Apache-2.0, BSD).
    • Restricted Licenses: Select licenses that violate company policy (e.g., GPL-3.0, AGPL-3.0).
    • Actions:
      • βœ… Generate Report (Creates a full license report).
      • βœ… Fail Build (Blocks CI/CD if non-compliant licenses are detected).
      • βœ… Notify Compliance Team (Email/Slack alerts for restricted licenses).
  5. Click Save.

Step 3: Generate a License Report

πŸ“Œ Goal: Run a scan and create a report listing all licenses used in the environment.

  1. Navigate to Xray β†’ Reports.
  2. Click "Generate Report" β†’ "License Report".
  3. Select Scope:
    • βœ… Repositories: Choose all relevant repositories.
    • βœ… Builds: Include all software builds.
    • βœ… Packages: Scan all dependency types.
  4. Define Filters:
    • βœ… Include all licenses (Allowed, Restricted, Unknown).
    • βœ… Export as CSV or JSON for external analysis.
  5. Click "Generate" to create the report.

Step 4: Review and Analyze the Report

πŸ“Œ Goal: Examine license usage and identify any compliance risks.

Example Report Output (CSV/JSON)

Package NameVersionLicenseCompliance StatusRisk Level
log4j2.14.1Apache-2.0βœ… CompliantLow
express4.17.1MITβœ… CompliantLow
openssl1.0.1OpenSSL License⚠️ RestrictedMedium
my-library1.2.3GPL-3.0❌ Non-CompliantHigh

βœ… Compliance Actions Based on Report Findings:

  • If Only Allowed Licenses Are Found: Approve software for deployment.
  • If Restricted Licenses Exist: Evaluate and obtain legal approval.
  • If Non-Compliant Licenses Exist: Block deployment and seek alternatives.

Step 5: Automate Report Generation in CI/CD

πŸ“Œ Goal: Ensure license reports are automatically generated in the build pipeline.

Jenkins Pipeline Example (Xray API Call for License Report Generation)

shCopyEditcurl -u user:password -X POST "https://artifactory.example.com/xray/api/v1/reports" \
  -H "Content-Type: application/json" \
  -d '{
        "name": "License Compliance Report",
        "resources": {
          "type": "repository",
          "names": ["maven-central", "npm-registry"]
        },
        "filters": {
          "licenses": ["ALL"]
        },
        "output": {
          "format": "csv",
          "destination": "artifactory://reports"
        }
      }'

βœ… Expected Outcome:

  • A license compliance report is generated for all scanned artifacts.
  • The report is stored in Artifactory for review.
  • If non-compliant licenses are found, the build fails, and the compliance team is notified.