Enterprise Software Supply Chain Manager (ESSCM)
Suppliers & Licenses
Track component suppliers and manage license compliance
The Suppliers & Licenses tab provides comprehensive information about your dependencies' origins and licensing, helping you maintain compliance and manage supplier relationships.
Overview
Track suppliers and licenses to:
- Ensure license compliance
- Identify supplier relationships
- Manage attribution requirements
- Assess supplier risk
- Meet legal requirements
Supplier Information
Supplier Data
For each component, view:
| Field | Description |
|---|---|
| Supplier Name | Organization or individual |
| Supplier URL | Official website or repository |
| Contact | Support or security contact |
| Verification | Identity verification status |
Supplier Types
| Type | Description |
|---|---|
| Open Source Project | Community-maintained projects |
| Commercial Vendor | Paid software suppliers |
| Internal | Components built in-house |
| Unknown | Supplier information unavailable |
License Information
License Summary
View license distribution across your project:
| Metric | Description |
|---|---|
| Total Licenses | Number of distinct licenses |
| License Types | Categories (Permissive, Copyleft, etc.) |
| Compliance Status | Overall compliance state |
| Attribution Required | Licenses requiring attribution |
License Categories
| Category | Examples | Characteristics |
|---|---|---|
| Permissive | MIT, Apache 2.0, BSD | Minimal restrictions |
| Weak Copyleft | LGPL, MPL | File-level copyleft |
| Strong Copyleft | GPL, AGPL | Full copyleft |
| Commercial | Proprietary | Paid/restricted |
| Public Domain | Unlicense, CC0 | No restrictions |
License Compliance
Compliance Status
| Status | Meaning |
|---|---|
| ✅ Compliant | All licenses compatible |
| ⚠️ Review Needed | Some licenses need review |
| ❌ Violation | License conflict detected |
| ❓ Unknown | License could not be determined |
Common Compliance Issues
| Issue | Description | Resolution |
|---|---|---|
| GPL in Proprietary | GPL component in closed-source | Replace or open-source |
| AGPL Network Use | AGPL with network distribution | Review usage or replace |
| Missing Attribution | Attribution not provided | Add required notices |
| License Conflict | Incompatible licenses | Replace conflicting component |
Viewing License Details
1. Open the project
2. Navigate to the Suppliers & Licenses tab
3. View the license summary
4. Click individual components for details
Component License View
For each component:
- License identifier (SPDX)
- License text
- Obligations
- Attribution requirements
- Compatibility analysis
License Policies
Creating License Policies
Define acceptable licenses:
1. Go to Settings → License Policies
2. Click + New Policy
3. Configure allowed/blocked licenses
4. Set scope (organization or project)
5. Save the policy
Policy Rules
| Rule Type | Description |
|---|---|
| Allowlist | Only these licenses permitted |
| Blocklist | These licenses prohibited |
| Review List | These licenses require approval |
Policy Enforcement
License policies can:
- Generate warnings in UI
- Fail security gates
- Block deployments
- Send notifications
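As an added illustration (not ESSCM's own code) of how the Compliance Status values and the three Policy Rule types above combine, the following evaluates SPDX license identifiers from an SBOM against an allowlist/blocklist/review-list policy and rolls them up to a project status. The severity ordering, the handling of flat `AND`/`OR` SPDX expressions, and all sample data are assumptions constructed for the example.

```python
"""Evaluate SPDX license identifiers against an allowlist/blocklist/review-list policy
and roll the results up to a project compliance status. Added illustration, not ESSCM
code: the severity order and AND/OR handling are assumptions, sample data is constructed."""
from dataclasses import dataclass, field

COMPLIANT, UNKNOWN, REVIEW, VIOLATION = "Compliant", "Unknown", "Review Needed", "Violation"
SEVERITY = {COMPLIANT: 0, UNKNOWN: 1, REVIEW: 2, VIOLATION: 3}  # assumed roll-up order

@dataclass
class LicensePolicy:
    allow: set = field(default_factory=set)   # Allowlist: only these are permitted
    block: set = field(default_factory=set)   # Blocklist: these are prohibited
    review: set = field(default_factory=set)  # Review list: these require approval

def evaluate_identifier(spdx_id, policy):
    """Status of one SPDX identifier (no operators)."""
    if spdx_id in ("", "NOASSERTION", "NONE"):
        return UNKNOWN  # license could not be determined
    if spdx_id in policy.block:
        return VIOLATION
    if spdx_id in policy.review:
        return REVIEW
    if not policy.allow or spdx_id in policy.allow:
        return COMPLIANT
    return VIOLATION  # an allowlist is in force and this license is not on it

def evaluate_expression(expr, policy):
    """Flat SPDX expression: 'A OR B' lets the consumer pick the best alternative,
    'A AND B' must satisfy every term (worst term wins). Parentheses not handled."""
    alternatives = []
    for alt in (expr or "").split(" OR "):
        terms = [evaluate_identifier(t.strip(), policy) for t in alt.split(" AND ")]
        alternatives.append(max(terms, key=SEVERITY.__getitem__))
    return min(alternatives, key=SEVERITY.__getitem__)

def evaluate_project(components, policy):
    """Return ({name: status}, overall) for SBOM-style {'name', 'license'} dicts."""
    per = {c["name"]: evaluate_expression(c.get("license"), policy) for c in components}
    return per, max(per.values(), key=SEVERITY.__getitem__, default=COMPLIANT)

SAMPLE_POLICY = LicensePolicy(allow={"MIT", "Apache-2.0", "BSD-3-Clause"},  # constructed
                              block={"GPL-3.0-only", "AGPL-3.0-only"},      # closed-source
                              review={"LGPL-2.1-only", "MPL-2.0"})          # product policy
SAMPLE_COMPONENTS = [  # constructed names, not real packages
    {"name": "http-client", "license": "Apache-2.0"},
    {"name": "dual-licensed-lib", "license": "MIT OR GPL-3.0-only"},  # MIT path is fine
    {"name": "codec-lib", "license": "LGPL-2.1-only AND MPL-2.0"},    # both need review
    {"name": "vendored-blob", "license": "NOASSERTION"},
]
```

A component with no determinable license lands in Unknown rather than Compliant, so a missing license field can never silently pass a security gate.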
Attribution Generation
Generating Attribution
Create attribution documents:
1. Click Export → Attribution Notice
2. Select a format (TXT, HTML, Markdown)
3. Customize the template
4. Download the attribution file
Attribution Contents
- Component name and version
- License type
- Copyright notices
- License text (if required)
- Supplier information
Automatic Updates
Enable automatic attribution updates:
- Generate with each SBOM update
- Include in build artifacts
- Publish to documentation
Supplier Analysis
Supplier Risk Assessment
Evaluate supplier risk:
| Factor | Assessment |
|---|---|
| Reputation | Known, trusted supplier |
| Longevity | Time in market |
| Support | Support availability |
| Security | Security track record |
| Compliance | Regulatory compliance |
Supplier Concentration
Identify supplier concentration risk:
- Top suppliers by component count
- Single points of failure
- Geographic distribution
- Organizational diversity
Reports
License Report
Generate license reports:
1. Click Export → License Report
2. Select scope and format
3. Download the report
Report Types
| Report | Contents |
|---|---|
| Summary | License overview and compliance |
| Detailed | Full license for each component |
| Attribution | Attribution notices |
| Compliance | Policy compliance status |
API Access
```bash
# Get license information
curl -X GET https://api.safeguard.sh/v1/projects/{id}/licenses \
  -H "Authorization: Bearer $API_KEY"

# Get supplier information
curl -X GET https://api.safeguard.sh/v1/projects/{id}/suppliers \
  -H "Authorization: Bearer $API_KEY"

# Generate attribution
curl -X POST https://api.safeguard.sh/v1/projects/{id}/attribution \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"format": "markdown"}'
```
Best Practices
License Management
- Define license policy early
- Review the license of every new dependency before adopting it
- Keep attribution up to date
- Train team on license types
Supplier Management
- Document supplier relationships
- Assess supplier risk regularly
- Have alternatives for critical suppliers
- Monitor supplier health
Compliance
- Automate license checking
- Include in security gates
- Review regularly with legal
- Maintain compliance documentation
Integration with TPRM
Link supplier data with Third Party Risk Manager:
- Track vendor relationships
- Manage supplier SBOMs
- Monitor supplier security
- Assess vendor risk