License Concluded

The License Concluded feature determines a single, dominant license for a dependency. This calculation is based on an analysis of the dependency's Declared License (manifest data) and Discovered Licenses (source code scans).

This field mirrors the PackageLicenseConcluded field in the SPDX specification and is used to prioritize license compliance workflows.

Enable License Concluded

License Concluded is disabled by default. It must be enabled at the Organization level before it appears in projects.

  1. Navigate to Settings > Organization > General.
  2. Scroll to the License Concluded section.
  3. Toggle the setting to On.

Note: Concluded License data is generated during dependency analysis. After enabling this feature, you must run a new CLI scan or trigger a Quick Import refresh for the data to populate.

View Concluded Licenses

Once a scan is complete, the Concluded License is visible in the dependency inventory.

  1. Navigate to Projects > [Project Name] > Dependencies.
  2. The Concluded License is displayed in each package row where available.

To view the data sources used to determine the license:

  1. Click the dependency name to open the details view.
  2. Select the Licenses tab.
  3. The Concluded License section displays the current conclusion.

License Policy Settings

You can configure how policies interact with Concluded Licenses. These settings are disabled by default and must be configured per policy.

  1. Navigate to Policies > [Policy Name].
  2. Click the Settings tab.
  3. Configure the following toggles:
  • Only create issues for Concluded Licenses: Restricts issue generation. When enabled, FOSSA will only create issues based on the package's Concluded License. Issues derived from Declared or Discovered licenses will not be created.

  • Intelligent Auto-Ignore: When enabled, licensing issues are generated for all license types, but issues stemming from non-concluded licenses (Declared or Discovered) are automatically marked as "Ignored."

  • Create issues when a license can't be concluded: Ensures visibility for indeterminate licenses. If FOSSA cannot automatically determine a concluded license, an "Unconcluded" issue is created.

Reports and SBOMs

The Concluded License can be included in attribution reports and SBOM exports.

Attribution Reports

To include this field in a report:

  1. Navigate to Reports.
  2. Under Dependency Metadata (right sidebar), check Concluded License.

SBOM Exports

FOSSA maps the Concluded License to the following fields in SBOM standards:

  • SPDX: Mapped to PackageLicenseConcluded.
  • CycloneDX: Mapped to the acknowledgement field.

To include this field in a report:

  1. Navigate to Reports.
  2. Under Dependency Metadata (right sidebar), check Concluded License.
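
A check to run on an exported SBOM against the field mapping above, added here as an example and not FOSSA's own code: it reads `licenseConcluded` (the SPDX JSON form of PackageLicenseConcluded) and the CycloneDX `acknowledgement` value, then lists packages that carry no concluded license. The sample documents are constructed, their layout assumes SPDX 2.3 JSON and CycloneDX 1.6 JSON, and the function names are hypothetical.

```python
# Constructed samples, not real FOSSA exports. Layout assumes SPDX 2.3 JSON
# and CycloneDX 1.6 JSON (acknowledgement is set on each license entry).
SPDX_SAMPLE = {"packages": [
    {"name": "left-pad", "licenseDeclared": "MIT", "licenseConcluded": "MIT"},
    {"name": "libfoo", "licenseDeclared": "GPL-2.0-only",
     "licenseConcluded": "NOASSERTION"},
    {"name": "bar"},  # concluded field omitted entirely
]}
CDX_SAMPLE = {"components": [
    {"name": "left-pad", "licenses": [
        {"license": {"id": "MIT", "acknowledgement": "concluded"}}]},
    {"name": "libfoo", "licenses": [
        {"license": {"id": "GPL-2.0-only", "acknowledgement": "declared"}}]},
    {"name": "baz", "licenses": [
        {"expression": "MIT OR Apache-2.0", "acknowledgement": "concluded"}]},
]}

# Values treated here as "no conclusion recorded" in an SPDX document.
UNSET = {None, "", "NOASSERTION"}

def spdx_concluded(doc):
    """Map package name -> concluded license, or None when not asserted."""
    out = {}
    for pkg in doc.get("packages", []):
        value = pkg.get("licenseConcluded")
        out[pkg["name"]] = None if value in UNSET else value
    return out

def cyclonedx_concluded(doc):
    """Map component name -> licenses acknowledged as concluded, or None."""
    out = {}
    for comp in doc.get("components", []):
        found = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            # The field sits on the license object or beside an expression.
            ack = entry.get("acknowledgement") or lic.get("acknowledgement")
            if ack == "concluded":
                found.append(entry.get("expression") or lic.get("id") or lic.get("name"))
        out[comp["name"]] = found or None
    return out

def unconcluded(mapping):
    """Names with no concluded license, sorted for stable review output."""
    return sorted(name for name, lic in mapping.items() if not lic)

if __name__ == "__main__":
    print("SPDX unconcluded:", unconcluded(spdx_concluded(SPDX_SAMPLE)))
    print("CycloneDX unconcluded:", unconcluded(cyclonedx_concluded(CDX_SAMPLE)))
```

A license that is only `declared` in CycloneDX, or `NOASSERTION` in SPDX, shows up in the unconcluded list, which is the set a compliance reviewer still has to resolve.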

Manual Editing

Users can override the automated Concluded License with a manual selection.

The following manual overrides are available:

  • Click 'Unconclude' to unconclude a given license.
  • Click 'Conclude' to conclude to one or more new licenses.
  • Click 'Add a License' to manually add a new license to the dependency, which can then be concluded to.
  • Click 'Add a License Group' to add a new group of licenses.

Manual edits take precedence over FOSSA's automated logic for the specific dependency.