License Concluded

The License Concluded feature determines a single, dominant license for a dependency. This calculation is based on an analysis of the dependency's Declared License (manifest data) and Discovered Licenses (source code scans).

This field mirrors the PackageLicenseConcluded field in the SPDX specification and is used to prioritize license compliance workflows.

Enable License Concluded

License Concluded is disabled by default. It must be enabled at the Organization level before it appears in projects.

  1. Navigate to Settings > Organization > General.
  2. Scroll to the License Concluded section.
  3. Toggle the setting to On.

Note: Concluded License data is generated during dependency analysis. After enabling this feature, you must run a new CLI scan or trigger a Quick Import refresh for the data to populate.

Multi-License Support

FOSSA supports concluding multiple licenses for a single dependency when necessary. This occurs automatically in two primary scenarios:

  • Automatic "Explicit AND": When FOSSA's internal data aligns with external verification (such as web search data) to confirm a package is governed by multiple licenses simultaneously, the licenses are joined with an AND operator (e.g., MIT AND Apache-2.0).
  • Automatic "Permissive AND": If a package normally concludes to a permissive license (e.g., MIT) but a non-permissive license (e.g., GPL-3.0) is also detected within the package, FOSSA will AND them together to ensure the stricter obligations are not overlooked.

To view the data sources used to determine the license:

  1. Click the dependency name to open the details view.
  2. Select the Licenses tab.
  3. The Concluded License section displays the current conclusion.

License Policy Settings

You can configure how policies interact with Concluded Licenses. These settings are disabled by default and must be configured per policy.

  1. Navigate to Policies > [Policy Name].
  2. Click the Settings tab.
  3. Configure the following toggles:
  • Only create issues for Concluded Licenses: Restricts issue generation. When enabled, FOSSA will only create issues based on the package's Concluded License. Issues derived from Declared or Discovered licenses will not be created.
  • Intelligent Auto-Ignore: When enabled, licensing issues are generated for all license types, but issues stemming from non-concluded licenses (Declared or Discovered) are automatically marked as "Ignored." This preserves the data record while removing noise from the active issue list.
  • Create issues when a license can't be concluded: Ensures visibility for indeterminate licenses. If FOSSA cannot automatically determine a dominant license, a unique "Unconcluded" issue is created, prompting manual review.
  • Create issues when a dependency auto-concludes to multiple licenses: A new issue type for "Multi-Conclusions" can be enabled. When configured, an issue will appear whenever FOSSA's base conclusion results in multiple licenses (e.g., MIT AND GPL-3.0).

Reports and SBOMs

The Concluded License can be included in attribution reports and SBOM exports.

Attribution Reports

To include this field in a report:

  1. Navigate to Reports.
  2. Under Dependency Metadata (right sidebar), check Concluded License.

SBOM Exports

FOSSA maps the Concluded License to the following fields in SBOM standards:

  • SPDX: Mapped to PackageLicenseConcluded.
  • CycloneDX: Mapped to the acknowledgement field.
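The "Permissive AND" rule from Multi-License Support, the "Unconcluded" and "Multi-Conclusion" issue toggles from License Policy Settings, and the SPDX PackageLicenseConcluded mapping above, modelled as an added Python example. This is not FOSSA's code: the permissive/non-permissive split is a constructed sample table, and the example assumes the base conclusion is the manifest's Declared License, which the page does not state.

```python
# Added example, not FOSSA's own code: a small model of the conclusion rules and
# policy behaviour this page describes, rendered into SPDX tag-value form.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample classification; FOSSA's own permissive/non-permissive
# grouping is not given on this page and may differ.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}


@dataclass
class Dependency:
    name: str
    declared: Optional[str]  # license from the manifest, if any
    discovered: List[str] = field(default_factory=list)  # from source scans


def conclude(dep: Dependency) -> Optional[str]:
    """Dominant license as an SPDX expression, or None when unconcluded."""
    if not dep.declared:
        return None  # no manifest license: nothing to anchor a conclusion on (assumption)
    # "Permissive AND": a permissive base license plus a non-permissive
    # discovered license is joined with AND so the stricter terms stay visible.
    stricter = sorted({lic for lic in dep.discovered
                       if lic not in PERMISSIVE and lic != dep.declared})
    if dep.declared in PERMISSIVE and stricter:
        return " AND ".join([dep.declared] + stricter)
    return dep.declared


def policy_issues(dep: Dependency, unconcluded: bool = True, multi: bool = True) -> List[str]:
    """Issues the two optional policy toggles on this page would raise."""
    expr = conclude(dep)
    if expr is None:
        return [f"Unconcluded: {dep.name}"] if unconcluded else []
    if " AND " in expr and multi:
        return [f"Multi-Conclusion: {dep.name} -> {expr}"]
    return []


def spdx_package(dep: Dependency) -> str:
    """SPDX tag-value lines; NOASSERTION is the SPDX value for 'not concluded'."""
    expr = conclude(dep)
    return "\n".join([
        f"PackageName: {dep.name}",
        f"PackageLicenseDeclared: {dep.declared or 'NOASSERTION'}",
        f"PackageLicenseConcluded: {expr or 'NOASSERTION'}",
    ])
```

A permissive-only dependency concludes to its declared license, a permissive manifest with GPL-3.0 found in the source scan concludes to "MIT AND GPL-3.0" and raises a Multi-Conclusion issue, and a dependency with no declared license is emitted as NOASSERTION and raises an Unconcluded issue.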

Manual Editing

Users can override the automated Concluded License with a manual selection.

The following manual overrides are available:

  • Click 'Unconclude' to unconclude a given license.
  • Click 'Conclude' to conclude to one or more new licenses.
  • Click 'Add a License' to manually add a new license to the dependency, which can then be concluded to.
  • Click 'Add a License Group' to add a new group of licenses.

Manual edits take precedence over FOSSA's automated logic for the specific dependency.