Understanding Licensing Issues

What each licensing issue type means, what triggers it, and what action is required.

3 min readUpdated Jul 9, 2026

Enterprise feature

Available on: Business, Enterprise.

Overview

When FOSSA scans a project, it compares every detected license and dependency against your licensing policy and checks for missing license data. Anything that requires attention surfaces as a licensing issue in the Issues tab.

Issue types

There are five licensing issue types. The first two are policy-driven: they fire based on rules you configure. The last three are data-quality issues: they fire when FOSSA can't determine a clean license picture.

Issue typeWhat triggers it
DeniedA Deny rule in your policy matched a license or dependency in this project.
FlaggedA Flag for Review rule matched; the license needs manual evaluation before it can be approved or denied.
UnlicensedFOSSA found no license information for the dependency. It can't determine whether the license is acceptable.
UnconcludedFOSSA detected multiple licenses on a dependency and none has been concluded. The effective license is ambiguous.
Concluded (Multi)A dependency had multiple detected licenses and a user manually concluded which one applies. This is informational. The conclusion is recorded and the ambiguity is resolved.
Global Licensing issues tab showing 163 active issues grouped by package, with issue counts per row and filter panel for package manager, project labels, depth, and issue status

What each type requires

Denied issues block compliance. The dependency must be removed, replaced, or have its rule updated in the policy before the project can pass.

Flagged issues require a human decision. A reviewer must approve or deny the flagged license before the issue is resolved.

Unlicensed and Unconcluded issues require license data to be provided. Options include editing the dependency to add a concluded license, or updating the dependency to a version that declares one. See License Corrections.

Concluded (Multi) issues are resolved, no action required. They appear in the issue list as a record of the conclusion.

Where issues come from

Beyond its type, two properties describe where a licensing issue originates:

  • Issue source: most issues come from a dependency (a component resolved from a package manager). They can also come from a snippet, a license match FOSSA found directly in your first-party source code via Snippet Scanning. With Vendored Dependency Detection enabled, dependency-sourced issues are split further into Managed (package-manager) and Vendored (copied into your source tree).
  • License identification: a Declared license is one the package author stated in the manifest; a Discovered license is one FOSSA found by scanning the source. A dependency can have both, and the issue records which signal it came from.

Issue status

An issue is Active (needs attention) or Ignored (suppressed so it doesn't block CI checks). A third lifecycle state, Remediated, applies once an issue that was present in a previous revision is gone in the current one.

An issue can be ignored in three ways:

  • Manually: a reviewer dismisses it, ideally with a documented reason.
  • By an ignore rule: an auto-ignore rule suppresses it across versions or projects (see Reviewing Licensing Issues).
  • By policy: the Intelligent Auto-Ignore setting auto-ignores non-concluded issues.

Ignoring suppresses an issue; it doesn't fix the underlying problem. Use it sparingly.

What's next

© 2026 FOSSA, Inc.support@fossa.com