How licenses are classified
Each license is sorted into an obligation-based category by keyword matching on the recorded license name:

| Category | What it means |
|---|---|
| Permissive | MIT/BSD/Apache-style — attribution/notice retention; minimal obligations. |
| Weak copyleft | LGPL/MPL-style — file- or library-level reciprocity. |
| Strong copyleft | GPL-style — source-disclosure obligations on derived works. |
| Network copyleft | AGPL/Affero-style — obligations triggered by network use. |
| Unknown | License couldn’t be determined, didn’t match a known pattern, or enrichment was temporarily unavailable. |
Each category also maps to a risk level, which is what the risk filter uses:

- Low — permissive licenses; typically just attribution.
- Review — weak-copyleft obligations (LGPL/MPL-style) to review before release.
- Restrictive — the strongest obligations: strong and network copyleft (GPL/AGPL-style).
- Unverified — license is unknown and should be clarified.
This classification is informational, not legal advice. It is derived from the
license name to help you find and review obligations, so compound or non-standard
strings may classify imprecisely; confirm those against the package’s actual
terms. ZeroPath does not block a build or fail a scan on license grounds.
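The classification above, as an added illustration that is not ZeroPath's own matching rules: a keyword classifier over recorded license names that maps each match to its category and risk level, orders patterns so that `GPL` does not swallow `LGPL`/`AGPL`, and flags compound or unmatched strings for manual confirmation. The patterns and the `classify` function are assumptions for this example.

```python
import re

# Patterns are checked most-restrictive first, so a compound expression such
# as "MIT OR GPL-2.0-only" lands in its most restrictive component. The \b in
# front of "GPL" keeps it from matching inside "LGPL" or "AGPL".
# Constructed illustration only, not ZeroPath's actual rule set.
CATEGORY_PATTERNS = [
    ("Network copyleft", re.compile(r"\b(AGPL|Affero)", re.I)),
    ("Strong copyleft",  re.compile(r"\bGPL|GNU General Public", re.I)),
    ("Weak copyleft",    re.compile(r"\b(LGPL|Lesser General Public|MPL|Mozilla Public)", re.I)),
    ("Permissive",       re.compile(r"\b(MIT|BSD|Apache)\b", re.I)),
]

# Category -> risk level used for filtering.
RISK_BY_CATEGORY = {
    "Permissive": "Low",
    "Weak copyleft": "Review",
    "Strong copyleft": "Restrictive",
    "Network copyleft": "Restrictive",
    "Unknown": "Unverified",
}

# SPDX-style compound operators (upper-case by convention) or a "/" separator
# mean the name carries more than one license; a single keyword hit is then
# an approximation that a human should confirm against the package's terms.
COMPOUND = re.compile(r"\b(AND|OR|WITH)\b|/")


def classify(license_name):
    """Return (category, risk, needs_confirmation) for a recorded license name."""
    name = (license_name or "").strip()
    if not name:
        return "Unknown", "Unverified", True
    category = "Unknown"
    for cat, pattern in CATEGORY_PATTERNS:
        if pattern.search(name):
            category = cat
            break
    needs_confirmation = category == "Unknown" or bool(COMPOUND.search(name))
    return category, RISK_BY_CATEGORY[category], needs_confirmation


if __name__ == "__main__":
    # Constructed sample of recorded license names.
    for sample in ["MIT", "LGPL-2.1-or-later", "GPL-3.0-only", "AGPL-3.0-only",
                   "SSPL-1.0", "MIT OR GPL-2.0-only"]:
        print(f"{sample:22} -> {classify(sample)}")
```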
Working with licenses
On the Supply Chain page, the licenses view summarizes your exposure by category, with at-a-glance tiles for permissive packages, copyleft packages to review, and unverified packages to confirm. It lists each license with the packages and repositories it appears in.

- Filter by risk to focus on the obligations that matter to your policy.
- Search any license identifier, for example `GPL-3.0-only` or `SSPL`, to highlight the affected packages and the applications that use them.
- Scope by repository, and optionally include or exclude ephemeral CLI scans.