MIT, Apache-2.0, and BSD licenses all carry attribution requirements: you must preserve copyright notices and license texts when distributing the software. Without a license inventory, you cannot verify that you are meeting these obligations, and during any commercial transaction — acquisition, enterprise sales with contractual IP representations, or legal due diligence — the absence of a license inventory is a red flag that slows or blocks the deal. SSDF PW.4 treats third-party component tracking as a requirement, not a nice-to-have. A license inventory is also the prerequisite for any copyleft or conflict check to be meaningful: you cannot evaluate what you have not enumerated.
Low because missing attribution documentation is a compliance gap rather than an active vulnerability, but it becomes a blocking issue during legal due diligence or enterprise sales.
Generate and commit a license inventory file. Add a generation script to package.json so it stays current on every build (the CSV output lists module name, license and repository for each production dependency):
npx license-checker --production --csv --out LICENSES.txt
Or wire it into package.json so CI can regenerate it on every build:
// package.json
"scripts": {
  "licenses": "license-checker --production --out LICENSES.txt"
}
Commit the generated LICENSES.txt and add a CI step that fails if the file is out of date.
ID: dependency-supply-chain.license.license-inventory
Severity: low
What to look for: Check for a NOTICE, LICENSES, third-party-licenses.txt, or similar attribution file in the project root or a legal/ directory. Alternatively, check package.json for a license script (e.g., "licenses": "npx license-checker --production"). Documentation of dependency licenses is a best practice for commercial projects. Count all instances found and enumerate each.
Pass criteria: A license inventory file exists, or a package.json script exists to generate one on demand, or the project has fewer than 5 production dependencies (too small to require formal tracking).
Fail criteria: No license inventory file or generation script exists, and the project has 5 or more production dependencies.
Skip (N/A) when: No package.json detected.
Detail on fail: "No license inventory file found. For commercial projects with multiple dependencies, maintaining an attribution document reduces legal risk and is required by some licenses."
Remediation: Some open-source licenses (MIT, Apache-2.0) require that attribution notices be included when distributing software. A license inventory file collects all required notices.
Generate and commit one (the CSV output lists module name, license and repository for each production dependency):
npx license-checker --production --csv --out LICENSES.txt
Or automate it in CI to keep it current on every build.