License field and LICENSE file present
Why it matters
Without a license field and a LICENSE file, your package falls under default copyright: nobody has been granted the right to copy, modify or redistribute it, so consumers who install it have no legal basis for using it, even internally. Enterprise legal teams routinely reject dependencies with no license declaration. A machine-readable SPDX license expression is what lets automated license scanners in CI pipelines verify the package without human review (SSDF PO.1.2). A package without a clear SPDX identifier will not pass compliance checks at many organizations, so it gets blocked regardless of its technical quality.
Severity rationale
Medium because missing license data triggers automated blocking by enterprise compliance scanners and exposes users to legal risk, though the package still functions technically.
Remediation
Add an SPDX license field to package.json and create a LICENSE file in the project root.
{ "license": "MIT" }
Create LICENSE at the repo root with the full license text. For MIT:
MIT License
Copyright (c) 2026 Your Name
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction...
Use https://choosealicense.com to select the right license. Ensure the license field in package.json matches the LICENSE file exactly (same license, same version); a mismatch such as "MIT" in package.json with Apache-2.0 text in LICENSE creates legal ambiguity about which terms apply.
Detection
- ID: license-field
- Severity: medium
- What to look for: List all package.json files and LICENSE files. For each, check for:
  - a license field in package.json with a valid SPDX identifier (e.g., MIT, Apache-2.0, ISC, BSD-3-Clause)
  - a LICENSE or LICENSE.md file in the project root
  - that the two are consistent (both say MIT, or both say Apache-2.0)
  For Python, check the [project] license field in pyproject.toml. For Rust, check the [package] license field in Cargo.toml.
- Pass criteria: Valid SPDX license field in the package metadata AND a LICENSE/LICENSE.md file in the project root. 100% of packages must have both a license field and a LICENSE file. Report: "X packages found, all Y have license field and LICENSE file."
- Fail criteria: Missing license field, OR an invalid/non-SPDX license identifier, OR no LICENSE file in the project root. Note that npm's "UNLICENSED" (proprietary, no rights granted) and "SEE LICENSE IN <file>" values are not SPDX identifiers and fail this check.
- Skip (N/A) when: Never. Every published package should have a license; without one, default copyright applies and no one can legally use the code.
- Detail on fail: "license field in package.json is 'UNLICENSED' and no LICENSE file exists. Without an explicit license, other developers cannot legally use this package."
- Remediation: Choose a license appropriate for your project. For most open-source packages, MIT is the simplest choice:
  // package.json
  { "license": "MIT" }
  Then create a LICENSE file in the project root:
  MIT License
  Copyright (c) 2026 Your Name
  Permission is hereby granted, free of charge, to any person obtaining a copy ...
  Use https://choosealicense.com if you need help deciding.
External references
- spdx · license-expression — SPDX license expression in package metadata
- ssdf:800-218 · PO.1.2 — Establish and maintain criteria for software security checks, including licensing
Taxons
History
- 2026-04-18·v1.0.0·Initial import from sdk-package-quality·automated