parryai.dev
License guide

What an open-source license costs your product.

A license flag is not a security defect — it’s a legal and commercial question: are you allowed to ship this, and on what terms? That’s why Parry keeps licensing in its own lane, out of your vulnerability counts. This page explains the five risk tiers it assigns, what each one obligates you to do, and when it actually threatens a proprietary or SaaS product.

The five tiers

Ordered most- to least-restrictive. The badge on each card is the same one you’ll see on a finding in the Licensing tab.

forbidden
SSPL-1.0 · BUSL-1.1 · Commons Clause · “non-commercial”

License terms that conflict with most commercial or SaaS distribution outright.

Impact · Can legally stop you shipping or operating the product as intended. SSPL can require open-sourcing your entire service stack the moment you offer the software over a network; BUSL bars production use for a fixed term before it converts.

Do · Treat as a blocker. Remove or replace it before you ship, or get written legal sign-off first.

copyleft
GPL-2.0 · GPL-3.0 · AGPL-3.0

Strong copyleft. Distributing software that includes this code can force you to release your own source under the same license.

Impact · Incompatible with keeping the linked work proprietary once you distribute it. AGPL is the SaaS trap — it triggers on network use, not just distribution, so running it behind your own API can pull your code into scope.

Do · Isolate it behind a process boundary, replace it, or accept open-sourcing the linked work. AGPL anywhere near a SaaS backend deserves immediate review.

weak copyleft
LGPL-2.1 · LGPL-3.0 · MPL-2.0 · EPL-2.0

Weak, file- or library-scoped copyleft. You must share changes to the library’s own files; your separate code can stay closed.

Impact · Usually fine for a proprietary product if you link to it dynamically and leave it unmodified. Static linking or patching the library itself pulls more obligations in.

Do · Keep it at arm’s length — dynamic linking, no forks baked into your tree. Publish any edits you make to the library.

permissive
MIT · ISC · BSD-2-Clause · BSD-3-Clause · Apache-2.0

Permissive. Use freely in proprietary and commercial products; the main duty is preserving copyright and license notices.

Impact · Minimal. Apache-2.0 adds an explicit patent grant and a NOTICE-file requirement; BSD-3-Clause forbids using the author’s name to endorse your product.

Do · Ship the license text and attribution with your distribution. Otherwise, use freely.

unknown
custom / dual licenses · no SPDX match · no license file

Couldn’t be matched to a known license, or the package ships none at all.

Impact · Unquantified — and “no license” defaults to all-rights-reserved, which is more restrictive than copyleft, not less.

Do · Read the actual terms (or confirm their absence) before depending on it. Never assume permissive.

Context

Four questions that change the answer

The same license can be harmless or fatal depending on how you use it. These decide which.

Do you distribute, or only run it internally?
Most copyleft obligations trigger on distribution — handing the software to someone else. Tools you only run in-house rarely trigger them. AGPL is the exception: it counts network access as distribution.
Do you link statically or dynamically?
Weak-copyleft licenses (LGPL) hinge on this. Dynamic linking generally keeps your code separate and proprietary; static linking can fold the library’s obligations into your binary.
Are you offering it as a service?
AGPL and SSPL were written specifically for the SaaS case. A GPL library you’d be safe distributing in a desktop app can still obligate you when it runs behind your API.
Did you modify the dependency?
Shipping an unmodified permissive or weak-copyleft library is the easy path. The moment you fork or patch it, you may owe those changes back — even under otherwise gentle licenses.
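The tier table above and the four context questions fit naturally into a single CI policy check. The following is an added example written for this page, not Parry's own classifier or API: the tier sets are built from the badges shown above, the `assess` function and its `distributed` / `network_service` / `static_link` / `modified` flags are assumed names, and the verdict wording is mine. It also covers the edge cases the page calls out: SPDX `-only` / `-or-later` suffixes, compound `OR` / `AND` / `WITH` expressions (treated as dual/custom, so unknown), Commons Clause riders, and a missing license string (unknown, never permissive).

```python
from dataclasses import dataclass

# Tier sets taken from the badges on this page (hypothetical policy code, not Parry's).
TIERS = {
    "forbidden": {"SSPL-1.0", "BUSL-1.1"},
    "copyleft": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},
    "weak copyleft": {"LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EPL-2.0"},
    "permissive": {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"},
}
FORBIDDEN_PHRASES = ("commons clause", "non-commercial")

@dataclass
class Verdict:
    tier: str
    action: str   # one of: block, review, notice, ok
    reason: str

def classify(spdx):
    """Map a license string to one of the five tiers; anything unmatched is 'unknown'."""
    if not spdx or not spdx.strip():
        return "unknown"                    # no license file: all rights reserved, not permissive
    text = spdx.strip()
    if any(p in text.lower() for p in FORBIDDEN_PHRASES):
        return "forbidden"                  # Commons Clause / non-commercial rider on any base license
    if any(op in text.split() for op in ("AND", "OR", "WITH")):
        return "unknown"                    # dual or compound expression: read the actual terms
    base = text.removesuffix("-only").removesuffix("-or-later").rstrip("+")
    return next((t for t, ids in TIERS.items() if base in ids), "unknown")

def assess(spdx, distributed=False, network_service=False, static_link=False, modified=False):
    """Apply the four context questions to one dependency and say what to do about it."""
    tier = classify(spdx)
    if tier == "forbidden":
        return Verdict(tier, "block", "remove or replace before shipping, or get written legal sign-off")
    if tier == "unknown":
        return Verdict(tier, "review", "read the actual terms; never assume permissive")
    if tier == "copyleft":
        agpl = (spdx or "").strip().startswith("AGPL")     # AGPL also triggers on network use
        if distributed or (agpl and network_service):
            return Verdict(tier, "review", "copyleft triggered: isolate, replace, or open-source the linked work")
        return Verdict(tier, "ok", "run in-house only; no distribution or network trigger")
    if tier == "weak copyleft":
        if modified:
            return Verdict(tier, "review", "publish your edits to the library's own files")
        if distributed and static_link:
            return Verdict(tier, "review", "static linking pulls in more obligations; link dynamically")
        return Verdict(tier, "ok", "dynamic and unmodified: keep it at arm's length")
    return Verdict(tier, "notice", "ship the license text and attribution (NOTICE file for Apache-2.0)")
```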

See your dependency licenses in one pass

Parry classifies every dependency license on each scan and tracks it across pushes, separate from your security findings. Run it on any public repo — no install required.

This guide is general information, not legal advice. License obligations turn on facts specific to your product and distribution — when a copyleft or forbidden license lands on a shipping dependency, confirm the details with counsel.