There are thousands of open source (and not technically “open source”) software licenses in existence. However, you don’t have to keep track of them all. Most commonly used licenses are part of the SPDX Standard License List. These licenses are:
- Widely used or referenced in open source communities
- Clear, documented license text
- Publicly available with no confidentiality constraints
- Approved and cataloged by the SPDX legal team
Each license is assigned a unique, machine-readable identifier (e.g., MIT, GPL-2.0-only, Apache-2.0), which is recognized by SCA tools, SBOM generators, package managers, and legal automation systems. Using SPDX standard license identifiers improves automation in SCA, SBOMs, CI/CD checks, and legal tools, and reduces ambiguity (e.g., “MIT” vs. “Expat” vs. “MIT License (X11)”)You can always browse the canonical list at SPDX License List.
SPDX License Reference Chart
- Permissive Licenses allow modification, distribution, and use with minimal requirements (e.g., attribution). These are ideal for commercial or proprietary use cases.
- Weak Copyleft Licenses require sharing changes under the same license, but often only for modified files or libraries, not the entire application.
- Strong Copyleft Licenses require any derivative or combined works to be licensed under the same terms. They’re not suitable for proprietary or embedded products without exception strategies.
- Other/Uncommon Licenses are SPDX-recognized but require specific legal review, especially for legacy code or niche ecosystems.
See the reference chart below. It organizes key open source licenses by type, their SPDX identifiers, and engineering-relevant notes to help you quickly assess compatibility, obligations, and use-case suitability.
| License Type | SPDX Identifier | License Name | Engineering Notes |
|---|---|---|---|
| Permissive | MIT | MIT License | Highly permissive, widely accepted |
| Permissive | Apache-2.0 | Apache License 2.0 | Permissive with patent grant; business-friendly |
| Permissive | BSD-3-Clause | BSD 3-Clause License | Adds non-endorsement clause; MIT alternative |
| Permissive | ISC | ISC License | Minimalist, MIT-like; often in networking tools |
| Weak Copyleft | LGPL-2.1-only | GNU Lesser GPL v2.1 | Allows linking with proprietary code; watch for modifications |
| Weak Copyleft | LGPL-3.0-only | GNU Lesser GPL v3.0 | Adds stronger copyleft and anti-Tivoization |
| Weak Copyleft | MPL-2.0 | Mozilla Public License 2.0 | Copyleft at file level; flexible for enterprise |
| Weak Copyleft | CDDL-1.0 | Common Development and Distribution License | Similar to MPL, used in Sun/Oracle projects |
| Weak Copyleft | EPL-2.0 | Eclipse Public License 2.0 | Java ecosystem-friendly; controlled sharing |
| Strong Copyleft | GPL-2.0-only | GNU General Public License v2.0 | Strong copyleft; not compatible with Apache 2.0 |
| Strong Copyleft | GPL-3.0-only | GNU General Public License v3.0 | Stronger copyleft with patent protections |
| Strong Copyleft | AGPL-3.0-only | GNU Affero General Public License v3.0 | Triggers source release over network use (SaaS caution) |
| Public Domain | Unlicense | The Unlicense | Public domain equivalent; check regional enforceability |
| Public Domain | CC0-1.0 | Creative Commons Zero v1.0 | No copyright claims; useful for data/code artifacts |
| Other | Artistic-1.0 | Artistic License v1.0 | Used in Perl; vague clauses, requires legal review |
