A software license example is a concrete license text that tells you exactly what you may and may not do with a piece of code, and treating those terms as a security and compliance control — not legal boilerplate to ignore — is what separates teams that ship confidently from teams that discover a copyleft violation during due diligence. License risk does not crash your app, but it can block an acquisition, force a code disclosure, or trigger a breach-of-contract claim, which is why it belongs in the same pipeline as your vulnerability scanning.
Every dependency you pull carries a license, and modern apps carry hundreds of them transitively. You cannot reason about your obligations by reading each one by hand. You need to know the categories, recognize the common examples, and enforce a policy automatically.
The three broad categories
Open source and commercial licenses sort into three buckets, and almost every software license example you will meet fits one of them.
Permissive licenses (MIT, Apache-2.0, BSD-3-Clause) let you use, modify, and redistribute with minimal obligations — usually just preserving the copyright notice. MIT is the canonical permissive example: a few sentences granting broad rights "without restriction" as long as the notice travels with the code.
Copyleft licenses (GPL-2.0, GPL-3.0, AGPL-3.0, LGPL) grant the same rights but attach a reciprocity obligation: derivative works must be released under the same license. AGPL extends that trigger to network use, which is the one that surprises SaaS teams — running AGPL code on a server you expose over a network can obligate you to offer the source. Getting a copyleft obligation wrong is the single most expensive license mistake in practice.
Proprietary licenses restrict rights by default and grant only what the vendor spells out. A proprietary software license example typically forbids redistribution, reverse engineering, and use beyond a named seat count or environment. These are the licenses where the details of the grant matter most, because everything not explicitly permitted is denied.
What a permissive example actually says
Here is the shape of an MIT-style grant, which is worth internalizing because it is everywhere:
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
The obligation is one sentence: keep the notice. That is the whole compliance requirement for MIT. The trap is not the terms; it is forgetting to reproduce the notice when you bundle the dependency.
Reading a proprietary example
A proprietary software license example reads very differently. Instead of a broad grant, you get a narrow one:
Licensor grants Licensee a non-exclusive, non-transferable license to use the
Software solely for Licensee's internal business operations, limited to 50
named users. Licensee shall not distribute, sublicense, reverse engineer, or
create derivative works. This license terminates automatically upon breach.
Every clause here is a constraint you must track: the user cap, the internal-use limit, the anti-reverse-engineering term, and the automatic termination. If you embed a proprietary component in a product you distribute, "internal business operations" is already violated. This is why license classification cannot be a one-time checkbox — it has to follow the component through every context it is used in.
Enforcing license policy at scale
You enforce this with an SBOM (software bill of materials) and a policy engine, not with spreadsheets. Generate an SBOM, attach the resolved SPDX license identifier to every component, and gate builds against an allowlist.
# Generate a CycloneDX SBOM for a Node project
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
# Inspect declared licenses
npx license-checker --summary
The SPDX identifier is the machine-readable key: MIT, Apache-2.0, GPL-3.0-only, AGPL-3.0-or-later. A policy gate can then say "fail the build on any GPL or AGPL component in a distributed artifact" and enforce it on every pull request. An SCA and compliance platform such as Safeguard can attach license data to each component in the SBOM and flag a copyleft dependency that entered transitively, which is exactly where these obligations hide. For the policy side of this — mapping licenses to controls — our compliance material covers the framework mapping.
The transitive trap
The permissive license on your direct dependency tells you nothing about the license three levels down. A permissively licensed library can depend on a GPL one, and that obligation flows up to you. License scanning has to walk the full transitive graph, resolve dual-licensed packages to the option you actually accepted, and handle the "no license declared" case — an unlicensed dependency defaults to all-rights-reserved, which is more restrictive than most people assume.
FAQ
What is the simplest software license example to understand?
MIT. Its entire obligation is preserving the copyright and permission notice when you distribute the software. It grants broad rights to use, modify, and sell with almost no strings attached.
What does a proprietary software license example restrict?
Typically redistribution, reverse engineering, derivative works, and use beyond a defined scope such as a named-user count or internal-only use. Everything not explicitly granted is denied, and breach usually triggers automatic termination.
Why is copyleft the riskiest category?
Because it can obligate you to release your own source code. GPL triggers on distribution and AGPL triggers on network use, so a SaaS product can incur a disclosure obligation just by running AGPL code on a server.
How do I track licenses across all my dependencies?
Generate an SBOM with SPDX license identifiers, run license scanning across the full transitive dependency graph, and enforce an allowlist policy gate in CI so violations fail the build automatically.