Including License Information in SBOM

[andyates]

Select Topic Area

Product Feedback

Body

Is there a way to include package License Information in GitHub's exported SBOM? When I go to Insights -> Dependency graph and click the Export SBOM button the resulting file does not include the license information on the dependent packages even though in almost all cases the packages are hosted on GitHub and have their license set.

[joaoprbrasil]

Yes, including package license information in an exported Software Bill of Materials (SBOM) is an important aspect of software supply chain management and compliance. A Software Bill of Materials is a comprehensive list of components and dependencies used in a software project, and it often includes license information to ensure that the software's use complies with the licenses of its components.

To include package license information in an exported SBOM, you can follow these steps:

Component Identification: Identify all the third-party components, libraries, and dependencies used in your software project.

License Attribution: For each component, determine its associated license(s). This information is typically found in the component's documentation, metadata, or licensing files (e.g., LICENSE.txt).

Documenting in SBOM: When generating the SBOM, make sure to include a section or field that clearly lists the components along with their corresponding licenses. The exact format may depend on the SBOM standard you're using (e.g., SPDX, CycloneDX). These standards provide specific fields for capturing license information.

License Text: Some SBOM standards allow you to include the full text of the licenses directly in the SBOM or provide references to the licenses' locations. Including the full license text can help ensure compliance and provide clarity to downstream users.

License Compliance Tools: Consider using tools or automation scripts that can analyze your project's dependencies and generate an SBOM with accurate and up-to-date license information. There are tools that can scan your project's dependencies, detect licenses, and generate SPDX-compliant SBOMs.

Updating SBOM: Regularly update the SBOM as your software evolves and new dependencies are introduced. This helps maintain an accurate and current record of your software's components and licenses.

Distribution and Sharing: If you're distributing your software, provide the SBOM alongside the software package. This transparency helps users and downstream developers understand the software's composition and adhere to licensing requirements.

Licensing Policies: Establish internal policies regarding the types of licenses your project can use, including acceptable licenses, license compatibility, and any additional requirements. This can help you make informed decisions about which components to include in your project.

Review Legal Counsel: If you have concerns about licensing or compliance, it's advisable to consult legal counsel with expertise in software licensing.

Remember that different SBOM standards might have varying fields and structures for capturing license information, so it's important to familiarize yourself with the specific standard you're using. Additionally, staying aware of updates and changes to software licensing and compliance best practices is crucial for maintaining a healthy and compliant software supply chain.

[andyates]

I updated my question to be a little more specific. I was asking specifically about the Export SBOM feature in GitHub.

[andyates]

I updated my question to be a little more specific. I was asking specifically about the Export SBOM feature in GitHub.

[Pizza-Ria]

Adding an upvote - I would like to see the licensing info in all the pacakges when I export the SBOM too. Bonus points if you could include the copyright info!