License Compliance Management

Overview

License compliance is crucial for organizations using open-source software. Failure to comply with license terms can result in legal consequences, financial penalties, and reputational damage. SBOM Observer helps you automatically track licenses across all components and enforce compliance policies.

The Challenge with License Management

Modern applications typically contain:

• GPL and copyleft licenses - Requiring you to disclose source code
• Permissive licenses (MIT, Apache 2.0) - More flexible but still require attribution
• Proprietary licenses - Specific terms and conditions to follow
• Unknown licenses - Components with unclear or undocumented licensing

Without proper tracking, you risk:

• Using incompatible license combinations
• Violating open-source terms
• Exposing proprietary code inadvertently
• Facing audit failures and legal disputes

Getting Started with SBOM Observer

1. Collect SBOMs with License Information

Generate SBOMs that include license data:

# Generate a CycloneDX SBOM (license metadata is captured automatically)
observer fs -o sbom.json .

See /getting-started/observer-cli for full setup instructions. SBOMs from vendors already contain license information—upload them to establish your complete inventory.

2. Review Your License Inventory

SBOM Observer shows you:

• All licenses in your software stack
• License categories (copyleft, permissive, proprietary)
• Problematic combinations that conflict or create obligations
• Missing license information for components

3. Define License Policies

Create policies based on your organization's distribution model and risk tolerance:

Policy Example: License Compatibility
ALLOWED:
  - MIT
  - Apache 2.0
  - BSD
  - ISC

RESTRICTED:
  - GPL (review required)
  - AGPL (not allowed)
  - SSPL (evaluation only)

PROHIBITED:
  - Unknown licenses
  - Custom proprietary licenses

4. Enforce Compliance

In SBOM Observer:

• Policies automatically flag license violations
• Your dashboard shows all components with license issues
• Receive alerts when new components violate policies

In Your CI/CD Pipeline:

• Break builds when policy violations are detected
• Prevent merging code with unlicensed dependencies
• Enforce reviews for restricted licenses

# Break build on license policy violations
observer fs -o sbom.json .
observer upload sbom.json
observer analyze sbom.json --fail

5. Monitor License Violations & Attribution Needs

SBOM Observer centralizes license metadata and highlights policy violations, helping you:

• Track all open-source components and their declared licenses
• Maintain audit trails of license reviews and approvals
• Export SBOMs or component lists for attribution documents when needed

Note: SBOM Observer does not yet auto-generate license attribution documents. Use the exports described in /how-to/share-sboms to assemble attribution packages that meet your organization's requirements.

Common License Policies

For SaaS Applications

• ✅ MIT, Apache 2.0, BSD, ISC permitted
• ⚠️ GPL requires careful review (you don't have to distribute)
• ❌ AGPL prohibited (requires exposing your code)

For Distributed Software

• ✅ MIT, Apache 2.0, BSD permitted
• ⚠️ GPL acceptable if distributed under GPL
• ❌ AGPL and SSPL typically prohibited

For Libraries

• ✅ MIT, Apache 2.0, BSD, ISC permitted
• ⚠️ GPL requires licensing your library under GPL
• ❌ AGPL typically prohibited

Best Practices

✅ Do:

• Review licenses for all new dependencies
• Update policies annually as licensing landscape evolves
• Train your team on license categories and requirements
• Maintain clear records of license reviews
• Request SBOMs from all software vendors
• Use policy violations as learning opportunities

❌ Don't:

• Ignore license policy violations
• Add dependencies without license review
• Skip tracking open-source components
• Assume "free software" means "license-free"
• Let compliance issues accumulate

Integration Examples

Preventing GPL from entering your codebase

• Create a "No Copyleft in SaaS" policy in SBOM Observer (see /how-to/write-policies)
• Run observer analyze sbom.json --fail in CI/CD to block merges when the policy triggers

Documenting your open-source usage

• Use SBOM Observer's license dashboard to filter by team or release
• Export the filtered SBOM via /how-to/share-sboms and include it in your compliance package

Next Steps

1. Upload your first SBOM
2. Write your license policies
3. Integrate with CI/CD
4. Generate compliance reports

Additional Resources

• Wikipedia: Comparison of free and open-source software licenses
• SPDX License List
• Open Source Initiative