# SBOM & License Compliance

The SBOM (Software Bill of Materials) feature provides a complete inventory of all dependencies across your repositories, with vulnerability tracking and license compliance analysis.

The SBOM page has three tabs: **Packages**, **License Compliance**, and **Compare**.

## Packages Tab

The packages tab lists all dependencies discovered during scans.

### Filtering

Use the filter bar to narrow results:

- **Repository** — Select a specific repository or view all
- **Package Manager** — npm, cargo, pip, go, maven, nuget, composer, gem
- **Search** — Filter by package name
- **Vulnerabilities** — Show all packages, only those with vulnerabilities, or only clean packages
- **License** — Filter by specific license (MIT, Apache-2.0, BSD-3-Clause, GPL-3.0, etc.)

### Package Details

Each package row shows:

| Column | Description |
|--------|-------------|
| Package | Package name |
| Version | Installed version |
| Manager | Package manager (npm, cargo, pip, etc.) |
| License | License identifier with color-coded badge |
| Vulnerabilities | Count of known vulnerabilities (click to expand) |

### Vulnerability Details

Click the vulnerability count to expand inline details showing:

- Vulnerability ID (e.g. CVE-2024-1234)
- Source database
- Severity level
- Link to the advisory

### Export

Export your SBOM in industry-standard formats:

1. Select a format:
   - **CycloneDX 1.5** — JSON format widely supported by security tools
   - **SPDX 2.3** — Linux Foundation standard for license compliance
2. Click **Export**
3. The SBOM downloads as a JSON file

::: tip
SBOM exports are useful for compliance audits, customer security questionnaires, and supply chain transparency requirements.
:::

## License Compliance Tab

The license compliance tab helps you understand your licensing obligations.
### Copyleft Warning

If any dependencies use copyleft licenses (GPL, AGPL, LGPL, MPL), a warning banner appears listing the affected packages and noting that they may impose distribution requirements.

### License Distribution

A horizontal bar chart visualizes the percentage breakdown of licenses across your dependencies.

### License Table

A detailed table lists every license found, with:

| Column | Description |
|--------|-------------|
| License | License identifier |
| Type | **Copyleft** or **Permissive** badge |
| Packages | List of packages using this license |
| Count | Number of packages |

**Copyleft licenses** (flagged as potentially restrictive):

- GPL-2.0, GPL-3.0
- AGPL-3.0
- LGPL-2.1, LGPL-3.0
- MPL-2.0

**Permissive licenses** (generally safe for commercial use):

- MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, etc.

## Compare Tab

Compare the dependency profiles of two repositories side by side.

1. Select **Repository A** from the first dropdown
2. Select **Repository B** from the second dropdown
3. View the diff results:

| Section | Description |
|---------|-------------|
| **Only in A** | Packages present in repo A but not in repo B |
| **Only in B** | Packages present in repo B but not in repo A |
| **Version Diffs** | Same package, different versions between repos |
| **Common** | Count of packages that match exactly |

This is useful for:

- Auditing consistency across microservices
- Identifying dependency drift between environments
- Planning dependency upgrades across projects
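As an added example (not part of the product or this page), the script below reproduces the Compare tab's four sections and the copyleft warning from two exported CycloneDX 1.5 documents. Both documents are constructed inline for illustration; the package names and versions are sample data, and the copyleft/permissive sets are the lists given above.

```python
import json

# SPDX identifiers exactly as listed in the License Compliance tab above.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def license_type(spdx_id):
    """Badge shown in the License table: Copyleft, Permissive, or Unknown."""
    if spdx_id in COPYLEFT:
        return "Copyleft"
    if spdx_id in PERMISSIVE:
        return "Permissive"
    return "Unknown"


def components(sbom):
    """Map package name -> (version, license id) from a CycloneDX JSON document."""
    out = {}
    for c in sbom.get("components", []):
        lic = (c.get("licenses") or [{}])[0].get("license", {}).get("id", "NOASSERTION")
        out[c["name"]] = (c["version"], lic)
    return out


def compare(sbom_a, sbom_b):
    """Compute Only in A, Only in B, Version Diffs and Common for two SBOMs."""
    a, b = components(sbom_a), components(sbom_b)
    shared = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "version_diffs": {n: (a[n][0], b[n][0]) for n in shared if a[n][0] != b[n][0]},
        "common": sum(1 for n in shared if a[n][0] == b[n][0]),
    }


def copyleft_packages(sbom):
    """Packages that would appear in the copyleft warning banner."""
    return sorted(n for n, (_, lic) in components(sbom).items() if license_type(lic) == "Copyleft")


# Constructed sample exports in CycloneDX 1.5 shape (not real scan output).
SBOM_A = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "express", "version": "4.18.2", "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "lodash", "version": "4.17.20", "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "sample-copyleft-lib", "version": "1.0.0", "licenses": [{"license": {"id": "GPL-3.0"}}]}]}""")
SBOM_B = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "express", "version": "4.19.2", "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "lodash", "version": "4.17.20", "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "axios", "version": "1.6.0", "licenses": [{"license": {"id": "MIT"}}]}]}""")

if __name__ == "__main__":
    print(json.dumps(compare(SBOM_A, SBOM_B), indent=2))
    print("Copyleft in A:", copyleft_packages(SBOM_A))
```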