Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #4
# SBOM & License Compliance
The SBOM (Software Bill of Materials) feature provides a complete inventory of all dependencies across your repositories, with vulnerability tracking and license compliance analysis.
The SBOM page has three tabs: Packages, License Compliance, and Compare.
## Packages Tab
The Packages tab lists all dependencies discovered during scans.
### Filtering
Use the filter bar to narrow results:
- Repository — Select a specific repository or view all
- Package Manager — npm, cargo, pip, go, maven, nuget, composer, gem
- Search — Filter by package name
- Vulnerabilities — Show all packages, only those with vulnerabilities, or only clean packages
- License — Filter by specific license (MIT, Apache-2.0, BSD-3-Clause, GPL-3.0, etc.)
### Package Details
Each package row shows:
| Column | Description |
|---|---|
| Package | Package name |
| Version | Installed version |
| Manager | Package manager (npm, cargo, pip, etc.) |
| License | License identifier with color-coded badge |
| Vulnerabilities | Count of known vulnerabilities (click to expand) |
### Vulnerability Details
Click the vulnerability count to expand inline details showing:
- Vulnerability ID (e.g. CVE-2024-1234)
- Source database
- Severity level
- Link to the advisory
### Export
Export your SBOM in industry-standard formats:
1. Select a format:
   - CycloneDX 1.5 — JSON format widely supported by security tools
   - SPDX 2.3 — Linux Foundation standard for license compliance
2. Click Export
3. The SBOM downloads as a JSON file

::: tip
SBOM exports are useful for compliance audits, customer security questionnaires, and supply chain transparency requirements.
:::
## License Compliance Tab
The License Compliance tab helps you understand your licensing obligations.
### Copyleft Warning
If any dependencies use copyleft licenses (GPL, AGPL, LGPL, MPL), a warning banner appears listing the affected packages and noting that they may impose distribution requirements.
### License Distribution
A horizontal bar chart visualizes the percentage breakdown of licenses across your dependencies.
### License Table
A detailed table lists every license found, with:
| Column | Description |
|---|---|
| License | License identifier |
| Type | Copyleft or Permissive badge |
| Packages | List of packages using this license |
| Count | Number of packages |
Copyleft licenses (flagged as potentially restrictive):
- GPL-2.0, GPL-3.0
- AGPL-3.0
- LGPL-2.1, LGPL-3.0
- MPL-2.0
Permissive licenses (generally safe for commercial use):
- MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, etc.
## Compare Tab
Compare the dependency profiles of two repositories side by side.
1. Select Repository A from the first dropdown
2. Select Repository B from the second dropdown
3. View the diff results:
| Section | Description |
|---|---|
| Only in A | Packages present in repo A but not in repo B |
| Only in B | Packages present in repo B but not in repo A |
| Version Diffs | Same package, different versions between repos |
| Common | Count of packages that match exactly |
This is useful for:
- Auditing consistency across microservices
- Identifying dependency drift between environments
- Planning dependency upgrades across projects
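As an added example (not part of this documentation or the product's own code), the following Python reproduces two of the checks described on this page against CycloneDX 1.5 exports: the copyleft warning from the License Compliance tab and the four sections of the Compare tab. The two SBOM documents, package names and versions are constructed sample data; the copyleft set is the list given above.

```python
import json

# Copyleft identifiers as listed on the License Compliance tab.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0"}


def _component(name, version, manager, license_id):
    """Build one CycloneDX 1.5 component entry (constructed sample data)."""
    return {"type": "library", "name": name, "version": version,
            "purl": f"pkg:{manager}/{name}@{version}",
            "licenses": [{"license": {"id": license_id}}]}


# Constructed CycloneDX 1.5 exports for two hypothetical repositories, A and B.
SBOM_A = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    _component("lodash", "4.17.21", "npm", "MIT"),
    _component("express", "4.18.2", "npm", "MIT"),
    _component("readline", "8.1", "generic", "GPL-3.0")]})
SBOM_B = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    _component("lodash", "4.17.20", "npm", "MIT"),
    _component("express", "4.18.2", "npm", "MIT"),
    _component("axios", "1.6.0", "npm", "MIT")]})


def components(sbom_json):
    """Map (manager, name) -> (version, [license ids]) from a CycloneDX 1.5 document."""
    out = {}
    for c in json.loads(sbom_json).get("components", []):
        purl = c.get("purl", "")
        # The purl type ("pkg:npm/...") identifies the package manager.
        manager = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"
        ids = [lic["license"]["id"] for lic in c.get("licenses", [])
               if "id" in lic.get("license", {})]
        out[(manager, c["name"])] = (c.get("version", ""), ids)
    return out


def copyleft_packages(comps):
    """Packages that would trigger the copyleft warning banner."""
    return sorted(name for (_, name), (_, ids) in comps.items() if COPYLEFT & set(ids))


def compare(a, b):
    """Reproduce the Compare tab's four sections for two component maps."""
    shared = a.keys() & b.keys()
    return {
        "only_in_a": sorted(name for _, name in a.keys() - b.keys()),
        "only_in_b": sorted(name for _, name in b.keys() - a.keys()),
        "version_diffs": {k[1]: (a[k][0], b[k][0]) for k in shared if a[k][0] != b[k][0]},
        "common": sum(1 for k in shared if a[k][0] == b[k][0]),
    }
```

Running `compare(components(SBOM_A), components(SBOM_B))` on the sample data reports `readline` only in A, `axios` only in B, a version diff for `lodash`, and one exact match; `copyleft_packages` flags `readline` in A.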