Every dependency you ship comes with a license, and those licenses carry obligations. This article explains how license information shows up in your Vibgrate SBOM and how to use it to keep your project compliant. It is written for developers and the legal or compliance stakeholders who review their work.
Why licenses matter
Open-source licenses range from permissive (do almost anything) to copyleft (share-alike obligations) to restrictive terms that may be incompatible with commercial distribution. Shipping a dependency whose license conflicts with your distribution model is a real legal risk — and one that is easy to miss when a transitive dependency sneaks in.
Where licenses appear in the SBOM
When Vibgrate exports an SBOM, each component carries its license where the information is available. In CycloneDX output, license data is attached to each component entry; SPDX similarly records license expressions per package. This means a single export gives you a license inventory for your whole dependency graph.
Export the inventory like this:
vg sbom export --format cyclonedx --out sbom.cdx.json
For a procurement or legal process that expects SPDX, export that format instead:
vg sbom export --format spdx --out sbom.spdx.json
Turning the SBOM into a license review
With the SBOM in hand you can:
- Feed it into a license-policy tool that flags disallowed or unknown licenses.
- Build an allowlist of acceptable licenses and review anything outside it.
- Keep the SBOM as evidence that you reviewed licenses at release time.
Handling unknown licenses
Some components do not declare a license cleanly, and these will show as unknown or missing. Treat unknowns as items to investigate rather than ignore — an undeclared license is not the same as a permissive one.
Keeping it current
License exposure changes whenever your dependency graph changes. Re-export the SBOM as part of your release process so your license review always reflects what you actually ship. Teams that push scans to Vibgrate Cloud also get a longer-term view of how their dependency set evolves.
Troubleshooting
- Missing licenses for many packages? Ensure dependencies are fully installed before export so metadata is available.
- Need a specific format for legal? Confirm whether they expect SPDX or CycloneDX and export accordingly.
Related
- "SBOM Formats Supported by Vibgrate CLI" explains CycloneDX vs SPDX.
- "SBOM for Compliance and Audit Evidence" covers retention.
- See the Supply Chain Inventory documentation for governance use.