Skip to main content

Review License Findings in Your Dependency Inventory

Export a CycloneDX SBOM that records per-component licenses, review the license fields alongside a readable report, and flag copyleft and other obligations for legal review.

Difficulty
Intermediate
Duration
16 minutes
Steps
5

Every dependency carries a license, and some licenses impose obligations you must honor when you ship. A CycloneDX SBOM records component licenses, making it the natural place to review them. This tutorial exports an SBOM and a report, then reviews license findings.

Prerequisites

  • Node.js installed
  • A project with dependencies

Steps

1. Install the CLI

npm i -g @vibgrate/cli

2. Scan the project

vg

The scan inventories your dependencies, capturing the metadata the SBOM records, including licenses where available.

3. Export the SBOM

Export a CycloneDX SBOM, which records license information per component:

vg sbom export --format cyclonedx --out sbom.cdx.json

4. Review license fields

Open sbom.cdx.json and inspect each component's license field. CycloneDX records the declared license per component, letting you scan for permissive licenses, copyleft licenses, and any components with missing or unusual license declarations. Pair this with a readable report:

vg report

5. Flag obligations

Copyleft and other reciprocal licenses can impose distribution obligations. Flag any such components from the SBOM for legal or compliance review before you ship.

Verification

vg sbom export exits 0 and sbom.cdx.json contains license fields for its components. The report provides a readable companion view.

Next Steps

Produce this SBOM in your release pipeline so license posture is captured per version, and archive it as part of your compliance evidence.

Prerequisites

  • Node.js installed
  • A project with dependencies

Steps

  • 1
    Install the CLI
  • 2
    Scan the project
  • 3
    Export the SBOM
  • 4
    Review license fields
  • 5
    Flag obligations

Category

Vibgrate