Review License Findings in Your Dependency Inventory
Export a CycloneDX SBOM that records per-component licenses, review the license fields alongside a readable report, and flag copyleft and other obligations for legal review.
Every dependency carries a license, and some licenses impose obligations you must honor when you ship. A CycloneDX SBOM records component licenses, making it the natural place to review them. This tutorial exports an SBOM and a report, then reviews license findings.
Prerequisites
- Node.js installed
- A project with dependencies
Steps
1. Install the CLI
npm i -g @vibgrate/cli
2. Scan the project
vg
The scan inventories your dependencies, capturing the metadata the SBOM records, including licenses where available.
3. Export the SBOM
Export a CycloneDX SBOM, which records license information per component:
vg sbom export --format cyclonedx --out sbom.cdx.json
4. Review license fields
Open sbom.cdx.json and inspect each component's license field. CycloneDX records the declared license per component, letting you scan for permissive licenses, copyleft licenses, and any components with missing or unusual license declarations. Pair this with a readable report:
vg report
5. Flag obligations
Copyleft and other reciprocal licenses can impose distribution obligations. Flag any such components from the SBOM for legal or compliance review before you ship.
Verification
vg sbom export exits 0 and sbom.cdx.json contains license fields for its components. The report provides a readable companion view.
Next Steps
Produce this SBOM in your release pipeline so license posture is captured per version, and archive it as part of your compliance evidence.