Discover Dependency License Information Using SBOMs and ClearlyDefined

H.2213 | Day 2 | 11:40 - 12:00 | Speakers: Jeff Mendoza

(Placeholder image: a devroom at FOSDEM 2024)

Notes

Abstract

SBOM specifications provide comprehensive capabilities for expressing license and legal information. However, SBOM generators often leave information missing or incomplete. Compounding this, package authors sometimes fail to clearly describe the license of their package or omit license information for included and vendored files.

ClearlyDefined is a community-curated repository of discovered license information for software packages. Its data is generated by deep scanning tools, such as ScanCode, which uncover legal information that may not be explicitly declared.

This session explores new SBOM tooling, built using Protobom, that queries licenses, produces NOTICE files, augments and outputs new SBOMs, all using high-fidelity legal information from ClearlyDefined.
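The workflow the abstract describes, as an added example that is not the speaker's Protobom-based tool and is written in Python rather than Go: walk the packages of an SPDX 2.3 JSON SBOM, translate each package's purl into ClearlyDefined coordinates (type/provider/namespace/name/revision, with "-" for an empty namespace), fetch the definition, fill in a missing licenseConcluded from the declared license, record any scanner-discovered licenses the declaration does not cover, and emit a NOTICE file from the attribution parties. The ClearlyDefined definitions are constructed stand-ins looked up from a dict so the example runs offline; in practice that dict is replaced by GET https://api.clearlydefined.io/definitions/<coordinates>. The sample SBOM, the response contents and the purl-type mapping table are assumptions made for this example, and only npm, pypi and maven purl types are mapped.

```python
# Added example, not the talk's tool: augment an SPDX JSON SBOM with ClearlyDefined data.
import json
import re
from urllib.parse import unquote

# purl type -> (ClearlyDefined type, provider). Assumed mapping for this example;
# types not listed are reported as unresolvable rather than guessed.
PURL_TO_CD = {"npm": ("npm", "npmjs"), "pypi": ("pypi", "pypi"), "maven": ("maven", "mavencentral")}

_PURL = re.compile(r"^pkg:(?P<type>[a-z0-9.+-]+)/(?:(?P<ns>[^@?#]+)/)?(?P<name>[^/@?#]+)@(?P<version>[^?#]+)")


def purl_to_coordinates(purl: str) -> str:
    """pkg:npm/%40types/node@18.0.0 -> npm/npmjs/@types/node/18.0.0 ('-' marks no namespace)."""
    m = _PURL.match(purl)
    if not m or m["type"] not in PURL_TO_CD:
        raise ValueError(f"cannot map purl to ClearlyDefined coordinates: {purl}")
    cd_type, provider = PURL_TO_CD[m["type"]]
    ns = unquote(m["ns"]) if m["ns"] else "-"
    return f"{cd_type}/{provider}/{ns}/{unquote(m['name'])}/{unquote(m['version'])}"


# Constructed stand-ins for the definitions API response; only the fields consumed below.
FAKE_DEFINITIONS = {
    "npm/npmjs/-/lodash/4.17.21": {"licensed": {"declared": "MIT", "facets": {"core": {
        "attribution": {"parties": ["Copyright OpenJS Foundation and other contributors"]},
        "discovered": {"expressions": ["MIT", "CC0-1.0"]}}}}},
    "pypi/pypi/-/requests/2.31.0": {"licensed": {"declared": "Apache-2.0", "facets": {"core": {
        "attribution": {"parties": ["Copyright Kenneth Reitz"]},
        "discovered": {"expressions": ["Apache-2.0"]}}}}},
}


def licensed_facts(definition: dict) -> dict:
    """Pull declared license, scanner-discovered expressions and copyright parties out of a definition."""
    licensed = definition.get("licensed", {})
    core = licensed.get("facets", {}).get("core", {})
    return {
        "declared": licensed.get("declared") or "NOASSERTION",
        "discovered": list(core.get("discovered", {}).get("expressions", [])),
        "parties": list(core.get("attribution", {}).get("parties", [])),
    }


def package_purl(pkg: dict):
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def augment_sbom(sbom: dict, definitions: dict = FAKE_DEFINITIONS):
    """Return (augmented copy of the SPDX document, NOTICE text). The input is not modified."""
    out = json.loads(json.dumps(sbom))
    notice = []
    for pkg in out.get("packages", []):
        purl = package_purl(pkg)
        if purl is None:
            continue
        try:
            definition = definitions.get(purl_to_coordinates(purl))
        except ValueError:
            definition = None
        if definition is None:
            continue  # not mappable or not harvested by ClearlyDefined: leave NOASSERTION alone
        facts = licensed_facts(definition)
        if pkg.get("licenseConcluded", "NOASSERTION") == "NOASSERTION":
            pkg["licenseConcluded"] = facts["declared"]
        extra = sorted(set(facts["discovered"]) - {facts["declared"]})
        if extra:  # vendored or mis-declared files carry licenses the declaration omits
            pkg["licenseComments"] = "ClearlyDefined discovered additional licenses: " + ", ".join(extra)
        notice.append(f"{pkg['name']} {pkg.get('versionInfo', '')}".strip())
        notice.append(f"License: {pkg['licenseConcluded']}")
        notice.extend(facts["parties"])
        notice.append("")
    return out, "\n".join(notice)


def _pkg(spdx_id, name, version, purl):
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version, "downloadLocation": "NOASSERTION",
            "licenseConcluded": "NOASSERTION",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": purl}]}


# Constructed SBOM as an SBOM generator might emit it: licenses left as NOASSERTION.
SAMPLE_SBOM = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
               "packages": [_pkg("SPDXRef-lodash", "lodash", "4.17.21", "pkg:npm/lodash@4.17.21"),
                            _pkg("SPDXRef-requests", "requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
                            _pkg("SPDXRef-internal", "internal-lib", "0.1", "pkg:npm/internal-lib@0.1")]}

if __name__ == "__main__":
    doc, notice_text = augment_sbom(SAMPLE_SBOM)
    print(json.dumps(doc, indent=2))
    print(notice_text)
```

A package with no ClearlyDefined definition (internal-lib above) keeps its NOASSERTION rather than receiving a guessed license, and a declared license that disagrees with what the scanner found is surfaced in licenseComments instead of being silently overwritten, since both are things a reviewer needs to see rather than have the tool decide.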

Attachments

Speakers

Jeff Mendoza

Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found here. Changes made to the image: it was cropped to a new aspect ratio, so part of the original is cut off.