Enforce SBOM License Completeness
Type: Rule
ID: sbom-require-complete-license-set
Source: v2/rules/sbom/complete-licenses.yaml
Rego Source: complete-licenses.rego
Labels: SBOM, Image
Verify all dependencies in the artifact have a license.
This rule requires Image SBOM. See here for more details.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by product and target.
Usage example
uses: sbom/complete-licenses@v2
Mitigation
Ensures that all dependencies have a complete set of licenses, reducing the risk of legal issues and ensuring compliance with open-source licenses.
Description
This rule inspects the CycloneDX SBOM evidence for the artifact to verify that all dependencies have a complete set of licenses. It performs the following steps:
- Iterates over the dependencies listed in the SBOM.
- Checks each dependency for the presence of a license.
- If a dependency does not have a license, the rule flags it as a violation.
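The check described above, as an added Python illustration (not the rule's own Rego source). It assumes a CycloneDX JSON document and walks the `components` array, since the CycloneDX `dependencies` array carries only bom-ref graph edges and no license data; the sample SBOM is constructed for the example.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (not from the page): four components
# covering the license shapes the check must handle.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbar", "version": "0.9.1",
         "licenses": [{"expression": "Apache-2.0 OR GPL-2.0-only"}]},
        {"type": "library", "name": "libbaz", "version": "3.0.0",
         "licenses": []},
        {"type": "library", "name": "libqux", "version": "2.1.7"},
    ],
})


def has_license(component):
    """True if a CycloneDX component carries at least one usable license entry.

    CycloneDX allows each entry in `licenses` to be either
    {"license": {"id": ...}} / {"license": {"name": ...}} or {"expression": ...};
    an empty list, a missing field, or an entry with none of these counts as missing.
    """
    for entry in component.get("licenses") or []:
        if entry.get("expression"):
            return True
        lic = entry.get("license") or {}
        if lic.get("id") or lic.get("name"):
            return True
    return False


def find_unlicensed(sbom_json):
    """Return 'name@version' for every component lacking a license (rule violations)."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("evidence is not a CycloneDX document")
    return [
        f"{c.get('name', '?')}@{c.get('version', '?')}"
        for c in sbom.get("components", [])
        if not has_license(c)
    ]


if __name__ == "__main__":
    for ref in find_unlicensed(SAMPLE_SBOM):
        print(f"violation: component {ref} has no license")
```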
Evidence Requirements:
- Evidence must be provided in the CycloneDX JSON format.
- The SBOM must include a list of dependencies with their licenses.
Evidence Requirements
| Field | Value |
|---|---|
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |