Require Specified SBOM Licenses
Type: Rule
ID: sbom-hf-license
Source: v2/rules/sbom/verify-huggingface-license.yaml
Rego Source: verify-hf-license.rego
Labels: SBOM, Image
Verify the artifact includes all specified licenses.
This rule requires Image SBOM. See here for more details.
Ensure that the SBOM includes all specified licenses to meet compliance requirements. This rule accesses the Hugging Face API to validate the licenses.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by product and target.
Usage example
uses: sbom/verify-huggingface-license@v2
with:
licenses:
- "MIT"
- "Apache-2.0"
Mitigation
Ensures that all specified licenses are included in the SBOM, reducing the risk of legal issues and ensuring compliance with open-source licenses.
Description
This rule verifies that the artifact includes all specified licenses. It performs the following steps:
- Iterates over the dependencies listed in the SBOM.
- Checks each dependency for the presence of the specified licenses in the
with.licensesconfiguration.- If a specified license is missing, the rule flags it as a violation.
- Accesses the Hugging Face API to validate the licenses.
Evidence Requirements:
- Evidence must be provided in the CycloneDX JSON format.
- The SBOM must include a list of dependencies with their licenses.
Evidence Requirements
| Field | Value |
|---|---|
| filter-by | ['product', 'target'] |
| signed | False |
| content_body_type | cyclonedx-json |
| target_type | container |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| licenses | array | True | A list of specified licenses. |