Case study: enhancing SBOMs with cdsbom at the Linux Foundation

Authors: Jeff Mendoza and Gary O’Neall

Open Source licensing is a cornerstone of modern software development, enabling organizations to accelerate innovation by reusing existing components. However, accurately capturing licensing details in SBOMs (Software Bill of Materials) at scale is often challenging. Incomplete or inconsistent license data can lead to compliance risks, particularly when dealing with obligations such as attribution or source code distribution.

ClearlyDefined, a project of the Open Source Initiative (OSI), helps address this issue by enabling organizations to easily enrich SBOMs with comprehensive software licensing data. Organizations can also contribute back any missing or wrongly identified licensing data, helping to crowdsource an accurate database for the benefit of all.

In this article, we’ll present cdsbom, a tool to enhance SBOMs with ClearlyDefined’s licensing metadata. We’ll also showcase Linux Foundation’s use of ClearlyDefined and cdsbom. This integration helps Linux Foundation projects to gain deeper insights into their software supply chains, enabling more effective risk management and compliance tracking.

Installing cdsbom

cdsbom is a tool developed by Jeff Mendoza that helps enrich SBOMs with detailed licensing metadata, making it easier to understand and manage Open Source components in your projects. The installation is pretty straightforward:

Installing:

go install github.com/jeffmendoza/cdsbom@latest

Make sure $GOBIN is in your PATH.

$GOBIN defaults to $GOPATH/bin.

$GOPATH defaults to $HOME/go on Unix and %USERPROFILE%\go on Windows.

Using:

cdsbom -out enhanced-sbom.json input-sbom.json

This reads input-sbom.json and queries ClearlyDefined for license information. The license fields in the SBOM are replaced with the license data returned from ClearlyDefined, and a new SBOM is written to enhanced-sbom.json with the updated fields, in the same format as the input SBOM.

The supported formats are the same as those of Protobom. This project is possible thanks to Protobom for SBOM parsing and GUAC sw-id-core for converting PURLs to ClearlyDefined coordinates.
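To make the two steps above concrete, here is an added Go sketch (not cdsbom's own code) that converts a package's PURL into ClearlyDefined coordinates and replaces the declared license with ClearlyDefined's answer, with a small request cache of the kind the case study mentions as future work. The Package type, the four-ecosystem mapping, the lookup callback and the sample PURLs are assumptions made for this example; a real run would call the ClearlyDefined definitions API over HTTP.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type Package struct{ Name, Purl, LicenseDeclared string } // the SPDX fields enrichment touches
// Assumed PURL type -> ClearlyDefined (type, provider) pairs; cdsbom uses GUAC sw-id-core instead.
var providers = map[string][2]string{"npm": {"npm", "npmjs"},
	"maven": {"maven", "mavencentral"}, "pypi": {"pypi", "pypi"}, "golang": {"go", "golang"}}
// PurlToCoordinates maps pkg:type/namespace/name@version to type/provider/namespace/name/revision.
func PurlToCoordinates(purl string) (string, error) {
	rest, isPurl := strings.CutPrefix(purl, "pkg:")
	path, version, _ := strings.Cut(rest, "@")
	parts := strings.Split(path, "/")
	tp, known := providers[parts[0]]
	if !isPurl || version == "" || !known || len(parts) < 2 {
		return "", fmt.Errorf("unsupported purl %q", purl)
	}
	ns, name := "-", parts[len(parts)-1] // "-" marks an empty namespace
	if len(parts) > 2 { // Go module paths keep "/" in the namespace, so escape it
		ns = url.PathEscape(strings.Join(parts[1:len(parts)-1], "/"))
	}
	return fmt.Sprintf("%s/%s/%s/%s/%s", tp[0], tp[1], ns, name, version), nil
}

// Enrich rewrites each declared license from ClearlyDefined (lookup stands in for
// GET /definitions/{coordinates}), caching answers so repeated dependencies cost one request.
func Enrich(pkgs []Package, lookup func(coord string) (string, error)) (int, error) {
	cache, requests := map[string]string{}, 0
	for i := range pkgs {
		if coord, err := PurlToCoordinates(pkgs[i].Purl); err == nil { // unsupported: keep scanner's value
			lic, hit := cache[coord]
			if !hit {
				if lic, err = lookup(coord); err != nil {
					return requests, err
				}
				cache[coord], requests = lic, requests+1
			}
			if lic != "" && lic != "NOASSERTION" { // only overwrite with a real answer
				pkgs[i].LicenseDeclared = lic
			}
		}
	}
	return requests, nil
}

func main() { fmt.Println(PurlToCoordinates("pkg:golang/github.com/google/uuid@v1.6.0")) }
```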

Case Study: Linux Foundation

The Linux Foundation provides key projects with SPDX SBOMs and license analysis based on scanning source files and source project metadata (“Source” SBOMs). A tool chain of Open Source tools, orchestrated by the scaffold tool, generates the final SBOM files.

We recently added cdsbom to the tool chain to enrich the license metadata. The integration was very straightforward thanks to the support for standard SBOM formats – especially SPDX, which scaffold uses. The result is much higher quality license information.

After working through a few minor issues, cdsbom is now in regular use at the Linux Foundation, which hosts over 1,200 projects. While we don’t scan them all, we audit several hundred projects to ensure proper license compliance. This means when someone uses our code, they can trust it follows the stated Open Source license.

Going forward, we’re looking into improving cdsbom performance by caching the license data, since some SBOMs can be quite large and license data is typically requested multiple times for the same project dependencies.

Final considerations

Accurate and reliable licensing information is essential for ensuring compliance and mitigating legal risks in Open Source software adoption. By enriching SBOMs using ClearlyDefined, organizations gain a more complete and precise view of the licenses governing their dependencies, reducing the likelihood of unintended license violations. This not only strengthens compliance efforts but also fosters greater confidence in using Open Source at scale.

ClearlyDefined creates a shared resource that benefits the entire ecosystem. Users of ClearlyDefined’s data can also contribute back by identifying and correcting gaps in licensing information. This collaborative approach helps build a more accurate and up-to-date crowdsourced database, ensuring that the broader Open Source community—including maintainers, enterprises, and compliance teams—has access to high-quality software license data.

Resources

To learn more about cdsbom, ClearlyDefined, and SBOMs at the Linux Foundation, please check these video recordings:

Discover Dependency License Information Using SBOMs and ClearlyDefined – Jeff Mendoza (presented at FOSDEM 2025).

Using SBOMs for Linux Foundation Projects – Jeff Shapiro & Gary O’Neall (presented at the Open Source Summit NA 2025).

Authors

Jeff Mendoza is interested in dependency scanning and management for supply chain security and legal compliance. He is a member of the Technical Steering Committee for ClearlyDefined, an OSI project; a maintainer of GUAC, an OpenSSF Incubating project; a member of the Steering Committee for Scorecard, an OpenSSF Incubating project; a maintainer of Allstar, part of Scorecard; and a Software Engineer at Kusari.

Gary O’Neall is a contributor to the Software Package Data Exchange® (SPDX), an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references, and has contributed several open source tools. He is responsible for product development and technology at Source Auditor Inc., a software and service company that helps software companies manage the technical and legal risks of open-source software.

We would also like to thank Alyssa Wright (Bloomberg), Chaim Haas (Bloomberg), and Jeff Shapiro (Linux Foundation) for their contributions.

Source: opensource.org