{"id":17514,"date":"2025-08-05T15:43:47","date_gmt":"2025-08-05T13:43:47","guid":{"rendered":"https:\/\/plus.maciejpiasecki.info\/index.php\/2025\/08\/05\/case-study-enhancing-sboms-with-cdsbom-at-the-linux-foundation\/"},"modified":"2025-08-05T22:11:24","modified_gmt":"2025-08-05T20:11:24","slug":"case-study-enhancing-sboms-with-cdsbom-at-the-linux-foundation","status":"publish","type":"post","link":"https:\/\/plus.maciejpiasecki.info\/index.php\/2025\/08\/05\/case-study-enhancing-sboms-with-cdsbom-at-the-linux-foundation\/","title":{"rendered":"Case study: enhancing SBOMs with cdsbom at the Linux Foundation"},"content":{"rendered":"<p>Authors: Jeff Mendoza and Gary O\u2019Neall<\/p>\n<p>Open Source licensing is a cornerstone of modern software development, enabling organizations to accelerate innovation by reusing existing components. However, accurately capturing licensing details in SBOMs (Software Bill of Materials) at scale is often challenging. Incomplete or inconsistent license data can lead to compliance risks, particularly when dealing with obligations such as attribution or source code distribution.<\/p>\n<p>ClearlyDefined, a project of the Open Source Initiative (OSI), helps address this issue by enabling organizations to easily enrich SBOMs with comprehensive software licensing data. Organizations are also able to contribute back with any missing or wrongly identified licensing data, helping to crowdsource a database that is accurate for the benefit of all.<\/p>\n<p>In this article, we\u2019ll present cdsbom, a tool to enhance SBOMs with ClearlyDefined\u2019s licensing metadata. We\u2019ll also showcase Linux Foundation\u2019s use of ClearlyDefined and cdsbom. 
This integration helps Linux Foundation projects gain deeper insight into their software supply chains, enabling more effective risk management and compliance tracking.<\/p>\n<p>Installing cdsbom<\/p>\n<p>cdsbom is a tool developed by Jeff Mendoza that helps enrich SBOMs with detailed licensing metadata, making it easier to understand and manage Open Source components in your projects. The installation is straightforward:<\/p>\n<p>Installing:<\/p>\n<p>go install github.com\/jeffmendoza\/cdsbom@latest<\/p>\n<p>Make sure $GOBIN is in your PATH.<\/p>\n<p>$GOBIN defaults to $GOPATH\/bin<\/p>\n<p>$GOPATH defaults to $HOME\/go on Unix and %USERPROFILE%\\go on Windows<\/p>\n<p>Using:<\/p>\n<p>cdsbom -out enhanced-sbom.json input-sbom.json<\/p>\n<p>This will read input-sbom.json and query ClearlyDefined for license information. The license fields in the SBOM will be replaced with the license data returned from ClearlyDefined. A new SBOM will be written to enhanced-sbom.json with the updated fields, in the same format as the input SBOM.<\/p>\n<p>Supported formats are the same as Protobom. This project is made possible by Protobom for SBOM parsing and by GUAC sw-id-core for converting PURLs to ClearlyDefined coordinates.<\/p>\n<p>Case Study: Linux Foundation<\/p>\n<p>The Linux Foundation provides key projects with SPDX SBOMs and license analysis based on scanning source files and source project metadata (\u201cSource\u201d SBOMs). A toolchain of Open Source tools, orchestrated by the scaffold tool, generates the final SBOM files.<\/p>\n<p>We recently added cdsbom into the toolchain to enrich the license metadata. The integration was very straightforward due to the support of standard SBOM formats \u2013 especially SPDX, which is used by scaffold. The result is much higher quality license information.<\/p>\n<p>After working through a few minor issues, cdsbom is now in regular use at the Linux Foundation, which hosts over 1,200 projects. 
While we don\u2019t scan them all, we audit several hundred projects to ensure proper license compliance. This means that when someone uses our code, they can trust it follows the stated Open Source license.<\/p>\n<p>Going forward, we\u2019re looking into improving cdsbom\u2019s performance by caching the license data, as some of the SBOMs can be quite large and there are typically multiple requests for license data for the same project dependencies.<\/p>\n<p>Final considerations<\/p>\n<p>Accurate and reliable licensing information is essential for ensuring compliance and mitigating legal risks in Open Source software adoption. By enriching SBOMs using ClearlyDefined, organizations gain a more complete and precise view of the licenses governing their dependencies, reducing the likelihood of unintended license violations. This not only strengthens compliance efforts but also fosters greater confidence in using Open Source at scale.<\/p>\n<p>ClearlyDefined creates a shared resource that benefits the entire ecosystem. Users who make use of ClearlyDefined\u2019s data can also contribute back by identifying and correcting gaps in licensing information. This collaborative approach helps build a more accurate and up-to-date crowdsourced database, ensuring that the broader Open Source community\u2014including maintainers, enterprises, and compliance teams\u2014has access to high-quality software license data.<\/p>\n<p>Resources<\/p>\n<p>To learn more about cdsbom, ClearlyDefined, and SBOMs at the Linux Foundation, please check these video recordings:<\/p>\n<p>Discover Dependency License Information Using SBOMs and ClearlyDefined \u2013 Jeff Mendoza (presented at FOSDEM 2025).<\/p>\n<p>Using SBOMs for Linux Foundation Projects \u2013 Jeff Shapiro &amp; Gary O\u2019Neall (presented at the Open Source Summit NA 2025).<\/p>\n<p>Authors<\/p>\n<p>Jeff Mendoza: interested in dependency scanning and management for supply chain security and legal compliance. 
<\/p>\n<ul>\n<li>Member of the Technical Steering Committee for ClearlyDefined, an OSI project<\/li>\n<li>Maintainer of GUAC, an OpenSSF Incubating project<\/li>\n<li>Member of the Steering Committee for Scorecard, an OpenSSF Incubating project<\/li>\n<li>Maintainer of Allstar, part of Scorecard, an OpenSSF Incubating project<\/li>\n<li>Software Engineer at Kusari<\/li>\n<\/ul>\n<p>Gary O\u2019Neall: a contributor to the Software Package Data Exchange\u00ae (SPDX) \u2013 an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools. Gary O\u2019Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.<\/p>\n<p>We would also like to thank Alyssa Wright (Bloomberg), Chaim Haas (Bloomberg), and Jeff Shapiro (Linux Foundation) for their contributions.<br \/>\nSource: opensource.org<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Jeff Mendoza and Gary O\u2019Neall Open Source licensing is a cornerstone of modern software development, enabling organizations to accelerate 
[&hellip;]<\/p>\n","protected":false},"author":64,"featured_media":17515,"comment_status":"false","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-17514","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mp"],"_links":{"self":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/17514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/users\/64"}],"replies":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/comments?post=17514"}],"version-history":[{"count":1,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/17514\/revisions"}],"predecessor-version":[{"id":17516,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/posts\/17514\/revisions\/17516"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/media\/17515"}],"wp:attachment":[{"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/media?parent=17514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/categories?post=17514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/plus.maciejpiasecki.info\/index.php\/wp-json\/wp\/v2\/tags?post=17514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}