Snyk-generated SBOMs now include license details for the open source libraries in your projects

We’re excited to announce that SBOMs (software bill of materials) generated by Snyk's tools will include license information! This new capability is part of our ongoing efforts in our Software Supply Chain Security solution. The developer-first tools in the solution help you gain a better understanding of your app’s supply chain, identify potential risks, and take the necessary steps to get ahead of them.

The importance of SBOMs in securing the software supply chain

The majority of modern software is composed of pre-built, open source elements, which can streamline development time but also introduce security vulnerabilities and supply chain risks. In response to regulatory guidelines aimed at mitigating these threats, many organizations are adopting the practice of creating Software Bill of Materials (SBOMs), a detailed inventory of their application's components and dependencies.

An SBOM is similar to a manufacturing bill of materials, providing critical information for buyers and downstream tools. Standardized formats like CycloneDX and SPDX facilitate human-readable and consumable reports. For AppSec teams, this visibility is essential in understanding and addressing supply chain attacks while adhering to regulatory requirements.

However, integrating SBOM creation into the development process can be challenging for developers. Fortunately, tools like Snyk simplify the process by providing a straightforward way to generate SBOMs, giving users clear insights into their application's building blocks (e.g., open source components) and how they interact with each other.

The key takeaway is that creating an SBOM should not hinder innovation, but rather enable developers to prioritize both security and development time, and, ultimately, serve as a tool to help organizations reduce risk.

License risk in software development

SBOMs aren't only for enumerating what's in a piece of software, they're equally crucial to understand the risks associated with open source licenses. One major concern is the perils of licensing agreements that don't provide adequate protection for your intellectual property. For instance, using a license like the MIT License can leave you exposed to potential copyright infringement issues. The fact that the MIT License requires only attribution and does not limit use or distribution can be a double-edged sword - while it provides flexibility, it also makes it easier for others to reuse your code without permission.

Knowing which license types your applications' dependencies use allows you to proactively verify whether or not your applications carry unknown license risks. The license metadata that are now included in Snyk-generated SBOMs can help with license compliance management for legal, risk, and audit teams. SBOMs are often stored in or processed by downstream tools, for example custom policy engines or generating reports for audiences like Legal. Additionally, the license data can help determine required license attribution notices.

License info in your SBOMs with Snyk

Until now, users were forced to rely on workarounds such as editing/annotating SBOMs or enriching with data from other tools. Snyk provides an open source tool, parlay, to enrich SBOMs with data from third-party sources, like ecosyste.ms, which supports information on the licenses associated with each dependency. Snyk already provides license data in other areas of the product, such as its command-line interface (CLI) and web interface, so the logical step was to include it right in generated SBOMs.

In fact, licensing information is one of the key elements recommended by the National Institute of Standards and Technology (NTIA) for inclusion in SBOMs, and it's also a required field by the FDA. This makes it essential for compliance purposes. As a result, developers and AppSec teams have had to resort to manual annotations or workarounds using APIs or tools like Parlay to provide this critical information, which is now available natively within Snyk's SBOMs.

This example shows a snippet of the dependency information the Snyk-generated SBOMs included before the change.

SBOM snippet, before the license information was incorporated:

{
  "bom-ref": "5-github.com/mattn/go-colorable@v0.0.7",
  "group": "github.com/mattn",
  "name": "github.com/mattn/go-colorable",
  "purl": "pkg:golang/github.com/mattn/go-colorable@v0.0.7",
  "type": "library",
  "version": "v0.0.7"
}

In this latest update, Snyk is now including licensing information for supported ecosystems within all generated Software Bill of Materials (SBOMs). This new feature utilizes SPDX expressions to clearly display the license data, allowing for both single licenses and multiple licenses to be detected, even when combined with logical operators.

The added license metadata can be found in two specific locations: in CycloneDX SBOMs as components.licenses.expression, and in SPDX SBOMs as packages.licenseConcluded. This streamlined approach enhances the overall utility of Snyk's SBOM artifacts, providing downstream consumers with a better understanding of the dependencies within an asset and enabling them to make informed decisions about licensing compliance.

The above snippet, with the license info, now looks like this:

SBOM snippet, after the license information was incorporated, with the changes denoted by >:

{
  "bom-ref": "5-github.com/mattn/go-colorable@v0.0.7",
  "group": "github.com/mattn",
  "licenses": [
    {
      "expression": "(MIT AND Apache-2.0)"
    }
  ],
  "name": "github.com/mattn/go-colorable",
  "purl": "pkg:golang/github.com/mattn/go-colorable@v0.0.7",
  "type": "library",
  "version": "v0.0.7"
}

How do I get license information included in my Snyk-generated SBOMs?

When generating an SBOM with Snyk, license metadata will be automatically included by default  for all supported ecosystems, across all environments., That means that you don't have to change anything to include license metadata in your CycloneDX and SPDX format SBOMs, and it will work with SBOMs generated using the Snyk CLI, or the various SBOM generation APIs.