Automatic License Association

[mdtyler]

Hi am trying to understand the capability of Dependency Track to automatically update a licence import from CycloneDX bom. We use Dependency Track to store SBOM within our build pipeline. Currently we are tracking less then 10 projects built on python and NPM. We are running version 4.3.4

I see the licence db within Dependency Track has a full list of OS licences. I am able to manually go into a component and manually update its license from a list. I also see for example the licence name get populated in the SBOM generated by CycloneDX-Python.

So my question is does Dependency Track require SPDX License ID to associate a component with a license? Or should I expect that Dependency Track can make this association based on the licence name? If SPDX ID is required any help pointing me to a reference on how to get this from CycloneDX-Python and @cyclonedx/bom would be appreciated.

Thanks

[stevespringett]

Dependency-Track requires SPDX license IDs to make the association. The Python version is currently being reworked so I'm not sure of the capabilities of it at the moment.

[mdtyler]

Thanks for the quick reply.

[mdtyler]

Just confirmed for others who may find this: for NPM adding the " --include-license-text" provides the SPDX ID. Tested with @cyclonedx/bom 3.1.0

[stevespringett]

Are you saying that the SPDX license ID is only added when --include-license-text is specified? If so, this is a defect. The SPDX license ID should always be resolved (if available). The --include-license-text should only add the additional text element containing the full license text.

[mdtyler]

I believe so yes.

[mdtyler]

I confirmed our two NPM projects. The one I added the above switch (--include-license-text) has all components with associated licenses. The other one does not and has no licences associated. I did not review the SBOM outputs though. I only reviewed the data in Dependency Track