Automatic License Association #1191
Hi, I am trying to understand the capability of Dependency-Track to automatically update a licence import from a CycloneDX BOM. We use Dependency-Track to store SBOMs within our build pipeline. Currently we are tracking fewer than 10 projects built on Python and NPM. We are running version 4.3.4. I see the licence DB within Dependency-Track has a full list of OS licences. I am able to go into a component and manually update its license from a list. I also see, for example, the licence name get populated in the SBOM generated by CycloneDX-Python. So my question is: does Dependency-Track require an SPDX License ID to associate a component with a license? Or should I expect that Dependency-Track can make this association based on the licence name? If an SPDX ID is required, any help pointing me to a reference on how to get this from CycloneDX-Python and @cyclonedx/bom would be appreciated. Thanks
Replies: 2 comments 4 replies
Dependency-Track requires SPDX license IDs to make the association. The Python version is currently being reworked so I'm not sure of the capabilities of it at the moment.
Just confirmed for others who may find this: for NPM, adding the `--include-license-text` flag provides the SPDX ID. Tested with @cyclonedx/bom 3.1.0.
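An added example, not from this thread or the Dependency-Track project: a small Python check that parses a CycloneDX JSON BOM and reports which components carry an SPDX license `id` (the form the answer above says Dependency-Track matches on) versus only a free-text license `name`, so an SBOM can be checked before it is uploaded. The BOM content below is constructed; `expression` entries are reported separately because the thread does not say how they are handled.

```python
import json

# Constructed sample CycloneDX 1.3 JSON BOM; not a real project's SBOM.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "components": [
        {"type": "library", "name": "requests", "version": "2.26.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},          # SPDX id
        {"type": "library", "name": "leftpad", "version": "1.0.0",
         "licenses": [{"license": {"name": "MIT License"}}]},       # name only
        {"type": "library", "name": "dual", "version": "0.1.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},        # SPDX expression
        {"type": "library", "name": "unknown-lib", "version": "3.2.1"},  # no license
    ],
})


def audit_bom(bom_json):
    """Map 'name@version' -> (status, values) for every component in the BOM.

    status is one of 'spdx' (license.id present), 'expression',
    'name-only' (license.name but no id) or 'none'.
    """
    bom = json.loads(bom_json)
    report = {}
    for comp in bom.get("components", []):
        key = f"{comp.get('name')}@{comp.get('version', '')}"
        ids, names, exprs = [], [], []
        for entry in comp.get("licenses", []):
            lic = entry.get("license")
            if lic is not None:
                if "id" in lic:
                    ids.append(lic["id"])
                elif "name" in lic:
                    names.append(lic["name"])
            elif "expression" in entry:
                exprs.append(entry["expression"])
        if ids:
            report[key] = ("spdx", ids)
        elif exprs:
            report[key] = ("expression", exprs)
        elif names:
            report[key] = ("name-only", names)
        else:
            report[key] = ("none", [])
    return report


def unassociated_components(bom_json):
    """Components that carry no SPDX id and so will not be auto-associated."""
    return sorted(k for k, (status, _) in audit_bom(bom_json).items()
                  if status in ("name-only", "none"))


if __name__ == "__main__":
    for key, (status, values) in audit_bom(SAMPLE_BOM).items():
        print(f"{key}: {status} {values}")
```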