Licenses
License identification, expression syntax, and compliance requirements for SBOM components
Software licenses must be identified using standardized identifiers to enable automated license compliance analysis and risk assessment.
License identification requirements
SPDX identifiers for open source — all open source licenses must be identified using SPDX license identifiers (e.g., Apache-2.0, MIT, GPL-3.0-or-later).
Structured format for commercial licenses — commercial and proprietary licenses should include:
- Clear copyright holder identification
- License name or identifier as used by the vendor
- Reference to full license text or agreement number
License expressions — when multiple licenses apply, use SPDX license expressions to accurately represent the licensing terms (e.g., Apache-2.0 OR MIT).
Unknown or unclear licenses — components with unclear licensing must be explicitly marked as such, rather than omitted.
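The four requirements above can be enforced mechanically before an SBOM is accepted. The validator below is an added example, not code from this page or from any SBOM project: it checks CycloneDX-style license entries for SPDX ids, parses SPDX license expressions (AND/OR/WITH, parentheses), requires a copyright holder and a full-text reference for commercial entries, and flags components with no license data; the SPDX id subset, component names and URLs are constructed for the example.

```python
import re
# Constructed subset of the SPDX License List; a real check loads the full list (assumption).
SPDX_IDS = {"Apache-2.0", "MIT", "GPL-2.0-or-later", "GPL-3.0-or-later", "BSD-3-Clause"}
OPS = ("AND", "OR", "WITH")
TOKEN = re.compile(r"[()]|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+|\S")  # \S: any stray character

def expression_ids(expr):
    """License ids in an SPDX expression; an id after WITH is an exception id and is skipped."""
    depth, ids, need_operand, prev = 0, [], True, None
    for tok in TOKEN.findall(expr):
        starts_operand = tok == "(" or (tok != ")" and tok not in OPS)
        depth += (tok == "(") - (tok == ")")
        if starts_operand != need_operand or depth < 0:
            raise ValueError(f"unexpected {tok!r} in {expr!r}")
        if tok in OPS:
            need_operand = True
        elif tok not in ("(", ")"):
            need_operand = False
            if prev != "WITH":
                ids.append(tok)
        prev = tok
    if depth or need_operand:
        raise ValueError(f"unclosed '(' or dangling operator in {expr!r}")
    return ids

def check_component(comp):  # findings for one CycloneDX-style component under the rules above
    name, out = comp.get("name", "?"), []
    if not comp.get("licenses"):
        return [f"{name}: no license data; unclear licensing must be marked, not omitted"]
    for entry in comp["licenses"]:
        lic = entry.get("license", {})
        if "expression" in entry:
            try:
                out += [f"{name}: unknown id {i} in expression"
                        for i in expression_ids(entry["expression"]) if i not in SPDX_IDS]
            except ValueError as err:
                out.append(f"{name}: invalid expression ({err})")
        elif "name" in lic:  # commercial: needs copyright holder and a reference to the full text
            if "copyright" not in lic.get("text", {}).get("content", "").lower() or not lic.get("url"):
                out.append(f"{name}: commercial license needs copyright holder and full-text reference")
        elif lic.get("id") not in SPDX_IDS:
            out.append(f"{name}: {lic.get('id')!r} is not an SPDX license id")
    return out

SAMPLE = {"components": [  # constructed sample SBOM fragment, not real product data
    {"name": "lib-a", "licenses": [{"license": {"id": "Apache-2.0"}}]}, {"name": "lib-c"},
    {"name": "lib-b", "licenses": [{"expression": "(MIT AND BSD-3-Clause) OR GPL-3.0-or-later"}]},
    {"name": "sdk", "licenses": [{"license": {"name": "Vendor SDK License", "url": "https://example.invalid/sdk"}}]},
    {"name": "lib-d", "licenses": [{"license": {"id": "GPL"}}]}]}
```

Running `check_component` over `SAMPLE["components"]` reports lib-c (no license data), sdk (no copyright holder) and lib-d (non-SPDX id); lib-a and lib-b pass.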
Open source license example
```json
{
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0",
        "url": "https://www.apache.org/licenses/LICENSE-2.0"
      }
    }
  ]
}
```

Commercial license example
```json
{
  "licenses": [
    {
      "license": {
        "name": "Example Health Care Systems Commercial License v2.1",
        "text": {
          "content": "Copyright (c) 2024 Example Health Care Systems AB. All rights reserved.",
          "contentType": "text/plain"
        },
        "url": "https://licenses.example-healthcare.se/v2.1"
      }
    }
  ]
}
```

References
| Reference | Notes |
|---|---|
| SPDX License List | Standardized short identifiers |
| SPDX License Expressions | License expression syntax (normative) |