{"id":"65e8acae-e8cf-4210-a116-581507e35f7c","task":"Enforce license compliance policy across all dependencies using SBOM license data","domain":"security-general","steps":["Generate an SBOM for your project that includes SPDX license expression fields for all components","Define a license policy that lists allowed, restricted, and forbidden license identifiers for your organization and use case","Run a license compliance tool (e.g., ORT, licensee, or a custom Rego policy) that evaluates each component's license against the policy","Flag any component with a forbidden or unknown license and block the build or generate a violation report","For restricted licenses, require a manual exception approval before allowing the dependency","Review and update the license policy at least annually as license categories or organizational requirements change"],"gotchas":["SPDX license expressions can be compound (e.g., Apache-2.0 OR MIT); policy tools must evaluate the full expression rather than treating it as a single token","Many packages declare licenses in multiple places (package manifest, SPDX field, license file) and they may disagree; the SBOM-recorded value may not reflect the authoritative license if the SBOM generator made a poor inference","Copyleft obligations for libraries differ depending on how the library is linked (static vs dynamic) and the intended distribution model; automated tools cannot determine link type and may produce incorrect compliance signals"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/65e8acae-e8cf-4210-a116-581507e35f7c"}