#4 Software Bill of Materials (SBOM) Reports & License Compliance

We will take a look at the SBOM report that our scanners created, as well as the various licenses that our scanners detected.

Theme

With the uptick of major security breaches hitting headlines, many governments have started to require their developers, and those that work with the government, to provide detailed reports on the dependencies of their applications. This section will show you how GitLab creates these reports for you.

  • Step 1: Review & Download SBOM report

    • Using the left-hand navigation menu, click through Security & Compliance > Dependency list to view all of the dependencies that are directly and indirectly included in your application.
    • Click through a few of the components and notice the details that are provided for each vulnerability. This information makes it easy to troubleshoot when you need to resolve a security flaw quickly.
    • Next, click Export to download the SBOM report in CycloneDX JSON format. If you then open the download, you can see all of the information displayed. To learn more about the CycloneDX format, go here.
  • Step 2: License Compliance

    • Using the left-hand navigation menu, click through Security & Compliance > License Compliance to view all of the licenses detected in your project. Let's say we decided we no longer want to allow the use of the MIT License, so we can click the Policies tab, then click Add license policy.
    • Next, type in and search for the MIT License, then select Deny and click Submit.
    • Now, if we click the Detected in project tab, you will see that the MIT License is marked as denied and violating the policy we set.
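As an added example (not part of this workshop or GitLab's own code), the following Python reads a CycloneDX JSON export like the one downloaded in Step 1 and checks it against a deny list like the MIT policy from Step 2. The SBOM content is constructed for illustration; the check goes a little beyond the UI by also looking inside SPDX license expressions such as "MIT OR Apache-2.0".

```python
"""Check a CycloneDX JSON SBOM export (Step 1) against a license deny list (Step 2)."""
import json
import re

# Constructed sample in the shape of a CycloneDX 1.4 JSON export; not a real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "dual-lib", "version": "0.1.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "unknown-lib", "version": "9.9.9"},
    ],
})

def component_licenses(component):
    """Return the license identifiers a component declares. CycloneDX allows
    {"license": {"id": ...}}, {"license": {"name": ...}} and an SPDX
    {"expression": ...}; expression operands are split out so that a denied
    license inside "MIT OR Apache-2.0" is still caught (conservative choice)."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            tokens = re.split(r"\s+(?:AND|OR)\s+|[()]", entry["expression"])
            found.extend(t.strip() for t in tokens if t.strip())
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    # A component with no license data at all is itself worth reviewing
    return found or ["UNKNOWN"]

def find_violations(sbom_json, denied):
    """Return (name, version, license) for each component using a denied license."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    denied = {d.lower() for d in denied}
    violations = []
    for comp in bom.get("components", []):
        for lic in component_licenses(comp):
            if lic.lower() in denied:
                violations.append((comp["name"], comp.get("version", ""), lic))
    return violations
```

Pass the contents of the downloaded export and `["MIT"]` to `find_violations` to reproduce the Deny policy check offline, for example in a CI job that fails the pipeline on any hit.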