License scanning support beyond the SPDX list
Problem to solve
The External License Database (License DB) feeds GitLab instances with license data for the components used as project dependencies, and listed in project SBOMs. However, the License DB might not have the license info for a specific component. The component might come from:
- a private registry
- a public registry that the License DB cannot sync with
- a public registry that's not yet supported
Currently, license info is obtained from https://spdx.org/licenses/, but users need a way to add license info beyond what is available via SPDX.
Proposal
Users can overwrite "unknown" license types for a specific component. The custom license info will be stored on a per-customer basis and would apply to all projects containing the component with the custom license.