Chapter 4. SBOM Diff & License Policy

Why this

Vulnerabilities creep in when new dependencies appear quietly. A small SBOM diff per release catches that supply-chain drift before it ships. A license allowlist avoids last-minute release blockers.

1) Produce today’s SBOM

You already get ./artifacts/sbom.json from make sbom or make ci. If not:

make sbom   # ensures artifacts/sbom.json exists

2) Keep a baseline and diff

  • Create or update a dated copy after each “release”:
make sbom-snapshot
  • Compare the current SBOM to the previous release baseline (the script auto-detects sensible pairs):
make sbom-diff

Artifact: artifacts/sbom-diff.txt shows ADDED/REMOVED packages (name@version) and a short summary. Because the key is name@version, a version bump appears as one REMOVED line and one ADDED line; a name that never appeared in the baseline is the line to look at first.
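The diff step above in working form, as an added example for this chapter (it is not the repository's own make sbom-diff script). It assumes a CycloneDX-style JSON layout with a top-level "components" list whose entries carry "name" and "version"; the two sample SBOMs are constructed inline. It goes one step beyond the text by separating brand-new package names from routine version bumps in the summary.

```python
"""SBOM diff: report ADDED/REMOVED packages as name@version, plus a summary.

Added example for this chapter, not the repository's own `make sbom-diff`
script. Assumption: CycloneDX-style JSON with a top-level "components" list
whose entries carry "name" and "version" (adapt package_ids() for SPDX).
"""
import json
import sys
from typing import Dict, List, Set

# Constructed sample SBOMs standing in for a dated baseline and today's
# artifacts/sbom.json; they are not real build output.
BASELINE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7"},
        {"type": "library", "name": "left-pad", "version": "1.3.0"},
    ],
})
CURRENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1"},    # version bump
        {"type": "library", "name": "colorama", "version": "0.4.6"},   # brand-new dependency
    ],
})


def package_ids(sbom_json: str) -> Set[str]:
    """Return the set of name@version identifiers declared in the SBOM."""
    doc = json.loads(sbom_json)
    ids: Set[str] = set()
    for comp in doc.get("components", []):
        name = comp.get("name")
        if not name:
            continue  # a component without a name cannot be tracked
        ids.add(f"{name}@{comp.get('version', 'unknown')}")
    return ids


def diff_sboms(baseline_json: str, current_json: str) -> Dict[str, List[str]]:
    """ADDED = only in current, REMOVED = only in baseline.

    A version bump appears as one REMOVED and one ADDED entry. new_names lists
    package names absent from the baseline entirely: that is the real
    supply-chain drift signal, as opposed to a routine upgrade.
    """
    before, after = package_ids(baseline_json), package_ids(current_json)
    names_before = {p.rsplit("@", 1)[0] for p in before}  # rsplit keeps scoped names like @org/pkg intact
    added = sorted(after - before)
    return {
        "added": added,
        "removed": sorted(before - after),
        "new_names": sorted({p.rsplit("@", 1)[0] for p in added} - names_before),
    }


def render_report(diff: Dict[str, List[str]]) -> str:
    """Text in the shape of artifacts/sbom-diff.txt: one line per change, then a summary."""
    lines = [f"ADDED   {p}" for p in diff["added"]]
    lines += [f"REMOVED {p}" for p in diff["removed"]]
    lines.append(
        f"SUMMARY added={len(diff['added'])} removed={len(diff['removed'])} "
        f"new_packages={','.join(diff['new_names']) or 'none'}"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    # With real files: python sbom_diff.py <baseline-sbom.json> artifacts/sbom.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            print(render_report(diff_sboms(a.read(), b.read())))
    else:
        print(render_report(diff_sboms(BASELINE_SBOM, CURRENT_SBOM)))
```

Run without arguments to see the constructed sample; with two file paths it diffs a dated baseline against today's artifacts/sbom.json. The new_packages field in the summary is what a reviewer should read first, since a name that did not exist in the last release is a change in trust, not just in version.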

3) License allowlist (policy you can enforce)

Create an allowlist at repo root:

# licenses-allowlist.txt
MIT
BSD-2-Clause
BSD-3-Clause
Apache-2.0
ISC
MPL-2.0

Scan licenses found in the SBOM:

make license-scan

Artifact: artifacts/license-scan.txt includes:

  • counts per license
  • any UNKNOWN licenses
  • any DISALLOWED licenses (not in your allowlist)

4) (Optional) Gate on licenses (WARN→BLOCK later)

Keep WARN mode for the MVP. When ready to enforce:

PROMOTE_BLOCK=1 make license-gate
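Steps 3 and 4 together, as an added example for this chapter (it is not the repository's make license-scan or make license-gate implementation). It assumes a CycloneDX JSON layout where a component's "licenses" entries are {"license": {"id": ...}}, {"license": {"name": ...}} or {"expression": "A OR B"}, and an allowlist with one identifier per line and '#' comments, as shown above; the sample SBOM is constructed inline. It also handles dual-licensed packages, which the text does not mention: an "A OR B" expression passes when any alternative is allowed, "A AND B" only when every part is.

```python
"""License scan against an allowlist, with a WARN/BLOCK gate.

Added example for this chapter, not the repository's make license-scan or
make license-gate. Assumptions: CycloneDX JSON where a component's "licenses"
entries are {"license": {"id": ...}}, {"license": {"name": ...}} or
{"expression": "A OR B"}; the allowlist is one identifier per line with '#'
comments, as in licenses-allowlist.txt above.
"""
import json
import os
from collections import Counter
from typing import Dict, List, Set

ALLOWLIST_TEXT = """# licenses-allowlist.txt
MIT
BSD-2-Clause
BSD-3-Clause
Apache-2.0
ISC
MPL-2.0
"""

# Constructed sample SBOM (not real build output) covering the three outcomes:
# allowed, DISALLOWED, and UNKNOWN (no license declared at all).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "requests", "version": "2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "chardet", "version": "5.2.0", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
        {"name": "pycparser", "version": "2.21", "licenses": [{"expression": "BSD-3-Clause OR GPL-2.0-only"}]},
        {"name": "colorama", "version": "0.4.6", "licenses": [{"license": {"name": "BSD-3-Clause"}}]},
        {"name": "mystery-pkg", "version": "0.1.0"},
    ],
})


def parse_allowlist(text: str) -> Set[str]:
    """One identifier per line; blank lines and '#' comments are ignored."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            allowed.add(line)
    return allowed


def component_licenses(comp: dict) -> List[str]:
    """License identifiers declared on one component; [] means UNKNOWN."""
    found = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name")
            if ident:
                found.append(ident)
    return found


def license_allowed(ident: str, allowed: Set[str]) -> bool:
    """A plain id must be in the allowlist. For dual licensing ('A OR B') one
    allowed alternative is enough; for 'A AND B' every part must be allowed."""
    if " OR " in ident:
        return any(license_allowed(p.strip(" ()"), allowed) for p in ident.split(" OR "))
    if " AND " in ident:
        return all(license_allowed(p.strip(" ()"), allowed) for p in ident.split(" AND "))
    return ident in allowed


def scan(sbom_json: str, allowlist_text: str) -> Dict[str, object]:
    """Counts per license, UNKNOWN packages and DISALLOWED packages, as in artifacts/license-scan.txt."""
    allowed = parse_allowlist(allowlist_text)
    counts: Counter = Counter()
    unknown: List[str] = []
    disallowed: List[str] = []
    for comp in json.loads(sbom_json).get("components", []):
        pkg = f"{comp.get('name')}@{comp.get('version', 'unknown')}"
        idents = component_licenses(comp)
        if not idents:
            counts["UNKNOWN"] += 1
            unknown.append(pkg)
            continue
        for ident in idents:
            counts[ident] += 1
            if not license_allowed(ident, allowed):
                disallowed.append(f"{pkg} ({ident})")
    return {"counts": dict(counts), "unknown": sorted(unknown), "disallowed": sorted(disallowed)}


def gate(result: Dict[str, object], block: bool) -> int:
    """CI exit status. WARN mode (block=False) always passes; BLOCK mode fails on any
    DISALLOWED package. Many teams also fail on UNKNOWN once the list is clean."""
    return 1 if (block and result["disallowed"]) else 0


if __name__ == "__main__":
    result = scan(SAMPLE_SBOM, ALLOWLIST_TEXT)
    for ident, n in sorted(result["counts"].items()):
        print(f"{n:3d}  {ident}")
    print("UNKNOWN:", ", ".join(result["unknown"]) or "none")
    print("DISALLOWED:", ", ".join(result["disallowed"]) or "none")
    # Mirror the chapter: PROMOTE_BLOCK=1 turns WARN into BLOCK.
    raise SystemExit(gate(result, os.environ.get("PROMOTE_BLOCK") == "1"))
```

On the constructed sample the scan reports one UNKNOWN (mystery-pkg declares nothing) and one DISALLOWED (chardet under LGPL-2.1-only); the dual-licensed pycparser passes because BSD-3-Clause is on the list. Run it plainly for WARN mode, or with PROMOTE_BLOCK=1 to get exit status 1 and fail the pipeline.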

Checklist

  • artifacts/sbom.json present (today)
  • A dated SBOM baseline kept (at least one)
  • artifacts/sbom-diff.txt reviewed (ADDED/REMOVED)
  • licenses-allowlist.txt committed
  • artifacts/license-scan.txt shows 0 DISALLOWED (or exception recorded)