sbom-license-risk-checker

SKILL.md

When to invoke

  • You have a CycloneDX SBOM and need to flag packages with disallowed or unknown licenses.
  • You want an audit-friendly report that can be used in CI.

Inputs needed

  • --sbom: path to a CycloneDX JSON SBOM.
  • --policy: path to a JSON license policy containing:
    • allow: list of allowed SPDX identifiers
    • deny: list of denied SPDX identifiers
    • warn: list of licenses that require review

Workflow

  1. Load SBOM JSON.
  2. Iterate components and extract license identifiers (best-effort).
  3. Classify each component:
    • allowed, warn, denied, or unknown (no SPDX identifier could be extracted, or the identifier is not in any policy list)
  4. Emit JSON report with summary counts and per-component findings.
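
The four workflow steps above, as an added Python example (not the skill's own code): it reads a CycloneDX JSON SBOM and a policy file, extracts license identifiers from each component's `licenses` array (the `license.id`, `license.name` and `expression` forms of the CycloneDX schema), classifies with the precedence deny > warn > unknown > allowed, and emits the JSON report. The sample SBOM, sample policy, component names and the non-zero exit on denied packages are assumptions made for this example.

```python
"""Added example (not the skill's own code): minimal CycloneDX license checker."""
import argparse
import json
import re
import sys
from collections import Counter

# Operator words in an SPDX expression that are not license identifiers.
_OPERATORS = {"AND", "OR", "WITH"}


def extract_license_ids(component):
    """Best-effort: collect SPDX ids, free-text names and expression tokens
    from a CycloneDX component's `licenses` array."""
    ids = []
    for entry in component.get("licenses", []) or []:
        lic = entry.get("license")
        if isinstance(lic, dict):
            value = lic.get("id") or lic.get("name")
            if value:
                ids.append(value.strip())
        expr = entry.get("expression")
        if expr:
            # Drop "WITH <exception>" so the exception name is not treated as
            # a license, then keep the remaining identifier tokens.
            expr = re.sub(r"\bWITH\s+\S+", "", expr)
            for tok in re.findall(r"[A-Za-z0-9.+\-]+", expr):
                if tok.upper() not in _OPERATORS:
                    ids.append(tok)
    return ids


def classify(license_ids, policy):
    """Precedence deny > warn > unknown > allowed. Conservative on purpose:
    a denied id inside an OR-expression still flags the component as denied."""
    deny = set(policy.get("deny", []))
    warn = set(policy.get("warn", []))
    allow = set(policy.get("allow", []))
    if not license_ids:
        return "unknown"
    if any(lic in deny for lic in license_ids):
        return "denied"
    if any(lic in warn for lic in license_ids):
        return "warn"
    if all(lic in allow for lic in license_ids):
        return "allowed"
    return "unknown"


def build_report(sbom, policy):
    """Per-component findings plus summary counts, in a CI-friendly shape."""
    findings = []
    for comp in sbom.get("components", []):
        ids = extract_license_ids(comp)
        findings.append({
            "name": comp.get("name"),
            "version": comp.get("version"),
            "purl": comp.get("purl"),
            "licenses": ids,
            "status": classify(ids, policy),
        })
    counts = Counter(f["status"] for f in findings)
    return {
        "summary": {k: counts.get(k, 0) for k in ("allowed", "warn", "denied", "unknown")},
        "findings": findings,
    }


# Constructed sample inputs (assumed values, not taken from any real SBOM).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "readline", "version": "8.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "somelib", "version": "0.1", "licenses": [{"expression": "MIT OR LGPL-2.1-only"}]},
        {"name": "vendor-blob", "version": "2.0", "licenses": [{"license": {"name": "Proprietary EULA"}}]},
        {"name": "mystery", "version": "0.0.1"},  # no license data at all
    ],
}
SAMPLE_POLICY = {
    "allow": ["MIT", "Apache-2.0", "BSD-3-Clause"],
    "deny": ["GPL-3.0-only", "AGPL-3.0-only"],
    "warn": ["LGPL-2.1-only", "MPL-2.0"],
}


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Flag SBOM components by license policy")
    parser.add_argument("--sbom", help="CycloneDX JSON SBOM (defaults to built-in sample)")
    parser.add_argument("--policy", help="JSON policy with allow/deny/warn (defaults to sample)")
    args = parser.parse_args()
    sbom = json.load(open(args.sbom)) if args.sbom else SAMPLE_SBOM
    policy = json.load(open(args.policy)) if args.policy else SAMPLE_POLICY
    report = build_report(sbom, policy)
    print(json.dumps(report, indent=2))
    # Assumed CI convention: fail the job when any component is denied.
    sys.exit(1 if report["summary"]["denied"] else 0)
```

Run it with no arguments to see the report for the built-in sample (one allowed, one warn, one denied, two unknown), or pass `--sbom` and `--policy` to check a real SBOM. Classification is deliberately conservative: a component whose expression mixes an allowed and a denied license is reported as denied, and a free-text license name that is not in any policy list lands in `unknown` so a reviewer sees it rather than having it silently pass.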

Installs: 7
First seen: May 13, 2026
Source: sisodiabhumca/agent-skills