The open-source license layer your legal team has been missing
Every SBOM is also a license inventory. SBOMVault turns the components in your software into the answers legal actually needs: what licenses you ship, what obligations they carry, where copyleft and unlicensed code hide, and the attribution notices you owe — defensible, current, and exportable.
The challenges we hear
License risk surfaces at the worst possible moment
A copyleft or unlicensed dependency three levels deep goes unnoticed until M&A due diligence, a financing round, or a major enterprise deal puts it under a microscope. By then it is an emergency, not a process.
Transitive licenses are invisible
Legal can review the libraries engineering chose. The 80% that arrived transitively — the licenses nobody read — are exactly where AGPL, SSPL, and no-license-at-all components hide.
Attribution notices are assembled by hand
Shipping a product means shipping a complete, accurate third-party notices file. Hand-assembling it from spreadsheets is slow, error-prone, and stale the moment the next release goes out.
No shared source of truth between legal and engineering
Engineering lives in the SBOM; legal lives in a spreadsheet. Without a shared, current inventory, every license question becomes a fire drill across two teams.
Copyleft in a proprietary product
A single strong-copyleft component in distributed, proprietary software can create source-disclosure obligations that change how — or whether — you can ship. You need to catch it before release, not after.
Unlicensed components grant no rights
A dependency with no detected license is not free — it is one you have no legal right to use. These need to be found and resolved, not silently shipped.
How SBOMVault helps
01
Org-wide License Center
Every distinct license across every product, classified by legal category — permissive, weak / strong / network copyleft, or unknown — with the components and products that use each one.
02
Obligation tracking
For each license, the concrete obligations you owe: attribution, source disclosure, same-license, network-use source offers. No guesswork about what a license actually requires.
03
License policy enforcement
Define allow, flag, and block lists of SPDX licenses. The policy is evaluated continuously against every SBOM, so a blocked license in a new release is a violation you see immediately.
04
Conflict & copyleft detection
Automatic detection of incompatible license combinations and copyleft components in distributed software — the issues that derail a deal if found late.
05
One-click attribution notices
Generate a complete THIRD-PARTY-NOTICES document — grouped by license, per product or org-wide — as text or HTML. Always current, because it is generated from the live SBOM.
06
A shared source of truth
Legal and engineering work from the same continuously-updated inventory. License questions become a query, not a cross-team investigation.
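As an added illustration of how the allow / flag / block evaluation (03), unlicensed-component detection and per-license notices grouping (05) fit together, the following Python sketch is not SBOMVault code; the sample SBOM, the policy lists and the function names are constructed assumptions, and only CycloneDX components with a plain SPDX `id` are handled.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM whose licenses are SPDX identifiers.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "netsvc", "version": "0.9.1", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "util-x", "version": "2.0.0", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
        {"name": "mystery", "version": "0.1.0"},  # no license metadata at all
    ],
})

# Hypothetical policy: SPDX identifiers sorted into allow / flag / block lists.
POLICY = {
    "allow": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "flag": {"LGPL-2.1-only", "MPL-2.0"},
    "block": {"AGPL-3.0-only", "SSPL-1.0"},
}

def component_licenses(comp):
    """Return the SPDX ids declared on a CycloneDX component (empty list if none)."""
    return [l["license"]["id"] for l in comp.get("licenses", []) if "id" in l.get("license", {})]

def evaluate_policy(sbom_json, policy):
    """Classify each component as blocked, flagged, unlicensed, allowed or unknown."""
    results = {}
    for comp in json.loads(sbom_json)["components"]:
        key = f'{comp["name"]}@{comp["version"]}'
        ids = component_licenses(comp)
        if not ids:
            results[key] = "unlicensed"   # no license means no rights granted: resolve, do not ship
        elif any(i in policy["block"] for i in ids):
            results[key] = "blocked"      # a single blocked id is enough to fail the component
        elif any(i in policy["flag"] for i in ids):
            results[key] = "flagged"      # needs a human look (weak copyleft, etc.)
        elif all(i in policy["allow"] for i in ids):
            results[key] = "allowed"
        else:
            results[key] = "unknown"      # license present but in no list: add it to the policy
    return results

def notices_by_license(sbom_json):
    """Group components by SPDX id, one section per license, as a THIRD-PARTY-NOTICES style text."""
    groups = {}
    for comp in json.loads(sbom_json)["components"]:
        for lid in component_licenses(comp) or ["NO-LICENSE-FOUND"]:
            groups.setdefault(lid, []).append(f'{comp["name"]} {comp["version"]}')
    return "\n".join(f"== {lid} ==\n" + "\n".join(sorted(v)) for lid, v in sorted(groups.items()))
```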
Every transitive dependency and its license, inventoried automatically
1 click to a complete, current third-party attribution notices file
Continuous policy evaluation across every product, every release
“Open-source license review used to be a frantic spreadsheet exercise before every diligence cycle. Having the inventory, the obligations, and the attribution file generated straight from our SBOMs turned it into a standing process instead of a fire drill.”
Associate General Counsel · Enterprise software company