Classifying licenses and resolving component licenses in the Software Bill of Materials workspace

  • Release version: Yokohama
  • Updated January 30, 2025

    Classify licenses and resolve (match) them to components, or create licenses, in the License administration module in the SBOM workspace. Classifying and matching licenses to your components permits you to determine your license compliance for the proprietary, open-source, and vendor-supplied software components you upload in your SBOM files.

    License data and third-party software

    As organizations build more of their own software applications, they are using open-source components and vendor-supplied software. Using third-party and open-source components provides many advantages for the rapid creation and release of your software projects; however, using these components comes with licensing risks:

    • Open-source and vendor-supplied software components at times have dependencies on other components, and each component might have its own licensing requirements.
    • If you’re not compliant with the terms of your licenses for the components and software in your applications, you might inadvertently ship code that violates your internal policies and regulatory licensing requirements.

    The License administration module

    The License administration module in the SBOM Workspace permits you to perform the following tasks.

    • Classify licenses that require it for the components you upload with your SBOM files.
    • Resolve each license you classify to a specific component.
    • See what percentage of the components you are using are out of compliance on a data visualization on the Home page. You can use this information to help you determine your overall security posture and potential risk exposure.

    If the SBOM files you upload include license information, the license database grows automatically as unique licenses are observed on each SBOM upload. With each SBOM upload, you can build a database of uploaded licenses and then classify them if necessary with the License administration module in the SBOM Workspace. You build an inventory of licenses so that you can assign them to components after you classify them in one of the following categories:

    • Permitted
    • Restricted
    • Banned
    • Unclassified

    Legal personnel, license managers, compliance, and regulatory managers perform tasks in the License administration module.

    Viewing uploaded license data

    You have the following options to view any license information you've uploaded with your components in the SBOM Workspace.
    • Navigate to Workspaces > SBOM Workspace > Components.
      On the Components page, the License classification of components card displays a visualization of your overall license compliance with the following categories.
      • Banned - Licensed usage is not permitted.
      • Classification required - License is not yet classified and requires a review.
      • Permitted - Licensed usage is permitted without restriction.
      • Restricted - Licensed usage is not permitted in specific use cases.

      This snapshot uses the classifications and resolved license information you enter in the License administration module to calculate your overall license compliance.

      If you select a component record from this list, you can view the component's license information along with other information in the State field.

    • Alternatively, navigate to Workspaces > SBOM Workspace > License administration > License classification.
      This page tracks the total number of unique licenses that have been detected from the SBOM files you’ve uploaded. It also filters them in cards along the top of the page in the following categories.
      • Unclassified - License requires review and classification.
      • Banned - License usage is not permitted.
      • Restricted - License is not permitted in specific use cases.
      • Permitted - License usage is permitted without restriction.
      • All licenses - Total count of licenses.
      Every component in your organization uses one of the licenses listed on this page. When a new license is detected from an SBOM upload, a record is created and stored in the SBOM license [sn_sbom_license] table and added to this list. Its classification is Classification Required by default. License records in this state must be reviewed and classified before you can resolve (match) them to components, so that your overall license compliance is accurately calculated.

      For information on how to classify licenses, see Classify imported licenses in the Software Bill of Materials Workspace.
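      As an added illustration (not ServiceNow code and not an excerpt from the SBOM Workspace), the following Python sketch models the workflow the two pages above describe: each SBOM upload grows a license inventory in which newly seen licenses default to Unclassified, a license manager classifies them, and components are then resolved against the classified licenses to produce the per-category counts shown on the Components card and the out-of-compliance percentage shown on the Home page. The CycloneDX-style SBOM document, the LicenseInventory class and the resolution rule (a component with any unclassified or missing license is Classification required; otherwise its worst classification wins; only Banned is counted as out of compliance) are this example's assumptions, because the page does not define how the product combines several licenses on one component or whether Restricted counts as out of compliance.

```python
import json
from collections import Counter

# Constructed sample upload: a minimal CycloneDX-style SBOM with SPDX license ids.
# It is not a real upload; libzeta deliberately carries no license data and
# libeta carries two licenses so both edge cases are exercised.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "libalpha", "version": "1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "libbeta",  "version": "3.0.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "libgamma", "version": "0.9.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "libdelta", "version": "2.2.2", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"name": "libeps",   "version": "1.0.0", "licenses": [{"license": {"id": "SSPL-1.0"}}]},
    {"name": "libeta",   "version": "5.0.0", "licenses": [{"license": {"id": "MIT"}},
                                                          {"license": {"id": "GPL-3.0-only"}}]},
    {"name": "libzeta",  "version": "4.4.4"}
  ]
}
"""

# The four classification states the page describes.
CLASSIFICATIONS = ("Permitted", "Restricted", "Banned", "Unclassified")


class LicenseInventory:
    """Hypothetical in-memory stand-in for a license table keyed by license id."""

    def __init__(self):
        self.licenses = {}  # license id -> classification

    def ingest(self, sbom_text):
        """Record every unique license seen in an upload; new ones start Unclassified.

        Re-uploading keeps existing classifications (setdefault never overwrites).
        Returns the components with the license ids found on each, ready for resolution.
        """
        bom = json.loads(sbom_text)
        components = []
        for comp in bom.get("components", []):
            ids = [entry["license"]["id"]
                   for entry in comp.get("licenses", [])
                   if "license" in entry and "id" in entry["license"]]
            for lic in ids:
                self.licenses.setdefault(lic, "Unclassified")
            components.append({"name": comp["name"],
                               "version": comp.get("version", ""),
                               "licenses": ids})
        return components

    def classify(self, license_id, classification):
        """License-manager action: move a known license into one of the four states."""
        if classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification: {classification}")
        if license_id not in self.licenses:
            raise KeyError(f"license not in inventory: {license_id}")
        self.licenses[license_id] = classification

    def card_counts(self):
        """Counts for the cards on the License classification page."""
        counts = Counter(self.licenses.values())
        result = {name: counts[name] for name in CLASSIFICATIONS}
        result["All licenses"] = len(self.licenses)
        return result


def component_status(inventory, component):
    """Resolve one component (assumed rule): missing or unclassified license means
    Classification required; otherwise the most restrictive classification wins."""
    if not component["licenses"]:
        return "Classification required"
    classes = {inventory.licenses.get(lic, "Unclassified") for lic in component["licenses"]}
    if "Unclassified" in classes:
        return "Classification required"
    for worst in ("Banned", "Restricted"):
        if worst in classes:
            return worst
    return "Permitted"


def compliance_snapshot(inventory, components):
    """Category counts for the Components card plus the Home-page percentage.
    Only Banned is treated as out of compliance here (example assumption)."""
    counts = Counter(component_status(inventory, c) for c in components)
    total = len(components)
    pct = round(100 * counts["Banned"] / total, 1) if total else 0.0
    return {"counts": dict(counts), "percent_out_of_compliance": pct}


def run_demo():
    """Upload, classify, resolve: returns the snapshot after classification."""
    inv = LicenseInventory()
    comps = inv.ingest(SBOM_JSON)
    for lic in ("MIT", "Apache-2.0", "BSD-3-Clause"):
        inv.classify(lic, "Permitted")
    inv.classify("GPL-3.0-only", "Restricted")
    inv.classify("SSPL-1.0", "Banned")
    return compliance_snapshot(inv, comps)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

      Before any classification, every component resolves to Classification required, which is why the page insists that classification precede resolution; after the license manager classifies the five unique licenses, the multi-license component libeta resolves to Restricted and the component with no license data stays in Classification required until someone supplies it.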

    Roles

    New licenses must be classified by a user with the sn_sbom_response.managelicense role. This user views uploaded license information and determines which licenses are permitted and which are banned. Users with this role cannot view the Component license resolution module unless they have the sn_sbom_response.licenseresolver role.

    After classification, licenses must be resolved by a user with the sn_sbom_response.licenseresolver role so that your overall license compliance can be determined. This user resolves licenses to components. Users with this role cannot view the License Classification module unless they have the sn_sbom_response.managelicense role.

    Classifying new license information is an ongoing process. You might prefer to keep the total number displayed on the Unclassified card low. As a license manager, you might prefer to check for licenses that need classification every few days and after you upload SBOM files.

    As a license resolver, you might prefer to check for updated classified licenses every few days.