security_audit_sbom_license_policy
ActiveTool of DataNexus MCP
Audit a CycloneDX or SPDX SBOM against an SPDX licence policy and return a PASS/WARN/BLOCK verdict. sbom: Full SBOM as a JSON string — CycloneDX or SPDX format. Required. 500 KB max. policy: Optional dict with block/warn/allow arrays of exact SPDX licence identifiers (e.g. GPL-3.0, MIT). Defaults to block GPL-3.0 and AGPL-3.0, warn LGPL-2.1/MPL-2.0/BSD-4-Clause, allow MIT/Apache-2.0/BSD-2-Clause/BSD-3-Clause. No glob patterns — exact SPDX IDs only. Unlisted licences default to WARN. Returns verdict (PASS/WARN/BLOCK), blocked_packages, warned_packages, and the policy applied. Use security_audit_sbom_vulnerabilities for CVE auditing instead. Sources: deps.dev (Google). 1-hour cache per package. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_audit_sbom_license_policy", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".
Parameters schema
{
"type": "object",
"required": [
"sbom"
],
"properties": {
"sbom": {
"type": "string",
"description": "CycloneDX or SPDX SBOM as JSON string. Required. 500 KB max."
},
"policy": {
"anyOf": [
{
"type": "object",
"additionalProperties": true
},
{
"type": "null"
}
],
"default": null,
"description": "Policy dict with block/warn/allow arrays of SPDX licence IDs. Optional."
}
},
"additionalProperties": false
}No endpoints wrapped at confidence ≥ 0.50.
Parent server
DataNexus MCP
1/7 registries