[x-license] Expose license / license text for SBOM generators (like cyclonedx package) #22706

@HonorGuardCZ

Steps to reproduce

Steps:

  1. Have some project using MUI X PRO packages (like x-data-grid-pro)
  2. Run the command for exporting the SBOM, in our case, it's:

         npm install --global @cyclonedx/cyclonedx-npm
         cyclonedx-npm --package-lock-only --spec-version 1.6 --omit dev --short-PURLs --output-file sbom.cyclonedx.json

  3. Check the generated SBOM and find MUI X packages

Current behavior

Currently it returns

    "licenses": [
      {
        "license": {
          "name": "SEE LICENSE IN LICENSE",
          "acknowledgement": "declared"
        }
      }
    ],

Our SBOM tool returns the following warnings:

    WARNING: The license text of component 'x-data-grid-pro' and license 'SEE LICENSE IN LICENSE' has no text.
    WARNING: The license text of component 'x-license' and license 'SEE LICENSE IN LICENSE' has no text.
    WARNING: The license text of component 'x-telemetry' and license 'SEE LICENSE IN LICENSE' has no text.

Expected behavior

It should use a valid SPDX identifier (most probably with the prefix LicenseRef) and should properly return the license text.

Context

We use the command cyclonedx-npm --package-lock-only --spec-version 1.6 --omit dev --short-PURLs --output-file sbom.cyclonedx.json and the content of this command is then used in our SBOM generation tool (which packs together all layers of the application).

Your environment

npx @mui/envinfo
  System:
    OS: Linux 6.17 Debian GNU/Linux 13 (trixie) 13 (trixie)
  Binaries:
    Node: 24.9.0 - /usr/bin/node
    npm: 11.14.1 - /usr/bin/npm
    pnpm: Not Found
  Browsers:
    Chrome: Not Found
    Firefox: Not Found
  npmPackages:
    @base-ui/utils:  0.2.3 
    @emotion/react: 11.14.0 => 11.14.0 
    @emotion/styled: 11.14.1 => 11.14.1 
    @mui/core-downloads-tracker:  7.3.8 
    @mui/icons-material: 7.3.8 => 7.3.8 
    @mui/lab: 7.0.0-beta.14 => 7.0.0-beta.14 
    @mui/material: 7.3.8 => 7.3.8 
    @mui/private-theming:  7.3.8 
    @mui/styled-engine:  7.3.8 
    @mui/system: 7.3.8 => 7.3.8 
    @mui/types:  7.4.11 
    @mui/utils:  7.3.8 
    @mui/x-data-grid:  8.27.1 
    @mui/x-data-grid-pro: 8.27.1 => 8.27.1 
    @mui/x-date-pickers: 8.27.0 => 8.27.0 
    @mui/x-internals:  8.23.0 
    @mui/x-license: 8.26.0 => 8.26.0 
    @mui/x-telemetry:  8.20.0 
    @mui/x-tree-view:  8.23.0 
    @mui/x-virtualizer:  0.3.3 
    @types/react: 19.2.14 => 19.2.14 
    react: 19.2.4 => 19.2.4 
    react-dom: 19.2.4 => 19.2.4 
    typescript: 5.9.3 => 5.9.3 

Search keywords: license sbom

Order ID: 44899
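
The condition reported above can be checked before an SBOM is handed to a downstream tool. The following is an added example, not part of the original issue and not MUI or CycloneDX project code: it walks a CycloneDX JSON document and lists components whose license entry has no SPDX id, no SPDX expression and no embedded text. The function name, the sample SBOM and the `example-lib` component are constructed for illustration.

```javascript
// Added example (not from the issue): list CycloneDX components whose license
// cannot be resolved by a downstream tool. An entry counts as resolved when it has
// an SPDX `expression`, an SPDX `license.id`, or embedded `license.text.content`.
function findUnresolvedLicenses(sbom) {
  const findings = [];
  const visit = (components) => {
    for (const c of components ?? []) {
      const label = `${[c.group, c.name].filter(Boolean).join('/')}@${c.version ?? '?'}`;
      const entries = Array.isArray(c.licenses) ? c.licenses : [];
      if (entries.length === 0) findings.push({ component: label, reason: 'no license declared' });
      for (const entry of entries) {
        if (typeof entry.expression === 'string' && entry.expression.trim()) continue;
        const lic = entry.license ?? {};
        if (lic.id || lic.text?.content) continue;
        const name = lic.name ?? '';
        // npm's "SEE LICENSE IN <file>" convention is a file pointer, not a license name.
        const kind = /^SEE LICENSE IN\b/i.test(name) ? 'npm file pointer' : 'named license';
        findings.push({ component: label, reason: `${kind} "${name}" without license text` });
      }
      visit(c.components); // components may be nested inside other components
    }
  };
  visit(sbom.components);
  return findings;
}

// Constructed sample SBOM; the nesting and `example-lib` are hypothetical test data.
const sampleSbom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.6',
  components: [
    { group: '@mui', name: 'x-data-grid-pro', version: '8.27.1',
      licenses: [{ license: { name: 'SEE LICENSE IN LICENSE', acknowledgement: 'declared' } }],
      components: [
        { group: '@mui', name: 'x-license', version: '8.26.0',
          licenses: [{ license: { name: 'SEE LICENSE IN LICENSE', acknowledgement: 'declared' } }] },
      ] },
    { group: '@mui', name: 'material', version: '7.3.8',
      licenses: [{ license: { id: 'MIT', acknowledgement: 'declared' } }] },
    { name: 'react', version: '19.2.4', licenses: [{ expression: 'MIT' }] },
    { name: 'example-lib', version: '1.0.0',
      licenses: [{ license: { name: 'Example Commercial License',
        text: { contentType: 'text/plain', content: 'Full license text here.' } } }] },
  ],
};

for (const f of findUnresolvedLicenses(sampleSbom)) console.log(`${f.component}: ${f.reason}`);
```

To check a real file, pass the parsed contents of `sbom.cyclonedx.json` to `findUnresolvedLicenses` and fail the pipeline when the returned list is not empty.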

Labels

  - scope: all components (Widespread work has an impact on almost all components.)
  - scope: x-license (Changes related to @mui/x-license.)
  - status: waiting for maintainer (These issues haven't been looked at yet by a maintainer.)
  - support: pro standard (Support request from a Pro standard plan user. https://mui.com/legal/technical-support-sla.)