From 91152b2e7ae155abf6728e6713bde2e50509edd1 Mon Sep 17 00:00:00 2001
From: Lukasz Juranek <juranek.lukasz@gmail.com>
Date: Sat, 31 Jan 2026 08:05:19 +0100
Subject: [PATCH] Add sbom data for baselibs (#2232)

---
 MODULE.bazel | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/MODULE.bazel b/MODULE.bazel
index 75198266..195d790d 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -144,3 +144,17 @@ bazel_dep(name = "score_crates", version = "0.0.6")
 #############################################################
 bazel_dep(name = "platforms", version = "1.0.0")
 bazel_dep(name = "score_bazel_platforms", version = "0.0.4")
+
+# ============================================================================
+# SBOM Metadata - Third-party dependencies for supply chain transparency
+# ============================================================================
+# Usage: Add license info for bazel_dep modules. Version auto-extracted.
+
+sbom = use_extension("@score_tooling//sbom:extensions.bzl", "sbom_metadata")
+
+# License info for bazel_dep modules (version auto-extracted from bazel_dep)
+sbom.license(name = "boost.container", license = "BSL-1.0", supplier = "Boost.org")
+sbom.license(name = "boost.interprocess", license = "BSL-1.0", supplier = "Boost.org")
+sbom.license(name = "nlohmann_json", license = "MIT", supplier = "Niels Lohmann")
+sbom.license(name = "googletest", license = "BSD-3-Clause", supplier = "Google LLC")
+sbom.license(name = "google_benchmark", license = "Apache-2.0", supplier = "Google LLC")