deps.dev License Matcher
Fetches package metadata from deps.dev to improve license coverage.
| Property | Value |
|---|---|
| Matcher name | depsdev-license-matcher |
| Runs by default | No |
| Requires enrichment | Yes |
| Uses network | Yes |
| Cache behavior | Uses Bomly's matcher cache; cache failures are non-fatal. |
| Output fields | license value, license source, matched package flag |
| Tags | license-enrichment, batch-http |
User notes
Run with --enrich when you want license metadata from deps.dev.
What depsdev-license-matcher does
depsdev-license-matcher fetches package metadata from deps.dev (Google's open package metadata service) and attaches license information to packages that the detector did not resolve a license for. deps.dev coverage is strongest for npm, Go, Maven, NuGet, PyPI, Cargo, and RubyGems.
When to use it
Use it when local manifests do not carry enough license information, especially for generated SBOMs or ecosystems where lockfiles omit license fields:
bomly scan --enrich --matchers depsdev-license-matcher # this matcher only
What gets added
Each matched package can gain:
- licenses[] entries with normalized SPDX expressions
- licenses[].source = external-depsdev
- matched = true on packages that received license data
Bomly only fills packages that do not already have license data. Detector-resolved licenses remain the first source of truth.
Cache and network
The matcher batches version lookups through deps.dev and caches responses for 24 hours under ~/.bomly/cache/licenses/depsdev/. Cache failures are non-fatal: Bomly logs a warning and still applies the API response.
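The fill-only-missing rule and the cache behaviour described above, as an added example written for this page and not Bomly's own code: the package dict layout (`ecosystem`, `name`, `version`, `licenses[]` entries with `expression` and `source`), the `fake_fetch_batch` stand-in for the batched deps.dev lookup, the cache file naming and the tiny SPDX alias table are all assumptions for the illustration; the real matcher talks to deps.dev over the network.

```python
"""Fill-only-missing license enrichment with a 24h cache whose failures are
non-fatal. Example written for this page, not Bomly's implementation; the
package dict layout and the deps.dev stand-in below are assumptions."""
import json
import logging
import tempfile
import time
from pathlib import Path

log = logging.getLogger("depsdev-example")
LICENSE_SOURCE = "external-depsdev"   # licenses[].source value the page documents
CACHE_TTL_SECONDS = 24 * 60 * 60      # the page's 24-hour cache lifetime

# Assumed alias table; real normalisation would be a full SPDX canonicaliser.
SPDX_ALIASES = {"mit license": "MIT", "apache 2.0": "Apache-2.0", "bsd-3": "BSD-3-Clause"}


def normalize_spdx(raw):
    text = raw.strip()
    return SPDX_ALIASES.get(text.lower(), text)


class LicenseCache:
    """One JSON file per (system, name, version). A missing, expired or corrupt
    entry is a miss; a read or write failure is logged and otherwise ignored."""

    def __init__(self, cache_dir, ttl=CACHE_TTL_SECONDS, now=time.time):
        self.cache_dir, self.ttl, self.now = Path(cache_dir), ttl, now

    def _path(self, key):
        system, name, version = key
        return self.cache_dir / f"{system}__{name.replace('/', '_')}__{version}.json"

    def get(self, key):
        try:
            entry = json.loads(self._path(key).read_text())
            if self.now() - entry["fetched_at"] > self.ttl:
                return None                          # expired: refetch
            return entry["licenses"]
        except FileNotFoundError:
            return None
        except (OSError, ValueError, KeyError, TypeError) as exc:
            log.warning("cache read failed for %s: %s", key, exc)   # non-fatal
            return None

    def put(self, key, licenses):
        try:
            self.cache_dir.mkdir(parents=True, exist_ok=True)
            self._path(key).write_text(json.dumps({"fetched_at": self.now(), "licenses": licenses}))
        except OSError as exc:
            log.warning("cache write failed for %s: %s", key, exc)  # non-fatal


def enrich(packages, fetch_batch, cache):
    """Attach deps.dev licenses only where licenses[] is empty; detector data wins.
    fetch_batch(keys) -> {key: [expression, ...]} for the keys deps.dev knows."""
    result = [dict(p, licenses=list(p.get("licenses", []))) for p in packages]
    missing = [p for p in result if not p["licenses"]]
    key_of = lambda p: (p["ecosystem"], p["name"], p["version"])
    found, pending = {}, []
    for p in missing:
        cached = cache.get(key_of(p))
        if cached is None:
            pending.append(key_of(p))
        else:
            found[key_of(p)] = cached
    if pending:                                     # one batched call, not one per package
        for key, licenses in fetch_batch(pending).items():
            cache.put(key, licenses)
            found[key] = licenses
    for p in missing:
        licenses = found.get(key_of(p))
        if not licenses:
            continue                                # deps.dev has nothing: package stays unresolved
        p["licenses"] = [{"expression": normalize_spdx(e), "source": LICENSE_SOURCE} for e in licenses]
        p["matched"] = True
    return result


# Constructed sample input and a constructed offline stand-in for deps.dev.
SAMPLE_PACKAGES = [
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.21", "licenses": []},
    {"ecosystem": "pypi", "name": "requests", "version": "2.31.0",
     "licenses": [{"expression": "Apache-2.0", "source": "detector"}]},
    {"ecosystem": "cargo", "name": "serde", "version": "1.0.0", "licenses": []},
    {"ecosystem": "go", "name": "github.com/example/internal", "version": "v0.1.0", "licenses": []},
]
FAKE_DEPSDEV = {("npm", "lodash", "4.17.21"): ["MIT"],
                ("cargo", "serde", "1.0.0"): ["MIT OR Apache-2.0"]}   # the go module is unknown to it


def fake_fetch_batch(keys):
    return {k: FAKE_DEPSDEV[k] for k in keys if k in FAKE_DEPSDEV}


def run_demo():
    """Four passes over a temporary cache: cold, warm (only the unknown module
    goes back to the network), expired, and one with an unusable cache path."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = LicenseCache(tmp)
        first = enrich(SAMPLE_PACKAGES, fake_fetch_batch, cache)
        calls = []
        def counting_fetch(keys):
            calls.append(list(keys))
            return fake_fetch_batch(keys)
        second = enrich(SAMPLE_PACKAGES, counting_fetch, cache)
        warm_keys = calls[-1]
        expired = LicenseCache(tmp, now=lambda: time.time() + 2 * CACHE_TTL_SECONDS)
        enrich(SAMPLE_PACKAGES, counting_fetch, expired)
        expired_keys = calls[-1]
        blocker = Path(tmp) / "not-a-dir"
        blocker.write_text("in the way")          # cache path is a file, so reads and writes fail
        third = enrich(SAMPLE_PACKAGES, fake_fetch_batch, LicenseCache(blocker))
    return {"first": first, "second": second, "third": third,
            "warm_keys": warm_keys, "expired_keys": expired_keys}


if __name__ == "__main__":
    print(json.dumps(run_demo()["first"], indent=2))
```

The detector-resolved `requests` entry is never touched and never gets `matched`, the go module that deps.dev does not know stays unresolved rather than being given an empty or guessed license, and an unusable cache directory produces warnings but the same output as a healthy one, which is the non-fatal behaviour the page promises.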
CI recipe
bomly scan \
--path . \
--enrich \
--matchers depsdev-license-matcher
Add --audit --fail-on any only when your policy should fail builds on denied or unknown license findings.
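A gate that applies the denied-or-unknown rule above, as an added example for this page and not Bomly's `--audit` implementation: the allow and deny sets, the package layout, the simplified SPDX evaluation (top-level OR and AND only, no parentheses) and the `"denied"`/`"any"` mode names accepted by `audit()` are assumptions for the illustration.

```python
"""Illustrative license policy gate for "fail builds on denied or unknown
license findings". Example written for this page, not Bomly's --audit code;
the policy sets, package layout and mode names are assumptions."""

ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}   # constructed policy
DENY = {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}

# Constructed sample packages as they might look after (or without) enrichment.
SAMPLE_PACKAGES = [
    {"name": "lodash", "version": "4.17.21",
     "licenses": [{"expression": "MIT", "source": "external-depsdev"}]},
    {"name": "internal-lib", "version": "0.1.0", "licenses": []},     # nothing resolved it
    {"name": "readline-gpl", "version": "8.2",
     "licenses": [{"expression": "GPL-3.0-only", "source": "detector"}]},
    {"name": "serde", "version": "1.0.0",
     "licenses": [{"expression": "MIT OR Apache-2.0", "source": "external-depsdev"}]},
    {"name": "mixed", "version": "2.0.0",
     "licenses": [{"expression": "MIT AND GPL-3.0-only", "source": "detector"}]},
]


def _verdict_for_id(license_id):
    if license_id in DENY:
        return "denied"
    if license_id in ALLOW:
        return "allowed"
    return "unknown"          # not on either list, or an identifier we do not recognise


def verdict_for_expression(expression):
    """Simplified SPDX evaluation: split on top-level OR, then AND, no parentheses.
    OR: allowed if any branch is allowed, denied only if every branch is denied.
    AND: denied if any term is denied, allowed only if every term is allowed."""
    branch_verdicts = []
    for branch in expression.split(" OR "):
        terms = [_verdict_for_id(t.strip()) for t in branch.split(" AND ")]
        if "denied" in terms:
            branch_verdicts.append("denied")
        elif "unknown" in terms:
            branch_verdicts.append("unknown")
        else:
            branch_verdicts.append("allowed")
    if "allowed" in branch_verdicts:
        return "allowed"
    if all(v == "denied" for v in branch_verdicts):
        return "denied"
    return "unknown"


def classify(package):
    """One verdict per package; a package with no license data is an unknown finding."""
    expressions = [entry["expression"] for entry in package.get("licenses", [])]
    if not expressions:
        return "unknown"
    verdicts = [verdict_for_expression(e) for e in expressions]
    if "denied" in verdicts:          # several entries are treated conjunctively
        return "denied"
    if "unknown" in verdicts:
        return "unknown"
    return "allowed"


def audit(packages, fail_on):
    """Return (findings, exit_code). fail_on="denied" fails only on denied packages;
    fail_on="any" also fails on unknown ones, so unresolved licenses break the build."""
    findings = {p["name"]: classify(p) for p in packages}
    failing = {"denied"} if fail_on == "denied" else {"denied", "unknown"}
    exit_code = 1 if any(v in failing for v in findings.values()) else 0
    return findings, exit_code


if __name__ == "__main__":
    for mode in ("denied", "any"):
        findings, code = audit(SAMPLE_PACKAGES, mode)
        print(mode, code, findings)
```

The point to take from the run: `internal-lib` has no license at all and is classified unknown, so a build that fails on unknown findings fails on every package the detector could not resolve. That is the reason to run the enrichment step before the audit step rather than relying on the audit alone.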