diff --git a/buildscripts/sbom/generate_sbom.py b/buildscripts/sbom/generate_sbom.py
index 60ac577adcf..c4d4177b3a4 100755
--- a/buildscripts/sbom/generate_sbom.py
+++ b/buildscripts/sbom/generate_sbom.py
@@ -553,12 +553,6 @@ def main() -> None:
 component = endor_bom["components"][i]
 removed = False
 for remove in endor_components_remove:
- if "components" in endor_bom["metadata"]["component"]:
- endor_bom["metadata"]["component"]["components"] = [
- c
- for c in endor_bom["metadata"]["component"]["components"]
- if not c.get("bom-ref", "").startswith(remove)
- ]
 if component["bom-ref"].startswith(remove):
 logger.info("ENDOR SBOM PRE-PROCESS: removing %s", component["bom-ref"])
 del endor_bom["components"][i]
diff --git a/buildscripts/sbom/metadata.cdx.json b/buildscripts/sbom/metadata.cdx.json
index 81bae23b5de..7f9f297eaca 100644
--- a/buildscripts/sbom/metadata.cdx.json
+++ b/buildscripts/sbom/metadata.cdx.json
@@ -25,6 +25,21 @@
 "group": "mongodb",
 "name": "mongodb/mongo",
 "version": "{{VERSION}}",
+ "description": "The MongoDB Database",
+ "licenses": [
+ {
+ "license": {
+ "id": "SSPL-1.0",
+ "url": "https://www.mongodb.com/legal/licensing/community-edition"
+ }
+ },
+ {
+ "license": {
+ "name": "MongoDB Enterprise Advanced License",
+ "url": "https://www.mongodb.com/products/self-managed/enterprise-advanced"
+ }
+ }
+ ],
 "cpe": "cpe:2.3:a:mongodb:mongodb:{{VERSION}}:*:*:*:*:*:*:*",
 "purl": "pkg:github/mongodb/mongo@{{VERSION}}",
 "externalReferences": [
diff --git a/buildscripts/sbom/sbom_utils.py b/buildscripts/sbom/sbom_utils.py
index 4ed9dedd27e..552d5a5c8e5 100644
--- a/buildscripts/sbom/sbom_utils.py
+++ b/buildscripts/sbom/sbom_utils.py
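Review bot: The new `licenses` array on the primary component lists two license objects, and CycloneDX consumers generally read a list of license objects as all applying together rather than as a choice; if the intent is "SSPL-1.0 or the Enterprise Advanced license", the unambiguous form is a single SPDX expression, e.g. `"licenses": [{"expression": "SSPL-1.0 OR LicenseRef-<enterprise-license-id>"}]` (identifier is a placeholder), which the sbom_linter change in this same diff now tolerates. The second entry carries only a `name`, so downstream tooling cannot map it to an SPDX identifier; that may be deliberate, but it is worth stating in the commit description. The identical block is added to sbom.json in the last file section of this diff, so whichever form is chosen should be applied to both.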
@@ -141,8 +141,12 @@ def check_components_and_dependencies(sbom: dict, label: str = "") -> None:
 def reconcile_dependency_refs(sbom: dict) -> None:
 """Add stub dependency entries for missing component refs; remove and warn about orphaned refs."""
 component_refs = {c["bom-ref"] for c in sbom.get("components", [])}
- if primary_ref := sbom.get("metadata", {}).get("component", {}).get("bom-ref"):
+ meta_component = sbom.get("metadata", {}).get("component", {})
+ if primary_ref := meta_component.get("bom-ref"):
 component_refs.add(primary_ref)
+ for sub in meta_component.get("components", []):
+ if sub_ref := sub.get("bom-ref"):
+ component_refs.add(sub_ref)
 dependency_refs = {d["ref"] for d in sbom.get("dependencies", [])}
 missing = component_refs - dependency_refs
diff --git a/buildscripts/sbom_linter.py b/buildscripts/sbom_linter.py
index 9ae50b7573e..87aa18a022a 100644
--- a/buildscripts/sbom_linter.py
+++ b/buildscripts/sbom_linter.py
@@ -129,13 +129,14 @@ def validate_license(component: dict, error_manager: ErrorManager) -> None:
 
 if not valid_license:
 licensing_validate = get_spdx_licensing().validate(expression, validate=True)
- # ExpressionInfo(
- # original_expression='',
- # normalized_expression='',
- # errors=[],
- # invalid_symbols=[]
- # )
- valid_license = not licensing_validate.errors or not licensing_validate.invalid_symbols
+ # LicenseRef- prefixed identifiers are valid per the SPDX/CycloneDX spec for custom
+ # or proprietary licenses not in the SPDX catalog; exclude them before checking.
+ non_licenseref_invalid = [
+ s
+ for s in licensing_validate.invalid_symbols
+ if not str(s).lower().startswith("licenseref-")
+ ]
+ valid_license = not licensing_validate.errors or not non_licenseref_invalid
 if not valid_license:
 error_manager.append_full_error_message(licensing_validate)
 return
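Review bot: The new loop over `meta_component.get("components", [])` walks only one nesting level, but a CycloneDX component object may itself carry a `components` list, and nothing walks nested components under the top-level `components` either, so a dependency `ref` that points at a deeper-nested component would still be treated as orphaned and removed. A small recursive collector used for both the top-level list and the metadata component handles any depth. Note also that the existing comprehension uses `c["bom-ref"]` (raises on a missing ref) while the new loop uses `.get` and silently skips one; the helper below uses `.get` for both, which is a deliberate relaxation — keep the strict form if a missing top-level ref is meant to fail the build. The rest of reconcile_dependency_refs (the missing/orphaned handling) continues past the hunk.
```python
def _collect_refs(components: list) -> set:
    """Return the bom-refs of *components* and of any components nested under them."""
    refs = set()
    for c in components:
        if ref := c.get("bom-ref"):
            refs.add(ref)
        refs |= _collect_refs(c.get("components", []))
    return refs


def reconcile_dependency_refs(sbom: dict) -> None:
    """Add stub dependency entries for missing component refs; remove and warn about orphaned refs."""
    component_refs = _collect_refs(sbom.get("components", []))
    meta_component = sbom.get("metadata", {}).get("component", {})
    if primary_ref := meta_component.get("bom-ref"):
        component_refs.add(primary_ref)
    component_refs |= _collect_refs(meta_component.get("components", []))
    # … unchanged: dependency_refs, missing/orphaned handling …
```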
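Review bot: The rewritten `valid_license = not licensing_validate.errors or not non_licenseref_invalid` still accepts an expression whose `errors` list is non-empty while `invalid_symbols` is empty (for example a malformed expression that fails to parse), because the right-hand operand is true whenever there was nothing to filter; the LicenseRef exemption should only relax the check when the errors are explained by LicenseRef symbols, e.g. `valid_license = not licensing_validate.errors or (bool(licensing_validate.invalid_symbols) and not non_licenseref_invalid)`. Separately, any `LicenseRef-` symbol is now accepted without being checked against anything, so a mistyped or undeclared custom identifier passes silently; if the project keeps a list of recognised custom license ids, comparing the suffix against it here would keep the SBOM license data trustworthy, and the new comment could say that LicenseRef symbols are accepted as-is. validate_license begins before this hunk.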
diff --git a/buildscripts/tests/sbom_linter/inputs/sbom_licenseref.json b/buildscripts/tests/sbom_linter/inputs/sbom_licenseref.json
new file mode 100644
index 00000000000..63702223f28
--- /dev/null
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_licenseref.json
@@ -0,0 +1,44 @@
+{
+ "properties": [
+ {
+ "name": "comment",
+ "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+ }
+ ],
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.5",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "bom-ref": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
+ "supplier": {
+ "name": "Austin Appleby"
+ },
+ "author": "Austin Appleby",
+ "group": "aappleby",
+ "name": "MurmurHash3",
+ "version": "a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
+ "licenses": [
+ {
+ "expression": "LicenseRef-custom-proprietary"
+ }
+ ],
+ "purl": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
+ "properties": [
+ {
+ "name": "internal:team_responsible",
+ "value": "Storage Execution"
+ }
+ ],
+ "evidence": {
+ "occurrences": [
+ {
+ "location": "src/third_party/murmurhash3"
+ }
+ ]
+ },
+ "scope": "required"
+ }
+ ]
+}
diff --git a/buildscripts/tests/sbom_linter/test_sbom.py b/buildscripts/tests/sbom_linter/test_sbom.py
index 049c342f4db..844746266ab 100644
--- a/buildscripts/tests/sbom_linter/test_sbom.py
+++ b/buildscripts/tests/sbom_linter/test_sbom.py
@@ -142,6 +142,14 @@ class TestSbom(unittest.TestCase):
 error_manager.print_errors()
 self.assertTrue(error_manager.zero_error())
 
+ def test_licenseref_license(self):
+ test_file = os.path.join(self.input_dir, "sbom_licenseref.json")
+ third_party_libs = {"murmurhash3"}
+ error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
+ if not error_manager.zero_error():
+ error_manager.print_errors()
+ self.assertTrue(error_manager.zero_error())
+
 
 if __name__ == "__main__":
 unittest.main()
diff --git a/sbom.json b/sbom.json
index 21a5becb44c..8e1c0648363 100644
--- a/sbom.json
+++ b/sbom.json
@@ -25,6 +25,21 @@
 "group": "mongodb",
 "name": "mongodb/mongo",
 "version": "master",
+ "description": "The MongoDB Database",
+ "licenses": [
+ {
+ "license": {
+ "id": "SSPL-1.0",
+ "url": "https://www.mongodb.com/legal/licensing/community-edition"
+ }
+ },
+ {
+ "license": {
+ "name": "MongoDB Enterprise Advanced License",
+ "url": "https://www.mongodb.com/products/self-managed/enterprise-advanced"
+ }
+ }
+ ],
 "cpe": "cpe:2.3:a:mongodb:mongodb:master:*:*:*:*:*:*:*",
 "purl": "pkg:github/mongodb/mongo@master",
 "externalReferences": [
@@ -63,7 +78,7 @@
 "services": [
 {
 "name": "Endor Labs Inc",
- "version": "v1.7.968"
+ "version": "v1.7.973"
 }
 ]
 }
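Review bot: `test_licenseref_license` covers only the accepting path; nothing asserts that an unknown symbol that is not `LicenseRef-` prefixed is still rejected after the linter relaxation, so a regression that widened the exemption (the `or` in validate_license already passes any expression whose invalid-symbol list is empty) would go unnoticed. A companion negative test against a second fixture pins the boundary of the exemption; the fixture name below is a placeholder for a file to be added alongside sbom_licenseref.json. The repeated `if not zero_error(): print_errors()` pattern could also move into a small assertion helper on the class, but that is cosmetic.
```python
    def test_unknown_license_rejected(self):
        # Fixture to be added: a copy of sbom_licenseref.json whose expression is an
        # identifier absent from the SPDX catalog and not LicenseRef- prefixed
        # (constructed example: "NotARealLicense-1.0").
        test_file = os.path.join(self.input_dir, "sbom_unknown_license.json")
        third_party_libs = {"murmurhash3"}
        error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
        self.assertFalse(error_manager.zero_error())
```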