I'm doing license check in my company (for audit). It's easy to do in each microservice (I will just run mvn project-info-reports:dependencies and will get the report), but we have several hundred spring boot microservices and they mostly use dependencies from Spring BOM, so it would be great to minimize number of repositories to check. Does Spring Boot team have some requirement for managed dependencies in BOM, more specifically that they must have permissive OSS license (like Apache, MIT etc.)?
Spring projects do not have such a requirement. Even if Spring projects tried to ensure that only libraries using certain OSS licences were included in BOMs, you would likely still need to check the licences of the entire transitive dependency graph, not just the libraries directly referenced by Spring BOMs.
You can get the dependency graph at build time, but another way to do this would be to generate an SBOM for each jar or war that is built, and check the built archives. SBOM formats are standardized, so there are likely tools with knowledge of the standards that can perform checks.
See the CycloneDX Maven plugin documentation for an example. Starting with version 3.3, Spring Boot has support for SBOMs in generated jars.