We are developing a microservices-based product with around 100 different services. We already create an SBOM (CycloneDX) which contains all ~14,000 different components. A customer now requires that we provide a source file scan for each of these 14,000 dependencies and extract license and copyright information from each individual source file.
Since we already have an SBOM which lists all components with versions, I was wondering if there is a way to start a scan from an SBOM. Obviously it requires some way to get the source code from the component coordinates.
Can anyone think of an alternative way to produce this information? It should be possible to run a scan on every individual project, but a great deal of the microservices are Docker images that are not maintained by us; all other services are based on common Docker images. How would you run a source code scan on these images?
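The question above asks how to get from SBOM component coordinates to source that can be scanned. As an added example (not code from the original post), the Python below parses a constructed CycloneDX JSON SBOM, splits each component's purl into its parts, and maps npm and Maven coordinates to their public source-artifact URLs; container (oci) components come back unresolved, since an image has to be unpacked and scanned as a filesystem rather than fetched as one source tree.

```python
"""Added example: derive source-download coordinates from a CycloneDX SBOM.
The SBOM below is a constructed sample, not a real product's SBOM. The npm
registry and Maven Central URL layouts are the public ones; any other purl
type is reported as unresolved so it can be handled separately."""
import json
from urllib.parse import unquote

# Constructed three-component CycloneDX 1.4 JSON SBOM (sample data only).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
        {"type": "container", "name": "alpine", "version": "3.18",
         "purl": "pkg:oci/alpine@sha256%3Aabc?repository_url=docker.io/library/alpine"},
    ],
})

def parse_purl(purl):
    """Split a package URL into (type, namespace, name, version); qualifiers and subpath dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    head, sep, tail = body.rpartition("@")        # version follows the last '@'
    path, version = (head, tail) if sep else (tail, None)
    parts = path.strip("/").split("/")
    ptype, name = parts[0], unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return ptype, namespace, name, (unquote(version) if version else None)

def source_location(purl):
    """Map a purl to a public source-artifact URL, or None if the ecosystem is not handled."""
    ptype, ns, name, version = parse_purl(purl)
    if version is None:
        return None
    if ptype == "npm":                            # scoped packages keep their @scope prefix
        full = f"{ns}/{name}" if ns else name
        return f"https://registry.npmjs.org/{full}/-/{name}-{version}.tgz"
    if ptype == "maven" and ns:                   # Maven Central publishes a -sources.jar
        return (f"https://repo1.maven.org/maven2/{ns.replace('.', '/')}/{name}/"
                f"{version}/{name}-{version}-sources.jar")
    return None                                   # oci, generic, ... need a different route

def sbom_to_source_plan(sbom_json):
    """Return {purl: source_url_or_None} for every component in the SBOM that has a purl."""
    sbom = json.loads(sbom_json)
    return {c["purl"]: source_location(c["purl"])
            for c in sbom.get("components", []) if "purl" in c}
```

Components that resolve to None (container images here) are the ones that need an image-unpacking step before a file-level license scan can run.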