Re: SPDX Generator with RefIDs and package hierarchy

Gary O'Neall

Hi Daniel,


I take it by refID you’re referring to the SPDX ID for the packages.


There are a few tools out that that can build SBOM’s with the dependency maps.  You can find information on some of the tools here: - but I’ll admit this page may not be completely up to date and doesn’t answer your question specifically.


I will point to one of the tools I maintain – the SPDX Maven Plugin.  This provides a “documentDescribes” SPDX Package for the package being built by Maven and dependency information for all Packages referenced.  By default, transitive dependencies are included in the SBOM – but there is an option to turn that off and only include the top level dependencies.


I believe the opensbom-generator also produces SBOM’s with the dependency information – but those on this email list maintaining this repo can correct me if I’m wrong.


Other’s – feel free to chime in with other tools.




From: spdx@... <spdx@...> On Behalf Of daniel@...
Sent: Thursday, March 9, 2023 10:39 AM
To: spdx@...
Subject: [spdx] SPDX Generator with RefIDs and package hierarchy


I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refID's for the overall asset (documentDescribes), and (2) have package dependency hierarchy information, i.e. something that I could use to build a tree visualization of how the software dependencies are introduced into the main piece of software?


Join { to automatically receive all group messages.