Re: SPDX Generator with RefIDs and package hierarchy

Home Messages Hashtags Subgroups

#1635

Re: SPDX Generator with RefIDs and package hierarchy

Gary O'Neall #1635 Hi Daniel, I take it by refID you’re referring to the SPDX ID for the packages. There are a few tools out that that can build SBOM’s with the dependency maps. You can find information on some of the tools here: https://spdx.dev/resources/tools/ - but I’ll admit this page may not be completely up to date and doesn’t answer your question specifically. I will point to one of the tools I maintain – the SPDX Maven Plugin. This provides a “documentDescribes” SPDX Package for the package being built by Maven and dependency information for all Packages referenced. By default, transitive dependencies are included in the SBOM – but there is an option to turn that off and only include the top level dependencies. I believe the opensbom-generator also produces SBOM’s with the dependency information – but those on this email list maintaining this repo can correct me if I’m wrong. Other’s – feel free to chime in with other tools. Regards, Gary toggle quoted message Show quoted text From: spdx@... <spdx@...> On Behalf Of daniel@... Sent: Thursday, March 9, 2023 10:39 AM To: spdx@... Subject: [spdx] SPDX Generator with RefIDs and package hierarchy All, I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refID's for the overall asset (documentDescribes), and (2) have package dependency hierarchy information, i.e. something that I could use to build a tree visualization of how the software dependencies are introduced into the main piece of software? Thanks, Daniel
More All Messages By This Member

View All 8 Messages In Topic

#1635

Join {spdx@lists.spdx.org to automatically receive all group messages.

Home Hashtags Subgroups Terms