Re: SPDX Generator with RefIDs and package hierarchy
I take it by refID you’re referring to the SPDX ID for the packages.
There are a few tools out there that can build SBOMs with the dependency maps. You can find information on some of the tools here: https://spdx.dev/resources/tools/ - but I’ll admit this page may not be completely up to date and doesn’t answer your question specifically.
I will point to one of the tools I maintain – the SPDX Maven Plugin. This provides a “documentDescribes” SPDX Package for the package being built by Maven and dependency information for all Packages referenced. By default, transitive dependencies are included in the SBOM – but there is an option to turn that off and only include the top level dependencies.
I believe the opensbom-generator also produces SBOMs with the dependency information – but those on this email list maintaining this repo can correct me if I’m wrong.
Others – feel free to chime in with other tools.
From: spdx@... <spdx@...> On Behalf Of daniel@...
Sent: Thursday, March 9, 2023 10:39 AM
Subject: [spdx] SPDX Generator with RefIDs and package hierarchy
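The reply above describes what a generator emits for a "RefID and package hierarchy" question: a document that DESCRIBES the built package, plus relationships to every dependency package, with transitive dependencies optionally included. The following is an added example, not code from the SPDX Maven Plugin or any other SPDX project tool. It is a small Python consumer of an SPDX 2.3 JSON document that resolves the SPDXRef IDs back into a hierarchy: which package(s) the document describes, the direct dependencies of that package, the full transitive closure, and a nested tree. The SBOM it parses is a constructed sample embedded inline (the package names and IDs are made up), and it also performs two checks a practitioner wants before trusting such a tree: that every relationship endpoint refers to an element actually present in the document (a dangling SPDXRef makes the hierarchy meaningless), and that a dependency cycle does not recurse forever. Both DEPENDS_ON and its inverse DEPENDENCY_OF are normalised to the same edge direction, since tools differ in which one they emit.

```python
"""Resolve the package hierarchy of an SPDX 2.3 JSON SBOM via its SPDXRef IDs.

Added example, not code from any SPDX project tool. SAMPLE_SBOM is a
constructed document: an application (the package the document DESCRIBES),
one direct dependency (libA) and one transitive dependency (libB via libA).
"""
import json
from collections import defaultdict

# Constructed sample SPDX 2.3 document; names, versions and IDs are invented.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentDescribes": ["SPDXRef-Package-example-app"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-example-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-libA", "name": "libA", "versionInfo": "2.1.0"},
        {"SPDXID": "SPDXRef-Package-libB", "name": "libB", "versionInfo": "0.9.3"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-example-app"},
        {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libA"},
        # Same kind of edge written the other way round: libB is a DEPENDENCY_OF libA.
        {"spdxElementId": "SPDXRef-Package-libB", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-libA"},
    ],
})


def load_sbom(text):
    """Parse SPDX JSON text (what a tool writes to disk) into a dict."""
    return json.loads(text)


def package_index(doc):
    """Map SPDXID -> package object for every package in the document."""
    return {p["SPDXID"]: p for p in doc.get("packages", [])}


def described_packages(doc):
    """SPDXIDs the document DESCRIBES, from relationships or the documentDescribes shortcut."""
    ids = set(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            ids.add(rel["relatedSpdxElement"])
        elif rel["relationshipType"] == "DESCRIBED_BY" and rel["relatedSpdxElement"] == doc["SPDXID"]:
            ids.add(rel["spdxElementId"])
    return sorted(ids)


def dependency_edges(doc):
    """Normalise DEPENDS_ON and DEPENDENCY_OF into one map: dependant -> {dependencies}."""
    edges = defaultdict(set)
    for rel in doc.get("relationships", []):
        kind = rel["relationshipType"]
        if kind == "DEPENDS_ON":          # A DEPENDS_ON B: A -> B
            edges[rel["spdxElementId"]].add(rel["relatedSpdxElement"])
        elif kind == "DEPENDENCY_OF":     # A DEPENDENCY_OF B: B -> A
            edges[rel["relatedSpdxElement"]].add(rel["spdxElementId"])
    return edges


def dangling_references(doc):
    """Relationship endpoints that name no element in this SBOM.
    A dangling SPDXRef means the hierarchy cannot be reconstructed reliably."""
    known = set(package_index(doc)) | {doc["SPDXID"]}
    known |= {f["SPDXID"] for f in doc.get("files", [])}
    missing = set()
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            ref = rel[key]
            if ref not in known and ref not in ("NOASSERTION", "NONE"):
                missing.add(ref)
    return sorted(missing)


def direct_dependencies(doc, spdx_id):
    """Top-level dependencies only (what the plugin emits with transitives turned off)."""
    return sorted(dependency_edges(doc).get(spdx_id, set()))


def transitive_dependencies(doc, spdx_id):
    """Every dependency reachable from spdx_id; a visited set tolerates cycles."""
    edges = dependency_edges(doc)
    seen, stack = set(), list(edges.get(spdx_id, ()))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(edges.get(dep, ()))
    return sorted(seen)


def dependency_tree(doc, spdx_id):
    """Nested dict rooted at spdx_id; a node already on the current path is
    marked "cycle" instead of being expanded again."""
    edges = dependency_edges(doc)

    def build(node, path):
        return {dep: ("cycle" if dep in path else build(dep, path + (node,)))
                for dep in sorted(edges.get(node, ()))}

    return build(spdx_id, ())


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    pkgs = package_index(sbom)
    assert not dangling_references(sbom), dangling_references(sbom)
    for root in described_packages(sbom):
        print(f"{pkgs[root]['name']} {pkgs[root]['versionInfo']} ({root})")
        print("  direct:    ", direct_dependencies(sbom, root))
        print("  transitive:", transitive_dependencies(sbom, root))
        print("  tree:      ", json.dumps(dependency_tree(sbom, root), indent=2))
```

Point `load_sbom` at the JSON written by whichever generator you are evaluating and compare `direct_dependencies` against `transitive_dependencies` for the described package: if the two sets are identical on a project you know has nested dependencies, the tool either emitted only top-level dependencies or flattened the hierarchy, which is exactly the distinction the reply draws.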