Re: SPDX Generator with RefIDs and package hierarchy
Gary O'Neall
Hi Daniel,
I’m not sure I agree if you include commercial and open source tools. If you’re generating the information primarily from package manifests, there are a few tools out there that generate SPDX documents across a wide variety of ecosystems.
Have you reviewed the tools referenced on spdx.dev/tools? It includes a list of open source tools and a list of commercial tools.
Is your question restricted to open source tools? Also, to help understand what you’re looking for, can you let us know which tools that generate CycloneDX SBOMs you’re referring to?
I’m a bit surprised that more tool maintainers didn’t reply earlier beyond what Anthony and I provided. I didn’t want to speak for them, but I’m pretty sure there are some tools maintained by folks on this distribution list that at least partially provide what you’re looking for.
Gary
From: spdx@... <spdx@...> On Behalf Of daniel@...
Sent: Thursday, March 16, 2023 7:40 AM
To: spdx@...
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy
[Edited Message Follows]
So just to confirm with the community: