Re: SPDX Generator with RefIDs and package hierarchy

Nisha Kumar

I honestly thought the original question was about SPDX's format itself and not about tools used in certain situations.

From my side tern does a good job in generating SPDX docs for containers. But I am not aware of any open source tools that are "one solution".

On 3/16/23 11:18, Gary O'Neall wrote:

Hi Daniel,


I’m not sure I agree if you include commercial and open source tools.  If you’re generating the information primarily from package manifests, there are a few tools out there that generate SPDX documents across a wide variety of ecosystems.


Have you reviewed the tools referenced on  It includes a list of open source tools and a list of commercial tools.


Is your question restricted to open source tools?  Also, to help understand what you’re looking for, can you let us know which tools that generate CycloneDX SBOM’s you’re referring to?


I’m a bit surprised that more tool maintainers didn’t reply earlier beyond what Anthony and I provided.  I didn’t want to speak for them, but I’m pretty sure there as some tools maintained by folks on this distribution list that at least partially provide what you’re looking for.





From: spdx@... <spdx@...> On Behalf Of daniel@...
Sent: Thursday, March 16, 2023 7:40 AM
To: spdx@...
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy


[Edited Message Follows]

So just to confirm with the community:

There is no single generator that can generate SPDX SBOMs, with dependency hierarchies, across different ecosystems (Python, Go, etc.) and for both containers & filesystems? The open-sbom-generator seems to work for filesystems, but not for containers. 

The closest we've found are one or two tools that only generate CycloneDX SBOMs, but we're also looking to support SPDX as well. 


Join { to automatically receive all group messages.