FOSSology+SPDX [Crossposting]

Matt Germonprez <germonprez@...>

Hi everyone, 

Not sure if you saw this thread over at FOSSology. I think it might be of interest to SPDX too. 



Hi All, Bob,


This is Kotrappa, from Wipro Technologies India.

We are using Fossology on a local server for scanning some packages for License/copyright info.

Recently we have installed the Fossology+SPDX module on a local PC, and this gives spdx results as well. gives open source tools to convert .rdf to .spdx, .spdx to .rdf, .xls to .rdf etc.



We would like to know, after Fossology+SPDX scans a package and gives results in spdx format,

Are there any command line tools to execute on the command prompt on the local PC, using the localhost server running Fossology agents, to get results in spdx format?

(Please note I cannot use Web Interface version of because packages cannot be uploaded to public)


I mean, I should be able to get results something like mypackage_name.spdx or mypackage_name.rdf which complies with SPDX format

specified in, which I can use as an input to spdx open source tools for conversion, comparison etc.


Please help.


Best regards



Hi Kotrappa,

I’m confused why you mention that you cannot use since you have installed the spdx module on your own local machine.  You shouldn’t have to use the unomaha machine since you have it installed locally.

Since you have installed the FOSSology+SPDX module on your local PC, then you can create spdx files (tag files).  That option is the default but is specified in the “Output File Type” pull down on the SPDX Edit screen.  So though we call it a .tag file, I think that is the same as the .spdx file.

The command line (web api) doc is at:

However, this does not generate the full .spdx (tag) output.

If I have not understood your question completely, please ask again.  Liang Cao is the author of the SPDX module and he is on this list as well.

Bob Gobeille


Hi Kotrappa,

Liang Cao has added an option to generate a full SPDX document in TAG format from the command line. He has also provided a nice overview of how to work with the source. 

The source is pushed to here:

The documentation is here:

The option for [fullSPDXFlag] is added.
[fullSPDXFlag]: true/false. Only when this option is set to "true", low definition version of the full SPDX contents are output. Skipping this option equals setting it to "false." This option should be set to "true" when you want to generate an SPDX document from the command line.

You could generate a mypackagename.spdx by running a command like the following:
wget -qO - --no-check-certificate --post-file=./[mypackagename] --timeout=0 "https://domain/?mod=spdx_license_once&noCopyright=false&jsonOutput=false&fullSPDXFlag=true&packageNameInLog=[mypackagename]" > [mypackagename].spdx

for example:

If you have any questions, please feel free to contact me or Liang. We are happy to help. 

Matt Germonprez and Liang Cao

Mutual of Omaha Associate Professor of Information Systems
University of Nebraska at Omaha
Open Communities Lab
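
An added example, not part of the original thread or the FOSSology+SPDX project's own code: a wrapper around the wget call quoted above that verifies the local server's certificate against a CA file instead of passing --no-check-certificate, and rejects package names that would alter the query string. The base URL, the CA file path and the function names are assumptions; the query parameters are the ones shown in the command above.

```shell
#!/bin/sh
# Added example. Usage (hypothetical paths): ./fetch_spdx.sh https://localhost/ ./local-ca.pem ./mypackage.tar.gz
LC_ALL=C; export LC_ALL

# Allow only characters that cannot break out of the packageNameInLog
# parameter or the output file name.
valid_pkg_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the request URL from the parameters given in the thread.
spdx_url() {
    base=$1 name=$2
    case "$base" in
        https://*) ;;
        *) echo "refusing non-HTTPS base URL: $base" >&2; return 1 ;;
    esac
    valid_pkg_name "$name" || { echo "unsafe package name: $name" >&2; return 1; }
    printf '%s?mod=spdx_license_once&noCopyright=false&jsonOutput=false&fullSPDXFlag=true&packageNameInLog=%s\n' \
        "${base%/}/" "$name"
}

# POST the package and write <name>.spdx only if the transfer succeeded
# and the server's certificate chained to the CA file (assumed to hold the
# local server's self-signed or internal CA certificate).
fetch_spdx() {
    base=$1 ca=$2 pkg=$3
    name=${pkg##*/}
    url=$(spdx_url "$base" "$name") || return 1
    { [ -r "$pkg" ] && [ -r "$ca" ]; } || { echo "cannot read package or CA file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if wget -q -O "$tmp" --ca-certificate="$ca" --post-file="$pkg" \
            --timeout=0 "$url" && [ -s "$tmp" ]; then
        mv -- "$tmp" "./$name.spdx"
    else
        rm -f -- "$tmp"
        echo "scan request failed or returned no data" >&2
        return 1
    fi
}

if [ "$#" -eq 3 ]; then
    fetch_spdx "$@"
fi
```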
