Re: GitHub blogged they are creating SBOMs in SPDX format

Adolfo
 

I noticed this too!
Yesterday I got in contact with GitHub security and got the name of the person to talk to about suggesting improvements. I wrote to them and offered to help improve it myself if it has an open source backend, or at least to create some issues suggesting those improvements.

On Thu, Mar 30, 2023 at 10:32 AM Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...> wrote:


Re: GitHub blogged they are creating SBOMs in SPDX format

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Hi,

 

Try Export SBOM at:

https://github.com/nexB/license-expression/network/dependencies

 

Best regards,

 

Marc-Etienne

 

From: William Bartholomew (CELA) <willbar@...>
Sent: Thursday, March 30, 2023 6:52 PM
To: spdx@...
Cc: Marc-Etienne Vargenau (Nokia) <marc-etienne.vargenau@...>
Subject: Re: GitHub blogged they are creating SBOMs in SPDX format

 


Re: GitHub blogged they are creating SBOMs in SPDX format

William Bartholomew (CELA)
 

We raised the first issue with them yesterday and they are working on it. Do you have more detail on the second?


From: spdx@... <spdx@...> on behalf of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) via lists.spdx.org <marc-etienne.vargenau=nokia.com@...>
Sent: Thursday, March 30, 2023 9:32:24 AM
To: spdx@... <spdx@...>
Cc: Marc-Etienne Vargenau (Nokia) <marc-etienne.vargenau@...>
Subject: [EXTERNAL] Re: [spdx] GitHub blogged they are creating SBOMs in SPDX format
 

Re: GitHub blogged they are creating SBOMs in SPDX format

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Hi,

 

I did some quick tests.

I always get invalid SPDX, mostly with “Empty license expression” and “No SPDX element found for SPDX ID” flagged by the validator.

 

Does anyone know where to file bugs?

 

Best regards,

 

Marc-Etienne

 

From: spdx@... <spdx@...> On Behalf Of Manbeck, Jack via lists.spdx.org
Sent: Wednesday, March 29, 2023 10:01 PM
To: SPDX-general <spdx@...>
Subject: [spdx] GitHub blogged they are creating SBOMs in SPDX format


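The two validator findings Marc-Etienne reports above can be reproduced offline. The script below is an added example (not part of this thread, and not GitHub's or the SPDX project's own code): it lints an SPDX 2.3 JSON document for empty license expressions and for relationships that reference an SPDX ID no element in the document declares, plus the identifier-shape check those IDs must pass. The SBOM embedded in it is constructed for the example, with both defects planted deliberately.

```python
"""Lint an SPDX 2.3 JSON document for two common defects:
empty license expressions and dangling SPDX ID references."""
import json
import re

# Constructed sample SBOM (not a real GitHub export). Two defects are
# planted: an empty licenseConcluded on "requests", and a DEPENDS_ON
# relationship that points at "SPDXRef-Package-pip-urllib3", which no
# package in the document declares.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-repo",
    "documentNamespace": "https://example.invalid/spdx/example-repo",
    "packages": [
        {"SPDXID": "SPDXRef-Package-root", "name": "example-repo",
         "downloadLocation": "NOASSERTION",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
        {"SPDXID": "SPDXRef-Package-pip-requests", "name": "requests",
         "versionInfo": "2.28.2", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "", "licenseDeclared": "Apache-2.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-root"},
        {"spdxElementId": "SPDXRef-Package-root", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-pip-requests"},
        {"spdxElementId": "SPDXRef-Package-root", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-pip-urllib3"},
    ],
})

# SPDX 2.3 restricts element identifiers to "SPDXRef-" plus letters, digits, "." and "-".
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
LICENSE_FIELDS = ("licenseConcluded", "licenseDeclared")


def declared_ids(doc):
    """Every SPDX ID the document itself declares (document, packages, files, snippets)."""
    ids = {doc.get("SPDXID", "SPDXRef-DOCUMENT")}
    for section in ("packages", "files", "snippets"):
        for element in doc.get(section, []):
            ids.add(element["SPDXID"])
    return ids


def lint(doc):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    known = declared_ids(doc)

    for spdx_id in sorted(known):
        if not SPDX_ID_RE.match(spdx_id):
            findings.append(f"{spdx_id}: malformed SPDX ID")

    # A missing license field is allowed in 2.3 (the fields are optional) and
    # NOASSERTION / NONE are valid values; only an empty string is wrong.
    for pkg in doc.get("packages", []):
        for field in LICENSE_FIELDS:
            value = pkg.get(field)
            if value is not None and not value.strip():
                findings.append(f"{pkg['SPDXID']}: empty license expression in {field}")

    for rel in doc.get("relationships", []):
        for side in ("spdxElementId", "relatedSpdxElement"):
            ref = rel[side]
            if ref in ("NONE", "NOASSERTION"):
                continue  # permitted placeholders
            if ref.startswith("DocumentRef-"):
                continue  # reference into an external document; not resolvable here
            if ref not in known:
                findings.append(
                    f"{rel['spdxElementId']} {rel['relationshipType']} "
                    f"{rel['relatedSpdxElement']}: no SPDX element found for SPDX ID {ref}"
                )
    return findings


def lint_json(text):
    """Parse an SPDX JSON document from a string and lint it."""
    return lint(json.loads(text))


if __name__ == "__main__":
    for finding in lint_json(SAMPLE_SBOM):
        print(finding)
```

Only references inside the document are resolved; a `DocumentRef-` prefix points into an external document and is skipped rather than reported. The SPDX project's own validators check far more than these three rules, so this is a quick triage of an exported file, not a substitute for them.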

Re: SPDXMerge Tool #spdx

Joseph Silvia
 

This is awesome thank you Sandeep!

 

Joseph D. Silvia
Director Software Quality Training and Consulting
Oriel STAT A MATRIX | Improving Workplace Performance Since 1968

1055 Thomas Jefferson St. NW, Suite 304

Washington, DC 20007

Office: 732.906.6142 | Mobile: 781.526.5636 | jsilvia@...

View Our Training Catalog

Follow us: LinkedIn | Blog orielstat.com

 


From: spdx@... <spdx@...> On Behalf Of Gary O'Neall
Sent: Wednesday, March 29, 2023 3:29 PM
To: spdx@...
Subject: Re: [spdx] SPDXMerge Tool #spdx

 



Re: SPDXMerge Tool #spdx

Gary O'Neall
 

Thanks Sandeep,

 

Excellent contribution to the community!

 

Gary

 

From: spdx@... <spdx@...> On Behalf Of Rose Judge via lists.spdx.org
Sent: Wednesday, March 29, 2023 10:32 AM
To: spdx@...
Subject: Re: [spdx] SPDXMerge Tool #spdx

 



GitHub blogged they are creating SBOMs in SPDX format

Manbeck, Jack
 

Looks like GitHub has a self-service option to create SBOMs for a GitHub Project based on SPDX!

See this blog from them.

 

Best Regards,

 

Jack Manbeck

Outreach Chair

 

 


Re: SPDXMerge Tool #spdx

Rose Judge
 

Hi Sandeep,

 

Very cool! FYI, This is very similar to a tool Ivana and I recently developed and donated to the opensbom org: https://github.com/opensbom-generator/sbom-composer 😊

 

-Rose

 

 

 

 

 

From: spdx@... <spdx@...> on behalf of Patil, Sandeep via lists.spdx.org <sandeep.patil=philips.com@...>
Date: Wednesday, March 29, 2023 at 9:33 AM
To: spdx@... <spdx@...>
Subject: [spdx] SPDXMerge Tool #spdx



Re: SPDXMerge Tool #spdx

Kate Stewart
 

Very cool Sandeep!

Thanks for sharing this!

On Wed, Mar 29, 2023 at 11:33 AM Patil, Sandeep via lists.spdx.org <sandeep.patil=philips.com@...> wrote:


SPDXMerge Tool #spdx

Patil, Sandeep
 

Hi All,

We are excited to announce that we have open sourced our SBoM Merge tool on GitHub. This tool allows you to merge multiple Software Bills of Materials (SBOMs) into a single SBOM file in SPDX format. It provides shallow and deep merge options. This can help you gain a comprehensive view of the components and dependencies used in your software projects, as well as their licensing and security status. You can use this tool to merge SBOMs from different file formats, such as SPDX, SWID Tagging. You can find the source code and documentation on our GitHub repository:
philips-software/SPDXMerge: SPDX Merge tool (github.com).

 

We welcome your feedback and contributions!



Regards
Sandeep

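The announcement above describes shallow and deep merge options. The script below is an added example of what those two modes have to get right, written for this page and not taken from SPDXMerge or sbom-composer: every input's SPDX IDs are re-prefixed so that two SBOMs which both use a local ID such as `SPDXRef-requests` do not collide, every relationship is rewired to the new IDs, and in deep mode packages with the same name, version and download location are collapsed into one element. The two input SBOMs are constructed for the example, and the creator string `Tool: spdx-merge-example` is a hypothetical tool name.

```python
"""Merge several SPDX 2.3 JSON documents into one, keeping every
relationship intact and every SPDX ID unique."""
import json
from datetime import datetime, timezone


def _make_doc(name, packages, relationships):
    # Helper to build the constructed inputs below; not an SPDX API.
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT", "name": name,
        "documentNamespace": f"https://example.invalid/spdx/{name}",
        "packages": packages, "relationships": relationships,
    }


def _pkg(spdx_id, name, version):
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version,
            "downloadLocation": "NOASSERTION"}


def _rel(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}


# Constructed inputs: two SBOMs that both carry requests 2.28.2 and both
# reuse the local ID "SPDXRef-requests", which would collide in a naive
# concatenation.
DOC_A = _make_doc(
    "app-a",
    [_pkg("SPDXRef-app-a", "app-a", "1.0.0"), _pkg("SPDXRef-requests", "requests", "2.28.2")],
    [_rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-app-a"),
     _rel("SPDXRef-app-a", "DEPENDS_ON", "SPDXRef-requests")])
DOC_B = _make_doc(
    "app-b",
    [_pkg("SPDXRef-app-b", "app-b", "2.1.0"), _pkg("SPDXRef-requests", "requests", "2.28.2"),
     _pkg("SPDXRef-urllib3", "urllib3", "1.26.14")],
    [_rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-app-b"),
     _rel("SPDXRef-app-b", "DEPENDS_ON", "SPDXRef-requests"),
     _rel("SPDXRef-app-b", "DEPENDS_ON", "SPDXRef-urllib3")])


def _identity(pkg):
    """What makes two packages 'the same' for a deep merge."""
    return (pkg["name"], pkg.get("versionInfo", ""), pkg.get("downloadLocation", "NOASSERTION"))


def merge_documents(docs, name, namespace, deep=True):
    """Shallow merge: every package from every input is kept, its SPDX ID
    prefixed by the index of its source document so IDs cannot collide.
    Deep merge: additionally, packages with the same identity across inputs
    are collapsed into one element and all relationships are rewired to it."""
    merged = {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT", "name": name, "documentNamespace": namespace,
        "creationInfo": {
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": ["Tool: spdx-merge-example"],  # hypothetical tool name
        },
        "packages": [], "relationships": [],
    }
    seen = {}  # identity -> merged SPDX ID (deep merge only)
    for index, doc in enumerate(docs):
        # Each input's own document element becomes the merged document, so
        # every DESCRIBES relationship now hangs off the merged root.
        mapping = {doc.get("SPDXID", "SPDXRef-DOCUMENT"): "SPDXRef-DOCUMENT"}
        for pkg in doc.get("packages", []):
            key = _identity(pkg)
            if deep and key in seen:
                mapping[pkg["SPDXID"]] = seen[key]
                continue
            local = pkg["SPDXID"]
            if local.startswith("SPDXRef-"):
                local = local[len("SPDXRef-"):]
            new_id = f"SPDXRef-src{index}-{local}"
            mapping[pkg["SPDXID"]] = new_id
            merged["packages"].append(dict(pkg, SPDXID=new_id))  # copy; inputs stay untouched
            if deep:
                seen[key] = new_id
        for rel in doc.get("relationships", []):
            rewired = dict(
                rel,
                spdxElementId=mapping.get(rel["spdxElementId"], rel["spdxElementId"]),
                relatedSpdxElement=mapping.get(rel["relatedSpdxElement"], rel["relatedSpdxElement"]),
            )
            if rewired not in merged["relationships"]:
                merged["relationships"].append(rewired)
    ids = [p["SPDXID"] for p in merged["packages"]]
    assert len(ids) == len(set(ids)), "merged SPDX IDs must be unique"
    return merged


if __name__ == "__main__":
    result = merge_documents([DOC_A, DOC_B], "merged", "https://example.invalid/spdx/merged")
    print(json.dumps(result, indent=2))
```

The identity used for deep merging is deliberately narrow (name, version, download location); collapsing on name alone would silently fold two different versions of a library into one element and hide exactly the version a vulnerability scanner needs to see.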

Re: SPDX in GSoC 2023!

akshatcoder@...
 

Hello all,
Akshat this side.
It's great to see SPDX again in the GSoC 2023!
I am looking to contribute to the Specification Generator.
I have gone through the SPEC Parser repository. Kindly help me get started with contributing to it.


Re: SPDX Generator with RefIDs and package hierarchy

Nisha Kumar
 

I honestly thought the original question was about SPDX's format itself and not about tools used in certain situations.

From my side, tern does a good job of generating SPDX docs for containers. But I am not aware of any open source tools that are a "one solution".

nisha
On 3/16/23 11:18, Gary O'Neall wrote:


Re: SPDX Generator with RefIDs and package hierarchy

Gary O'Neall
 

Hi Daniel,

 

I’m not sure I agree if you include commercial and open source tools.  If you’re generating the information primarily from package manifests, there are a few tools out there that generate SPDX documents across a wide variety of ecosystems.

 

Have you reviewed the tools referenced on spdx.dev/tools?  It includes a list of open source tools and a list of commercial tools.

 

Is your question restricted to open source tools?  Also, to help understand what you’re looking for, can you let us know which tools that generate CycloneDX SBOMs you’re referring to?

 

I’m a bit surprised that more tool maintainers didn’t reply earlier beyond what Anthony and I provided.  I didn’t want to speak for them, but I’m pretty sure there are some tools maintained by folks on this distribution list that at least partially provide what you’re looking for.

 

Gary

 

 

From: spdx@... <spdx@...> On Behalf Of daniel@...
Sent: Thursday, March 16, 2023 7:40 AM
To: spdx@...
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy

 


Re: SPDX Generator with RefIDs and package hierarchy

Dick Brooks
 

Richard,

REA has effectively used SPDX and CycloneDX SBOM formats to conduct software supply chain risk assessments since 2021. I suggest using the latest SPDX SBOM version, 2.3.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

-----Original Message-----
From: spdx@... <spdx@...> On Behalf Of Richard Hughes
Sent: Thursday, March 16, 2023 11:57 AM
To: spdx@...
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy


Re: SPDX Generator with RefIDs and package hierarchy

Richard Hughes
 

On Thu, 16 Mar 2023 at 14:40, <daniel@...> wrote:
but we're also looking to support SPDX as well.
Is SPDX actually useful as an SBoM specification? I tried to add support into uSWID a few months ago and it was totally underspecified compared to SWID.

Richard.


Re: SPDX Generator with RefIDs and package hierarchy

daniel@...
 

So just to confirm with the community:

There is no single generator that can generate SPDX SBOMs, with dependency hierarchies, across different ecosystems (Python, Go, etc.) and for both containers & filesystems? The open-sbom-generator seems to work for filesystems, but not for containers. 

The closest we've found are one or two tools that only generate CycloneDX SBOMs, but we're also looking to support SPDX as well. 

Daniel
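Daniel's question is about generators that emit a dependency hierarchy rather than a flat list. In SPDX 2.x that hierarchy is not nested inside the packages section; it is encoded as DEPENDS_ON (or the inverse DEPENDENCY_OF) relationships, so a flat SBOM and a hierarchical one can have identical package lists. The script below is an added example for this page, not code from any tool named in the thread: it rebuilds the tree from the relationships, starting at whatever the document DESCRIBES, and gives a quick yes/no on whether a generator's output carries a hierarchy at all. The SBOM in it is constructed for the example.

```python
"""Rebuild the dependency tree an SPDX 2.3 JSON document encodes in its
relationships section, and report whether it has one at all."""
from collections import defaultdict

# Constructed sample with a three-level hierarchy. The last relationship
# is written as DEPENDENCY_OF rather than DEPENDS_ON, as some generators do.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-requests", "name": "requests", "versionInfo": "2.28.2"},
        {"SPDXID": "SPDXRef-urllib3", "name": "urllib3", "versionInfo": "1.26.14"},
        {"SPDXID": "SPDXRef-certifi", "name": "certifi", "versionInfo": "2022.12.7"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-requests"},
        {"spdxElementId": "SPDXRef-requests", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-urllib3"},
        {"spdxElementId": "SPDXRef-certifi", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-requests"},
    ],
}


def dependency_edges(doc):
    """Map each SPDX ID to the IDs it depends on, normalising DEPENDENCY_OF."""
    edges = defaultdict(list)
    for rel in doc.get("relationships", []):
        kind = rel["relationshipType"]
        if kind == "DEPENDS_ON":
            edges[rel["spdxElementId"]].append(rel["relatedSpdxElement"])
        elif kind == "DEPENDENCY_OF":
            edges[rel["relatedSpdxElement"]].append(rel["spdxElementId"])
    return edges


def roots(doc):
    """The top-level packages: whatever the document element DESCRIBES."""
    doc_id = doc.get("SPDXID", "SPDXRef-DOCUMENT")
    return [rel["relatedSpdxElement"] for rel in doc.get("relationships", [])
            if rel["spdxElementId"] == doc_id and rel["relationshipType"] == "DESCRIBES"]


def has_hierarchy(doc):
    """False for a flat SBOM that lists packages but carries no dependency edges."""
    return bool(dependency_edges(doc))


def dependency_tree(doc):
    """Render the hierarchy as indented 'name version' lines, one per node.
    A reference no package declares is marked, and a cycle is cut rather
    than followed forever."""
    edges = dependency_edges(doc)
    labels = {}
    for pkg in doc.get("packages", []):
        version = pkg.get("versionInfo")
        labels[pkg["SPDXID"]] = pkg["name"] + (f" {version}" if version else "")
    lines = []

    def walk(node, depth, path):
        label = labels.get(node, f"{node} (undeclared)")
        if node in path:
            lines.append("  " * depth + label + " (cycle)")
            return
        lines.append("  " * depth + label)
        for child in edges.get(node, []):
            walk(child, depth + 1, path | {node})

    for root in roots(doc):
        walk(root, 0, frozenset())
    return lines


if __name__ == "__main__":
    print("\n".join(dependency_tree(SAMPLE_SBOM)))
```

Run against a generator's output, an empty result from `has_hierarchy` means the tool produced a flat inventory even if its package list looks complete; a tree with many `(undeclared)` leaves means the relationships point at IDs the packages section never defines, which is the same class of defect the validator flagged earlier in this thread.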