SPDX Generator with RefIDs and package hierarchy


daniel@...
 

All,
I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refID's for the overall asset (documentDescribes), and (2) have package dependency hierarchy information, i.e. something that I could use to build a tree visualization of how the software dependencies are introduced into the main piece of software?

Thanks,
Daniel


Gary O'Neall
 

Hi Daniel,

 

I take it by refID you’re referring to the SPDX ID for the packages.

 

There are a few tools out there that can build SBOMs with the dependency maps.  You can find information on some of the tools here: https://spdx.dev/resources/tools/ - but I’ll admit this page may not be completely up to date and doesn’t answer your question specifically.

 

I will point to one of the tools I maintain – the SPDX Maven Plugin.  This provides a “documentDescribes” SPDX Package for the package being built by Maven and dependency information for all Packages referenced.  By default, transitive dependencies are included in the SBOM – but there is an option to turn that off and only include the top level dependencies.

 

I believe the opensbom-generator also produces SBOMs with the dependency information – but those on this email list maintaining this repo can correct me if I’m wrong.

 

Others – feel free to chime in with other tools.

 

Regards,
Gary

 



Anthony Harrison
 

Daniel

Have a look at SBOM4Python which generates an SBOM for an installed python module including all of its dependencies (direct or indirect). And look at SBOM2dot which generates a DOT file for producing a graph of the dependencies.

Both applications are available on PyPi.

Regards

Anthony 

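The tree Daniel asks for can be built directly from the SPDX document itself: the `documentDescribes` entry (or the `DESCRIBES` relationship from the document element) names the root package, and `DEPENDS_ON` / `DEPENDENCY_OF` relationships give the edges. The following is an added example, not code from SBOM4Python, SBOM2dot or any other tool mentioned in this thread. It assumes the SPDX 2.3 JSON layout (`SPDXID`, `packages`, `relationships`, `documentDescribes`), builds a nested dependency tree from a constructed sample SBOM, checks that every referenced SPDX ID is actually declared (a dangling reference means the SBOM is incomplete and the tree would be misleading), and emits DOT in the spirit of what SBOM2dot does:

```python
"""Build a dependency tree and a DOT graph from an SPDX 2.3 JSON document.

Added example; not taken from any tool named in the thread. Assumes the
SPDX 2.x JSON layout: top-level "documentDescribes", "packages" entries
with "SPDXID"/"name"/"versionInfo", and "relationships" that use the
DESCRIBES, DEPENDS_ON and DEPENDENCY_OF relationship types.
"""
import json
from collections import defaultdict

# Constructed sample SPDX 2.3 document (not a real SBOM): an application with
# two direct dependencies, one of which pulls in a transitive dependency that
# is expressed with the inverse DEPENDENCY_OF relationship.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentDescribes": ["SPDXRef-Package-app"],
  "packages": [
    {"SPDXID": "SPDXRef-Package-app",      "name": "example-app", "versionInfo": "1.0.0"},
    {"SPDXID": "SPDXRef-Package-requests", "name": "requests",    "versionInfo": "2.28.2"},
    {"SPDXID": "SPDXRef-Package-urllib3",  "name": "urllib3",     "versionInfo": "1.26.15"},
    {"SPDXID": "SPDXRef-Package-click",    "name": "click",       "versionInfo": "8.1.3"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT",        "relationshipType": "DESCRIBES",     "relatedSpdxElement": "SPDXRef-Package-app"},
    {"spdxElementId": "SPDXRef-Package-app",     "relationshipType": "DEPENDS_ON",    "relatedSpdxElement": "SPDXRef-Package-requests"},
    {"spdxElementId": "SPDXRef-Package-app",     "relationshipType": "DEPENDS_ON",    "relatedSpdxElement": "SPDXRef-Package-click"},
    {"spdxElementId": "SPDXRef-Package-urllib3", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-Package-requests"}
  ]
}
"""


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_SPDX_JSON)


def _collect(doc):
    """Return (roots, edges, packages); edges maps parent SPDXID -> child SPDXIDs."""
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    roots = list(doc.get("documentDescribes", []))
    edges = defaultdict(list)
    for rel in doc.get("relationships", []):
        src, typ, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if typ == "DESCRIBES" and src == doc.get("SPDXID") and dst not in roots:
            roots.append(dst)                 # same meaning as documentDescribes
        elif typ == "DEPENDS_ON":
            edges[src].append(dst)            # src depends on dst
        elif typ == "DEPENDENCY_OF":
            edges[dst].append(src)            # inverse: src is a dependency of dst
    return roots, edges, packages


def dangling_references(doc):
    """SPDX IDs used as a root or in an edge but never declared as a package."""
    roots, edges, packages = _collect(doc)
    referenced = roots + list(edges) + [c for cs in edges.values() for c in cs]
    seen, missing = set(), []
    for ref in referenced:
        if ref not in packages and ref not in seen:
            seen.add(ref)
            missing.append(ref)
    return missing


def dependency_tree(doc):
    """Nested dict {root: {child: {grandchild: {}}}}; cycles are cut on revisit."""
    missing = dangling_references(doc)
    if missing:
        raise ValueError(f"SBOM references undeclared elements: {missing}")
    roots, edges, _ = _collect(doc)

    def walk(node, path):
        return {c: ({} if c in path else walk(c, path | {c})) for c in edges.get(node, [])}

    return {r: walk(r, {r}) for r in roots}


def to_dot(doc):
    """Render the dependency graph as Graphviz DOT, root packages drawn as boxes."""
    roots, edges, packages = _collect(doc)

    def label(spdxid):
        p = packages[spdxid]
        return f'{p["name"]} {p.get("versionInfo", "")}'.strip()

    lines = ["digraph sbom {"]
    lines += [f'  "{label(r)}" [shape=box];' for r in roots]
    for parent, children in edges.items():
        lines += [f'  "{label(parent)}" -> "{label(c)}";' for c in children]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    doc = load_sample()
    print(json.dumps(dependency_tree(doc), indent=2))
    print(to_dot(doc))
```

Pipe the DOT output into `dot -Tsvg` to get the picture; the `dangling_references` check is the part worth keeping in any SBOM intake pipeline, since a generator that emits a `documentDescribes` ID or a relationship endpoint without the matching package record produces a tree with silent holes.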


daniel@...

So just to confirm with the community:

There is no single generator that can generate SPDX SBOMs, with dependency hierarchies, across different ecosystems (Python, Go, etc.) and for both containers & filesystems? The open-sbom-generator seems to work for filesystems, but not for containers. 

The closest we've found are one or two tools that only generate CycloneDX SBOMs, but we're also looking to support SPDX as well. 

Daniel


Richard Hughes
 

On Thu, 16 Mar 2023 at 14:40, <daniel@...> wrote:
but we're also looking to support SPDX as well.
Is SPDX actually useful as an SBoM specification? I tried to add
support into uSWID a few months ago and it was totally underspecified
compared to SWID.

Richard.


Dick Brooks
 

Richard,

REA has effectively used SPDX and CycloneDX SBOM formats to conduct software supply chain risk assessments since 2021. I suggest using the latest SPDX SBOM version, 2.3.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788



Gary O'Neall
 

Hi Daniel,

 

I’m not sure I agree if you include commercial and open source tools.  If you’re generating the information primarily from package manifests, there are a few tools out there that generate SPDX documents across a wide variety of ecosystems.

 

Have you reviewed the tools referenced on spdx.dev/tools?  It includes a list of open source tools and a list of commercial tools.

 

Is your question restricted to open source tools?  Also, to help understand what you’re looking for, can you let us know which tools that generate CycloneDX SBOMs you’re referring to?

 

I’m a bit surprised that more tool maintainers didn’t reply earlier beyond what Anthony and I provided.  I didn’t want to speak for them, but I’m pretty sure there are some tools maintained by folks on this distribution list that at least partially provide what you’re looking for.

 

Gary

 

 



Nisha Kumar
 

I honestly thought the original question was about SPDX's format itself and not about tools used in certain situations.

From my side tern does a good job in generating SPDX docs for containers. But I am not aware of any open source tools that are "one solution".

nisha