SPDX Generator with RefIDs and package hierarchy
I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refID's for the overall asset (documentDescribes), and (2) have package dependency hierarchy information, i.e. something that I could use to build a tree visualization of how the software dependencies are introduced into the main piece of software?
Thanks,
Daniel
Hi Daniel,
I take it by refID you’re referring to the SPDX ID for the packages.
There are a few tools out that that can build SBOM’s with the dependency maps. You can find information on some of the tools here: https://spdx.dev/resources/tools/ - but I’ll admit this page may not be completely up to date and doesn’t answer your question specifically.
I will point to one of the tools I maintain – the SPDX Maven Plugin. This provides a “documentDescribes” SPDX Package for the package being built by Maven and dependency information for all Packages referenced. By default, transitive dependencies are included in the SBOM – but there is an option to turn that off and only include the top level dependencies.
I believe the opensbom-generator also produces SBOM’s with the dependency information – but those on this email list maintaining this repo can correct me if I’m wrong.
Other’s – feel free to chime in with other tools.
Regards,
Gary
Sent: Thursday, March 9, 2023 10:39 AM
To: spdx@...
Subject: [spdx] SPDX Generator with RefIDs and package hierarchy
All,
I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refID's for the overall asset (documentDescribes), and (2) have package dependency hierarchy information, i.e. something that I could use to build a tree visualization of how the software dependencies are introduced into the main piece of software?
Thanks,
Daniel
All,
I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refID's for the overall asset (documentDescribes), and (2) have package dependency hierarchy information, i.e. something that I could use to build a tree visualization of how the software dependencies are introduced into the main piece of software?
Thanks,
Daniel
There is no single generator that can generate SPDX SBOMs, with dependency hierarchies, across different ecosystems (Python, Go, etc.) and for both containers & filesystems? The open-sbom-generator seems to work for filesystems, but not for containers.
The closest we've found are one or two tools that only generate CycloneDX SBOMs, but we're also looking to support SPDX as well.
Daniel
REA has effectively used SPDX and CycloneDX SBOM formats to conduct software supply chain risk assessments since 2021. I suggest using the latest SPDX SBOM version, 2.3.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Richard Hughes
Sent: Thursday, March 16, 2023 11:57 AM
To: spdx@...
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy
On Thu, 16 Mar 2023 at 14:40, <daniel@...> wrote:
but we're also looking to support SPDX as well.Is SPDX actually useful as an SBoM specification? I tried to add support into uSWID a few months ago and it was totally underspecified compared to SWID.
Richard.
Hi Daniel,
I’m not sure I agree if you include commercial and open source tools. If you’re generating the information primarily from package manifests, there are a few tools out there that generate SPDX documents across a wide variety of ecosystems.
Have you reviewed the tools referenced on spdx.dev/tools? It includes a list of open source tools and a list of commercial tools.
Is your question restricted to open source tools? Also, to help understand what you’re looking for, can you let us know which tools that generate CycloneDX SBOM’s you’re referring to?
I’m a bit surprised that more tool maintainers didn’t reply earlier beyond what Anthony and I provided. I didn’t want to speak for them, but I’m pretty sure there as some tools maintained by folks on this distribution list that at least partially provide what you’re looking for.
Gary
Sent: Thursday, March 16, 2023 7:40 AM
To: spdx@...
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy
[Edited Message Follows]
So just to confirm with the community:
There is no single generator that can generate SPDX SBOMs, with dependency hierarchies, across different ecosystems (Python, Go, etc.) and for both containers & filesystems? The open-sbom-generator seems to work for filesystems, but not for containers.
The closest we've found are one or two tools that only generate CycloneDX SBOMs, but we're also looking to support SPDX as well.
Daniel
I honestly thought the original question was about SPDX's format itself and not about tools used in certain situations.
From my side tern does a good
job in generating SPDX docs for containers. But I am not aware of
any open source tools that are "one solution".
nisha
Hi Daniel,
I’m not sure I agree if you include commercial and open source tools. If you’re generating the information primarily from package manifests, there are a few tools out there that generate SPDX documents across a wide variety of ecosystems.
Have you reviewed the tools referenced on spdx.dev/tools? It includes a list of open source tools and a list of commercial tools.
Is your question restricted to open source tools? Also, to help understand what you’re looking for, can you let us know which tools that generate CycloneDX SBOM’s you’re referring to?
I’m a bit surprised that more tool maintainers didn’t reply earlier beyond what Anthony and I provided. I didn’t want to speak for them, but I’m pretty sure there as some tools maintained by folks on this distribution list that at least partially provide what you’re looking for.
Gary
From: spdx@... <spdx@...> On Behalf Of daniel@...
Sent: Thursday, March 16, 2023 7:40 AM
To: spdx@...
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy
[Edited Message Follows]
So just to confirm with the community:
There is no single generator that can generate SPDX SBOMs, with dependency hierarchies, across different ecosystems (Python, Go, etc.) and for both containers & filesystems? The open-sbom-generator seems to work for filesystems, but not for containers.
The closest we've found are one or two tools that only generate CycloneDX SBOMs, but we're also looking to support SPDX as well.
Daniel