Many years ago, we had set up the Landscape infrastructure for SPDX: 
https://github.com/spdx/sbom-landscape

But we have not entered data on tools (apart from some initial ones), nor did 
we decide on categories or attributes that should be present.

-- zvr --
________________________________
From: [email protected] <[email protected]> on behalf of 
Martin, Robert A via lists.spdx.org <[email protected]>
Sent: Thursday, April 2, 2026 21:27
To: [email protected] Group <[email protected]>
Subject: FW: [EXT] Re: [spdx-ai] SPDX 3.0 tooling support - 10 and counting...

FYI - Bob

From: Andreas Fehlner <[email protected]>
Date: Thursday, April 2, 2026 at 1:42 PM
To: [email protected] <[email protected]>, [email protected] 
<[email protected]>, Stewart, Kate <[email protected]>
Cc: Robert A Martin <[email protected]>, [email protected] 
<[email protected]>
Subject: [EXT] Re: [spdx-ai] SPDX 3.0 tooling support - 10 and counting...


Hi Karen,

thanks for bringing this up. A blog post like the RGAF one sounds useful, and 
it might be worth thinking about a more interactive format too.

The CNCF Landscape (https://landscape.cncf.io/) does something similar for the 
cloud native ecosystem. It organizes tools and projects into categories with a 
visual overview, and the whole thing is open source 
(https://github.com/cncf/landscape2). It's become a go-to reference for people 
trying to find the right tool for their use case.

I'm planning to set up a similar landscape for ONNX to help the community 
navigate the ecosystem. If the SPDX community sees value in this kind of 
format, I'd be happy to contribute to an SPDX or SPDX-AI landscape as well.

Best,
Andreas

On 02.04.2026 at 17:48, Karen Bennet via lists.spdx.org wrote:
Thank you everyone. I also see that there are 12 SPDX tools for 3.0.1 (5 
still in development) that have been published, plus the ones that you passed 
along.

Gopi/Elyas, we might want to add your tool to the SPDX Tools in progress 
list (and then when it's published, it can be updated).

Another suggestion: for LF-A Working, Art, with feedback from many of us, 
created a blog post of their tools' table for the Responsible AI Framework. 
Here's a draft of the blog post coming out soon: RGAF Dimensions and Tools 
Table 
<https://docs.google.com/document/d/1Wli-4oaQ18ziRrD-0jrULPnUtm4CX96awHgjD885fV8/edit?usp=drive_link>.
We might want to do something similar for SPDX. What do you think, 
Art/Victor? Useful to share in this format?





On Wednesday, April 1, 2026 at 08:06:28 p.m. EDT, Kate Stewart 
<[email protected]> wrote:


And then there's Basil: 
https://github.com/elisa-tech/BASIL/releases/tag/v1.8.9 
which supports SPDX 3.0.1 as well.   :-)

On Wed, Apr 1, 2026 at 5:59 PM Kate Stewart via lists.spdx.org 
<[email protected]> wrote:
And here's another tool that can consume SPDX 3.0 to check for CVEs
https://github.com/bootlin/sbom-cve-check

Yocto is using it in their flow, and we're considering it for other projects as 
well.

Kate


On Wed, Apr 1, 2026 at 3:21 PM Martin, Robert A 
<[email protected]> wrote:

Hi Karen,

Regarding your question about who is implementing SPDX 3.0 from today's 
AI/Dataset Profile meeting.

The tools that are supporting 3.0 can be found at the bottom of this page - 
https://spdx.dev/use/spdx-tools/

Select "Version Support" of "3.0 Complete" and you'll get 7 tools - see below.

If you select "3.0 In Process" you'll get another 5 tools although I think some 
of them have finished and now support it as well.

Additionally:

  *   the Linux Kernel team tooling produces SPDX 3.0 
<https://lwn.net/Articles/1055009/>
  *   the Yocto Project's Bitbake tooling produces SPDX 3.0 
<https://patchwork.yoctoproject.org/project/oe-core/patch/[email protected]/>
  *   Microsoft's Open Source "SBOM Tool" produces SPDX 3.0 
<https://github.com/microsoft/sbom-tool>

Bob


BASIL – The FuSa Spice

BASIL is a tool designed to support companies working on safety-critical 
applications, where establishing traceability between software requirements, 
test specifications, test cases, software design, source code, and test results 
is mandatory.
It also supports exporting a Software Bill of Materials (SBOM) in the SPDX 
format.

Contact

https://elisa.tech/

SPDX verification

The SBOM is generated using the official spdx python module.

How to procure

BASIL is open source and maintained by ELISA, a Linux Foundation project. It is 
available at https://github.com/elisa-tech/BASIL.

Installation instructions

BASIL comes with helper scripts that simplify the deployment of the 
application using podman containers.
More information on how to set up the application is available at 
https://basil-the-fusa-spice.readthedocs.io/en/latest/how_to_run_it.html

Link to quick start guide

https://basil-the-fusa-spice.readthedocs.io/en/latest/

Classification

Produce/Build

Version Support

3.0 Complete

Website

https://elisa.tech/

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Black Duck SCA

Black Duck® software composition analysis (SCA) helps teams manage the 
security, quality, and license compliance risks that come from using open 
source and third-party code in applications. Manage software supply chain risks 
and make software bills of materials (SBOMs) part of the entire app lifecycle. 
Import SBOMs, automatically map dependencies, and document new components from 
custom or commercial dependencies. Export SPDX reports with standard or custom 
fields, automate SBOM generation, and monitor SBOM dependencies for emergent 
risks.

Contact

[email protected]

SPDX verification

Black Duck uses the https://github.com/spdx/Spdx-Java-Library to generate SPDX 
compliant SBOMs. The https://github.com/spdx/Spdx-Java-Library is used to 
validate that SBOMs imported into Black Duck meet the SPDX specifications. Logs 
and references to specific lines causing the verification to fail are available 
if the SBOM being imported does not pass verification.

How to procure

Visit 
https://www.blackduck.com/software-composition-analysis-tools/black-duck-sca.html 
for more information. Contact us to schedule a demo or with questions at 
https://www.blackduck.com/contact-sales.html

Installation instructions

Black Duck SCA may be run on-premises or as a hosted solution. Complete 
installation and use documentation may be found within the Black Duck SCA 
documentation. 
https://documentation.blackduck.com/bundle/bd-hub/page/Welcome.html

Link to quick start guide

https://documentation.blackduck.com/bundle/bd-hub/page/Welcome.html

Classification

Consume/Diff, Consume/Import, Produce/Analyze, Produce/Build, Produce/Edit, 
Transform/Merge, Transform/Translate

Version Support

2.2, 2.3, 3.0 Complete

Website
https://www.blackduck.com/software-composition-analysis-tools/black-duck-sca.html

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

clj-spdx

A Clojure wrapper around Spdx-Java-Library 
<https://github.com/spdx/Spdx-Java-Library>, plus some bespoke functionality 
(e.g. a canonicalising SPDX expression 
<https://spdx.github.io/spdx-spec/v3.0.1/annexes/spdx-license-expressions/> 
parser, regular expressions for matching individual SPDX listed identifiers 
and refs, etc.). This library provides idiomatic access to some of the SPDX 
functionality offered by the Spdx-Java-Library to Clojure developers.

Contact:

  *   [email protected]

SPDX verification

  *   This library uses Spdx-Java-Library 
<https://github.com/spdx/Spdx-Java-Library> v2.0.0, so it has (by extension) 
the same verification status as that library.

How to Procure

  *   The library is published to Clojars <https://www.clojars.org/>, the 
primary community Maven artifact repository for Clojure libraries. Any 
Maven-capable JVM-hosted language can consume the library from Clojars, though 
the library itself is only readily usable from other Clojure code (other 
JVM-hosted languages will need to manually initialise the Clojure runtime the 
library depends on).

Installation Instructions

  *   At the time of writing, the latest version of the library has a purl of 
pkg:maven/com.github.pmonks/[email protected]?repository_url=repo.clojars.org, 
which is equivalent to a Maven coordinate of 
com.github.pmonks/[email protected].

How this coordinate gets translated into a specific JVM build tool’s 
configuration varies – the Clojars page for the project has tool-specific 
instructions <https://www.clojars.org/com.github.pmonks/clj-spdx>.

Quick Start Guide

  *   https://github.com/pmonks/clj-spdx?tab=readme-ov-file#trying-it-out

Classification

Transform/Tool Support

Version Support

3.0 Complete

Website
https://github.com/pmonks/clj-spdx

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

FOSSology

FOSSology is an open source license compliance software system and toolkit 
allowing users to run license, copyright and export control scans from a REST 
API.

As a system, a database and web UI are provided to provide a compliance 
workflow.

As part of the toolkit multiple license scanners, copyright and export scanners 
are tools available to help with compliance activities.

SPDX verification

  *   NA

How to Procure

  *   https://github.com/fossology

Installation Instructions

  *   https://www.fossology.org/get-started/

Quick Start Guide

  *   https://www.fossology.org/get-started/basic-workflow/

Classification

Consume/Diff, Consume/View, Produce/Analyze, Transform/Merge, Transform/Tool 
Support, Transform/Translate

Version Support

2.1, 2.2, 3.0 Complete

Website
https://www.fossology.org/

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

lice-comb

A Clojure library for software license detection in the Clojure (Maven) 
ecosystem. It does this by combing through tools.deps and Leiningen 
dependencies (i.e. artifacts hosted on Maven repositories), directory 
structures, and JAR & ZIP files, attempting to detect what license(s) they 
reference and/or contain, and then normalising them into SPDX license 
expressions 
<https://spdx.github.io/spdx-spec/v3.0.1/annexes/spdx-license-expressions/>.

While the tool also performs “table stakes” license detection (SPDX license 
expression parsing, SPDX license text matching, etc.), the primary focus (and 
the bulk of the logic) instead focuses on the inherently difficult problem of 
canonicalising license names that appear in Maven project metadata. Because of 
historical limitations in the Maven Project Object Model (which pre-dates 
SPDX), Maven license name metadata is notoriously varied and low quality, and 
most existing SPDX tools in this space are general purpose (not Maven specific) 
and don’t handle this low quality data particularly well. Some tools rely on 
central repositories of community-curated license information for the Maven 
ecosystem (such as ClearlyDefined), but those systems have limitations in the 
Maven ecosystem too – for example ClearlyDefined does not yet support 
Clojars <https://github.com/clearlydefined/service/issues/1316>, 
despite it housing the vast majority of open source Clojure projects (~30,000 
distinct projects, at last count).

Contact

[email protected]

SPDX verification

This library indirectly (via clj-spdx <https://github.com/pmonks/clj-spdx>) 
uses Spdx-Java-Library <https://github.com/spdx/Spdx-Java-Library> v2.0.0, so 
it has (by extension) the same verification status as that library.

How to procure

The library is published to Clojars <https://www.clojars.org/>, the primary 
community Maven artifact repository for Clojure libraries. Any 
Maven-capable JVM-hosted language can consume the library from Clojars, though 
the library itself is only readily usable from other Clojure code (other 
JVM-hosted languages will need to manually initialise the Clojure runtime the 
library depends on).

Installation instructions

At the time of writing, the latest version of the library has a purl of 
pkg:maven/com.github.pmonks/[email protected]?repository_url=repo.clojars.org, 
which is equivalent to a Maven coordinate of 
com.github.pmonks/[email protected].

How this coordinate gets translated into a specific JVM build tool’s 
configuration varies – the Clojars page for the project has tool-specific 
instructions <https://www.clojars.org/com.github.pmonks/lice-comb>.

Link to quick start guide

https://github.com/pmonks/lice-comb?tab=readme-ov-file#trying-it-out

Classification

Produce/Analyze, Transform/Tool Support

Version Support

3.0 Complete

Website
https://github.com/pmonks/lice-comb

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

SysAuditor Suite

The SysAuditor is an operational set of tools designed to capture and utilize 
metadata related to systems, processes, and operations to build a comprehensive 
picture of IT organizations, applications, and systems environments.
SysAuditor Suite uses the SPDX 3.1 structure to capture and store metadata to 
create an inventory, such as hardware, software, relationships, and licenses on 
a device. This data can then be analysed for issues such as vulnerabilities and 
system weaknesses. The visualization tool provides a quick and easy way to 
review all the components, relationships while supporting enhancements and 
changes. SysAuditor combines multiple inventories into a collection to help 
define systems and auditing operations.

Contact

[email protected]

SPDX verification

Smart Talk Beacon Solutions Ltd. is a contributor to SPDX 3.1 as the lead for 
the development of hardware and the supply chain. We have developed a 
comprehensive knowledge of the design, implementation, and strategic direction 
of SPDX. As a member of the Tech Team working group, we engage with teams to 
help ensure SPDX remains a leading standard.
SysAuditor generates valid SPDX code based on Shacl2code.

How to procure

To procure SysAuditor, you need to contact [email protected].
We will help you define your needs and recommend tools and implementation.

Installation instructions

SysAuditor Suite is designed for operation on Linux-based environments. 
Installation is site-dependent based on need.

Quick Start

www.sysauditor.com

Classification

Consume/View, Produce/Analyze, Produce/Build, Produce/Edit, Transform/Merge

Version Support

3.0 Complete

Website
www.smarttalkbeacon.com

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Threatrix

Snippet level copy/paste & AI Code detection with 99.9% accuracy create 
dynamic, hyper-accurate SBOMs

Contact Email or URL

[email protected]

SPDX verification

Automated testing against specification for each version

How to procure

Free trial <https://app.threatrix.io/create-account>. Subscriptions with credit 
card or purchase order.

Installation instructions

installation not required for trial. CLI deploys in build server

Link to quick start guide

https://docs.threatrix.io/

Classification

Consume/Diff, Consume/Import, Consume/View, Produce/Analyze, Produce/Build, 
Produce/Edit, Transform/Tool Support, Transform/Translate

Version Support

2.2, 2.3, 3.0 Complete

Website
https://threatrix.io

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

--
Robert (Bob) Martin
Sr. Software and Supply Chain Assurance Principal Eng.
Cross Cutting Solutions and Innovation Dept
Cyber Solutions Innovation Center
MITRE Labs
MITRE Corporation
781-271-3001o
781-424-4095c


View/Reply Online (#1454): https://lists.spdx.org/g/Spdx-outreach/message/1454