Hi Daniel,

I take it by refID you’re referring to the SPDX ID for the packages.

There are a few tools out there that can build SBOMs with the dependency maps.
You can find information on some of the tools here:
https://spdx.dev/resources/tools/ - but I’ll admit this page may not be
completely up to date and doesn’t answer your question specifically.

I will point to one of the tools I maintain – the SPDX Maven Plugin
<https://github.com/spdx/spdx-maven-plugin>. This provides a
“documentDescribes” SPDX Package for the package being built by Maven and
dependency information for all Packages referenced. By default, transitive
dependencies are included in the SBOM – but there is an option to turn that off
and only include the top level dependencies.

I believe the opensbom-generator
<https://github.com/opensbom-generator/spdx-sbom-generator> also produces
SBOMs with the dependency information – but those on this email list
maintaining this repo can correct me if I’m wrong.

Others – feel free to chime in with other tools.

Regards,
Gary

From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: Thursday, March 9, 2023 10:39 AM
To: [email protected]
Subject: [spdx] SPDX Generator with RefIDs and package hierarchy


All,
I feel like I'm missing something obvious here, but which SBOM generators
actually generate SPDX SBOMs that (1) have refIDs for the overall asset
(documentDescribes), and (2) have package dependency hierarchy information,
i.e. something that I could use to build a tree visualization of how the
software dependencies are introduced into the main piece of software?

Thanks,
Daniel
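The two things asked for above, the `documentDescribes` root and the package hierarchy, are both plain data in an SPDX 2.3 JSON document, so a tree view can be built directly from `packages` and the `DEPENDS_ON` / `DEPENDENCY_OF` relationships. The script below is an added illustration, not code from the SPDX project, the SPDX Maven Plugin or the opensbom-generator; the SBOM it parses is constructed for the example. It walks the graph from the described package, marks cycles, and reports packages that are declared but never reached from the root, which is a useful sanity check on any generator's output.

```python
"""Build a dependency tree from an SPDX 2.3 JSON SBOM.

Added example, not from the SPDX project or any generator named in the
thread. The SBOM text below is constructed for this illustration.
"""
import json
from collections import defaultdict

# Constructed SPDX 2.3 document: one application with transitive dependencies
# and one declared-but-unreferenced package.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentDescribes": ["SPDXRef-Package-app"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-web", "name": "web-framework", "versionInfo": "4.2.1"},
        {"SPDXID": "SPDXRef-Package-json", "name": "json-parser", "versionInfo": "2.9.0"},
        {"SPDXID": "SPDXRef-Package-log", "name": "logging-lib", "versionInfo": "1.7.3"},
        {"SPDXID": "SPDXRef-Package-orphan", "name": "unused-lib", "versionInfo": "0.1.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-web"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-log"},
        {"spdxElementId": "SPDXRef-Package-web", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-json"},
        {"spdxElementId": "SPDXRef-Package-web", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-log"},
        # Some generators record the inverse direction; treat it as json -> log.
        {"spdxElementId": "SPDXRef-Package-log", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-json"},
    ],
})


def load_graph(sbom_text):
    """Return (packages by SPDXID, adjacency map, root SPDXIDs)."""
    doc = json.loads(sbom_text)
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    edges = defaultdict(set)
    roots = list(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        src, kind, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if kind == "DEPENDS_ON":
            edges[src].add(dst)
        elif kind == "DEPENDENCY_OF":          # inverse edge: dst depends on src
            edges[dst].add(src)
        elif kind == "DESCRIBES" and src == doc["SPDXID"] and dst not in roots:
            roots.append(dst)                  # DESCRIBES is the relationship form of documentDescribes
    return packages, edges, roots


def label(packages, spdx_id):
    pkg = packages.get(spdx_id)
    if pkg is None:
        return f"{spdx_id} (not declared in packages)"
    return f"{pkg['name']}@{pkg.get('versionInfo', '?')} [{spdx_id}]"


def render_tree(packages, edges, root):
    """Depth-first tree as indented lines; a node already on the path is a cycle."""
    lines = []

    def walk(node, depth, path):
        cycle = node in path
        lines.append("  " * depth + label(packages, node) + (" (cycle)" if cycle else ""))
        if cycle:
            return
        for child in sorted(edges.get(node, ())):
            walk(child, depth + 1, path | {node})

    walk(root, 0, frozenset())
    return lines


def unreachable_packages(packages, edges, roots):
    """Declared packages that no path from a described root reaches."""
    seen, stack = set(), list(roots)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return sorted(set(packages) - seen)


if __name__ == "__main__":
    pkgs, deps, roots = load_graph(SAMPLE_SBOM)
    for root in roots:
        print("\n".join(render_tree(pkgs, deps, root)))
    print("unreachable:", unreachable_packages(pkgs, deps, roots))
```

Transitive dependencies appear as repeated subtrees (logging-lib shows up under both the application and web-framework), which is what a tree visualization of "how dependencies are introduced" needs; the unreachable list is empty for a generator that only emits packages it actually links to the root.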

View/Reply Online (#1635): https://lists.spdx.org/g/spdx/message/1635