Hi Daniel,

 

I’m not sure I agree if you include commercial and open source tools.  If 
you’re generating the information primarily from package manifests, there are a 
few tools out there that generate SPDX documents across a wide variety of 
ecosystems.

 

Have you reviewed the tools referenced on spdx.dev/tools 
<https://spdx.dev/resources/tools/>?  It includes a list of open source tools 
<https://spdx.dev/tools-community/> and a list of commercial tools 
<https://spdx.dev/tools-commercial/>.

 

Is your question restricted to open source tools?  Also, to help understand 
what you’re looking for, can you let us know which tools that generate 
CycloneDX SBOMs you’re referring to?

 

I’m a bit surprised that more tool maintainers didn’t reply earlier beyond what 
Anthony and I provided.  I didn’t want to speak for them, but I’m pretty sure 
there are some tools maintained by folks on this distribution list that at least 
partially provide what you’re looking for.

 

Gary

 

 

From: [email protected] <[email protected]> On Behalf Of 
[email protected]
Sent: Thursday, March 16, 2023 7:40 AM
To: [email protected]
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy

 

[Edited Message Follows]

So just to confirm with the community:

There is no single generator that can generate SPDX SBOMs, with dependency 
hierarchies, across different ecosystems (Python, Go, etc.) and for both 
containers & filesystems? The open-sbom-generator seems to work for 
filesystems, but not for containers. 

The closest we've found are one or two tools that only generate CycloneDX 
SBOMs, but we're also looking to support SPDX as well. 

Daniel 




