Hi Daniel,
I’m not sure I agree if you include commercial and open source tools. If you’re generating the information primarily from package manifests, there are a few tools out there that generate SPDX documents across a wide variety of ecosystems. Have you reviewed the tools referenced on spdx.dev/tools <https://spdx.dev/resources/tools/> ? It includes a list of open source tools <https://spdx.dev/tools-community/> and a list of commercial tools <https://spdx.dev/tools-commercial/> . Is your question restricted to open source tools? Also, to help understand what you’re looking for, can you let us know which tools that generate CycloneDX SBOM’s you’re referring to? I’m a bit surprised that more tool maintainers didn’t reply earlier beyond what Anthony and I provided. I didn’t want to speak for them, but I’m pretty sure there as some tools maintained by folks on this distribution list that at least partially provide what you’re looking for. Gary From: [email protected] <[email protected]> On Behalf Of [email protected] Sent: Thursday, March 16, 2023 7:40 AM To: [email protected] Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy [Edited Message Follows] So just to confirm with the community: There is no single generator that can generate SPDX SBOMs, with dependency hierarchies, across different ecosystems (Python, Go, etc.) and for both containers & filesystems? The open-sbom-generator seems to work for filesystems, but not for containers. The closest we've found are one or two tools that only generate CycloneDX SBOMs, but we're also looking to support SPDX as well. Daniel -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1640): https://lists.spdx.org/g/spdx/message/1640 Mute This Topic: https://lists.spdx.org/mt/97504626/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
