Re: [spdx] SPDX Generator with RefIDs and package hierarchy

Fri, 17 Mar 2023 10:38:20 -0700

I honestly thought the original question was about SPDX's format itself and not about tools used in certain situations.
From my side tern <https://github.com/tern-tools/tern> does a good job in generating SPDX docs for containers. But I am not aware of any open source tools that are "one solution". 

nisha

On 3/16/23 11:18, Gary O'Neall wrote:


Hi Daniel,


I’m not sure I agree if you include commercial and open source tools.  
If you’re generating the information primarily from package manifests, 
there are a few tools out there that generate SPDX documents across a 
wide variety of ecosystems.



Have you reviewed the tools referenced on spdx.dev/tools 
<https://spdx.dev/resources/tools/>?  It includes a list of open 
source tools <https://spdx.dev/tools-community/> and a list of 
commercial tools <https://spdx.dev/tools-commercial/>.



Is your question restricted to open source tools?  Also, to help 
understand what you’re looking for, can you let us know which tools 
that generate CycloneDX SBOM’s you’re referring to?



I’m a bit surprised that more tool maintainers didn’t reply earlier 
beyond what Anthony and I provided.  I didn’t want to speak for them, 
but I’m pretty sure there as some tools maintained by folks on this 
distribution list that at least partially provide what you’re looking for.


Gary


*From:* [email protected] <[email protected]> *On Behalf Of 
*[email protected]

*Sent:* Thursday, March 16, 2023 7:40 AM
*To:* [email protected]
*Subject:* Re: [spdx] SPDX Generator with RefIDs and package hierarchy

[Edited Message Follows]

So just to confirm with the community:


There is no single generator that can generate SPDX SBOMs, with 
dependency hierarchies, across different ecosystems (Python, Go, etc.) 
and for both containers & filesystems? The open-sbom-generator seems 
to work for filesystems, but not for containers.



The closest we've found are one or two tools that only generate 
CycloneDX SBOMs, but we're also looking to support SPDX as well.


Daniel





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#1641): https://lists.spdx.org/g/spdx/message/1641
Mute This Topic: https://lists.spdx.org/mt/97504626/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
























					Reply via email to