Hi Luis,

If you are looking for validation against spec - https://github.com/spdx/tools-python is the best (might need getting used to with the result of the format)

If you are looking for NTIA / Regulatory confirmation, the options are -
a) https://github.com/spdx/ntia-conformance-checker
b) https://github.com/interlynk-io/sbomqs
c) https://github.com/eBay/sbom-scorecard
d) https://github.com/anthonyharrison/sbomaudit

Of course, I am biased towards our tool - sbomqs, and we have also kept it up to date with new regulations such as BSI's SBOM requirements. However, all of the above tools work well in listing conformance issues.

Thanks
Surendra

On Fri, Jun 21, 2024 at 10:46 AM Dick Brooks via lists.spdx.org <dick= [email protected]> wrote:

> BCG uses the online tool and recommends that US Gov entities use the online
> tools to validate SBOMs (both SPDX and CycloneDX) as part of the CISA secure
> software risk assessment process (RSAA portal SBOMs)
>
> Thanks,
>
> Dick Brooks
>
> Active Member of the CISA Critical Manufacturing Sector,
> Sector Coordinating Council - A Public-Private Partnership
>
> Never trust software, always verify and report! ™
> https://businesscyberguardian.com/
> Email: [email protected]
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Gary O'Neall
> Sent: Friday, June 21, 2024 1:41 PM
> To: [email protected]
> Subject: Re: [spdx] Validating SPDX files - looking for a tool
>
> Hi Luis,
>
> Both the Python tools [1] and the Java tools [2] are supported by the SPDX
> community and can validate SPDX files.
> There is also an online tool validator [3] which uses the Java tools on the
> server.
>
> Best,
> Gary
>
> [1] https://github.com/spdx/tools-python
> [2] https://github.com/spdx/tools-java
> [3] https://tools.spdx.org/app/validate/
>
> > -----Original Message-----
> > From: [email protected] <[email protected]> On Behalf Of Luis Soeiro
> > Sent: Friday, June 21, 2024 2:19 AM
> > To: [email protected]
> > Subject: [spdx] Validating SPDX files - looking for a tool
> >
> > Hello
> >
> > I'm looking for an open source command line tool that could
> > validate a SPDX file. On the following page:
> >
> > https://spdx.dev/use/tools/open-source-tools/
> >
> > There are some tools listed, but is there an official tool or
> > one that is recommended?
> >
> > If not, which ones could you recommend?
> >
> > Thanks,
> >
> > Luis

View/Reply Online (#1863): https://lists.spdx.org/g/spdx/message/1863
