Hi everyone, I’m Suman, currently exploring the SPDX ecosystem and particularly interested in SBOM tooling and validation, especially in the context of the GSoC ideas around SPDX 3.0/3.1.
I’ve been working with Go and cloud-native systems, and recently started building a small CLI project (chainrisk) focused on supply-chain risk analysis for container ecosystems.

While going through the SPDX repositories, I noticed that:

* tools-golang supports SPDX 2.x
* spdx-go-model provides low-level bindings for SPDX 3.x

but there doesn’t seem to be high-level Go tooling yet for SPDX 3.x (e.g., parsing, validation, or developer-friendly APIs).

I wanted to ask:

* Would extending Go support for SPDX 3.x (building higher-level tooling on top of existing bindings) be considered a valuable direction for the community, particularly in the context of the SBOM conformance checker project?
* Or is the expectation to primarily build on top of the existing Python/Java ecosystem for such tooling?

I’m particularly interested in exploring a Go-based approach that integrates well with cloud-native workflows (CLI tools, CI/CD pipelines), and wanted to check if this direction aligns with current priorities.

Looking forward to your guidance and happy to start contributing in this area.

Thanks!

— Suman Mandal
GitHub: https://github.com/jijo-OO7
