Looks like GitHub has a self service option to create SBOMs for a GitHub Project based on SPDX!
See this blog from them.
Phil Odence, the Chair of SPDX, has written a very informative article on why you should use SPDX for security, and he goes on to address some of the common myths around SPDX. It was published on Linux.com.
After much hard work and anticipation, we are proud to announce that the SPDX Specification is now an ISO Standard! We want to thank everyone who helped make this happen. This represents a significant milestone for the project and will help industry adoption of standardized Software Bill of Materials.
Specification: ISO/IEC 5962:2021.
Our press release: SPDX Becomes Internationally Recognized Standard for Software Bill of Materials.
Although it has become an ISO Standard, we will continue to develop and evolve the SPDX specification in the open via our community using our GitHub Repository.
– SPDX Core Team
The Linux Foundation will be hosting a supply chain townhall virtually on August 18, 2021.
View this link for details: Linux Foundation Town Hall
There are a number of talks and rooms around SPDX at FOSSDEM 2021 February 6 and 7. See the software composition track: https://fosdem.org/2021/schedule/track/software_composition/
Greetings to the community,
We are excited about the hosting of the SPDX tools on a more robust and hopefully permanent platform. A new URL for the SPDX online tools is now available at https://tools.spdx.org.
We want to thank everyone for using the tools and providing us with valuable feedback and to those who helped donate for the new hosting via the SPDX Community Bridge for the online tools.
A new version of the online tools, implementing several enhancements and an improved deployment infrastructure, is currently in test. Once testing and the upgrade are complete in 2 to 4 weeks, any previous links used for the tools will no longer be available, so be sure to bookmark the new location.
The new version has the following enhancements:
If you find any issues or would like to request any enhancements, please add them to the spdx-online-tools Issues list.
Thanks to the many students, mentors and SPDX team members who have contributed to the online tools, including Rohit, who was the originator of the online tools and mentor to many students; Smith, who contributed the namespace functionality; Umang, who implemented the improved license submittal; Mehant, who contributed the Docker deployment implementation; and Steve, who helped us obtain the new URL.
On August 20th, the Software Package Data Exchange® (SPDX®) specification was submitted to ISO for consideration as a Publicly Available Specification. The Joint Development Foundation (which is part of the Linux Foundation) submitted the specification to JTC1 for balloting. We are now awaiting feedback from the coordinators, and hope to see it available for balloting soon.