This page has a list of commercial tools that support SPDX. To have your tool listed contact the outreach team and follow the instructions.
AIRS helps supply chain partners share data regarding identification of open source components in software packages thus reducing redundant work in a software supply chain. Although initially developed to work with Black Duck® Protex™, AIRS is designed with an abstraction layer to be extensible to other scanning tools.
FOSSology is an open source license compliance software system and toolkit. As a toolkit, you can run license, copyright and export control scans from the command line. As a system, a database and web UI are provided to give you a compliance workflow. License, copyright, and export scanners are tools available to help with your compliance activities. FOSSology can generate SPDX Documents.
The FOSSology+SPDX project is built using the FOSSology project. The FOSSology project focuses on the design and development of a software-scanning tool for identifying licenses and copyrights within select software. Our goal of integrating the FOSSology output with the SPDX standard is to provide an end-to-end open source solution for producing SPDX documents from scanned software packages. The project and was created and is hosted at the University of Nebraska at Omaha. For more information, you can go here. Access to the source is available here
OSIT allows developers to scan, self-verify their source code and report during development. Developers can import or export SPDX documents with the tool to automatically identify potential issues (AIRS is embedded in OSIT)
ScanCode scans code and detect licenses, copyrights, packages manifests & dependencies and more … to discover and inventory open source and third-party packages used in your code. It can even generate SPDX Documents.
A Google Summer of Code project that implemented an SPDX parser in the Go Language. May not be updated to 2.0 of the specification.
A Google Summer of Code project that implemented an SPDX parser in Python. May not be updated to 2.0 of the specification.
Simplifies an SPDX expression (including ones with sub-expressions) down to a list of license choices. Licenses that are OR’d together will be returned as-is and licenses that are AND’d together will be returned as
The TripleCheck reporter is the ideal tool for a quick overlook of the licensing compliance status for a given set of source code files in your desktop computer (Windows, Linux, Mac OSX). If some license or copyright is not detected by the tool, you can easily add new rules by yourself. We are building a community around open source tooling and your help is welcome to grow the open database of licensing rules. Look for us on GitHub.
The Yocto+SPDX project is built to integrate SPDX generation into the Yocto build process. The Yocto Project is an open source collaboration project that provides templates, tools and methods to help create custom Linux-based systems for embedded products regardless of the hardware architecture (http://www.yoctoproject.org). The goal of integrating the Yocto build process with the SPDX standard is to integrate automated SPDX generation in upstream open source projects. The project and was created and is hosted at the University of Nebraska at Omaha.