The SPDX project encourages the development of tools that conform to the Specification and help users, consumers and producers of SPDX documents.
Some of these are developed under the auspices of the SPDX project, but we encourage other open source community tools, as well as commercial vendors, to offer tools that work with SPDX documents in any of the serialization formats (JSON, YAML, tag/value (.spdx), RDF/XML, spreadsheets).
We’ve worked to align the description of each tool with the categories enumerated in the NTIA SBOM Tooling Taxonomy.
For those interested in validating whether a sample SPDX document conforms to the specification, there is a set of free online tools that the SPDX tool community has provided. These tools let you validate that an SPDX document conforms to the specification and convert between the serialization formats.
To make it easier for other organizations to work with the SPDX document format, a set of libraries and standalone tools has been created by volunteers in the SPDX tooling community to aid the reading and writing of SPDX documents. Library support for the Java, Python, and Go languages is available, in addition to other tools to aid during builds, as described in SPDX Community Tools. Anyone who is interested in helping us improve these tools is welcome to join us.
There are other open source projects that are now producing, consuming and transforming SPDX documents. The ones we’re aware of have been listed under Open Source Projects. If you’re aware of an open source project that is able to work with SPDX documents, please reach out and let the SPDX outreach team know about it, and we’ll work with you to get it added to the list.
For a viable ecosystem to emerge around improving software transparency, one that handles software bills of materials and supports the different use cases that are out there, there needs to be commercially supported tooling as well as open source projects. If you know of a proprietary tool that should be added to our Commercial Tools list, please let the SPDX outreach team know about it.
Note: The SPDX group does not endorse or, at this time, have a certification program for tool compliance. If you have any concerns or suggested updates, please reach out to the SPDX outreach team to discuss.