We are pleased to announce a new repository in the SPDX GitHub organization to provide illustrative examples of SPDX software bills of materials (SBOMs).
For some developers and packagers who are first getting started with creating SBOMs, the expected format for an SPDX document in a particular situation may not be intuitive. The examples in this repo cover a handful of basic use cases, with explanations of the choices made and various features of the SPDX metadata language.
The examples have a particular focus on how multiple SPDX documents can be linked together to express metadata about source code files and binary build artifacts, and the relationships between them.
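As an added illustration of the kind of linking the repository covers (this is example code written for this post, not taken from the SPDX examples repository), the Python below constructs two small SPDX 2.2 JSON documents: one describing a C source tree and one describing the binary built from it. The build document points back at the source document through an `externalDocumentRefs` entry and expresses the `GENERATED_FROM` relationship across that link. The checker then does what a consumer of such SBOMs should do before trusting the link: confirm that the referenced document is actually present, that its checksum matches the one recorded in the referring document, and that every relationship endpoint resolves to an element that really exists. The document namespaces, package names, file names and the all-zero file checksum are constructed placeholders.

```python
"""Cross-check the links between two SPDX 2.2 JSON documents (constructed example)."""
import hashlib
import json
import re

# Constructed namespaces; not published SPDX documents.
SOURCE_NS = "https://example.com/spdx/hello-src-1.0"
BUILD_NS = "https://example.com/spdx/hello-bin-1.0"

# Source-tree SBOM, serialized once so its SHA1 is stable for the external reference.
SOURCE_DOC = {
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "hello-src",
    "documentNamespace": SOURCE_NS,
    "packages": [{"SPDXID": "SPDXRef-Package-hello-src", "name": "hello",
                  "versionInfo": "1.0", "downloadLocation": "NOASSERTION"}],
    "files": [{"SPDXID": "SPDXRef-File-hello-c", "fileName": "./hello.c",
               "checksums": [{"algorithm": "SHA1", "checksumValue": "0" * 40}]}],  # placeholder digest
    "relationships": [{"spdxElementId": "SPDXRef-Package-hello-src",
                       "relationshipType": "CONTAINS",
                       "relatedSpdxElement": "SPDXRef-File-hello-c"}],
}
SOURCE_BYTES = json.dumps(SOURCE_DOC, indent=2).encode()
SOURCE_SHA1 = hashlib.sha1(SOURCE_BYTES).hexdigest()

# Build SBOM: the binary package is GENERATED_FROM the source package in the other document.
BUILD_DOC = {
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "hello-bin",
    "documentNamespace": BUILD_NS,
    "externalDocumentRefs": [{"externalDocumentId": "DocumentRef-hello-src",
                              "spdxDocument": SOURCE_NS,
                              "checksum": {"algorithm": "SHA1", "checksumValue": SOURCE_SHA1}}],
    "packages": [{"SPDXID": "SPDXRef-Package-hello-bin", "name": "hello",
                  "versionInfo": "1.0", "downloadLocation": "NOASSERTION"}],
    "relationships": [{"spdxElementId": "SPDXRef-Package-hello-bin",
                       "relationshipType": "GENERATED_FROM",
                       "relatedSpdxElement": "DocumentRef-hello-src:SPDXRef-Package-hello-src"}],
}

# "DocumentRef-<id>:SPDXRef-<id>" is how SPDX 2.x names an element in another document.
EXTERNAL_REF = re.compile(r"^(DocumentRef-[A-Za-z0-9.\-]+):(SPDXRef-[A-Za-z0-9.\-]+)$")


def element_ids(doc):
    """All SPDX identifiers a document defines (the document itself, packages, files, snippets)."""
    ids = {doc["SPDXID"]}
    for key in ("packages", "files", "snippets"):
        ids.update(item["SPDXID"] for item in doc.get(key, []))
    return ids


def check_links(doc, available):
    """Return a list of problems with the cross-document links in `doc`.

    `available` maps a document namespace to the raw bytes of that SPDX file,
    exactly as fetched, so the recorded checksum can be verified against it.
    """
    problems = []
    ext_refs = {r["externalDocumentId"]: r for r in doc.get("externalDocumentRefs", [])}
    local_ids = element_ids(doc)
    remote_ids = {}  # externalDocumentId -> ids defined by the verified remote document

    # 1. Every ExternalDocumentRef must point at a document we hold, with a matching checksum.
    for ref_id, ref in ext_refs.items():
        raw = available.get(ref["spdxDocument"])
        if raw is None:
            problems.append(f"{ref_id}: referenced document {ref['spdxDocument']} not available")
            continue
        algo = ref["checksum"]["algorithm"].lower().replace("-", "")  # "SHA1" -> "sha1"
        if hashlib.new(algo, raw).hexdigest() != ref["checksum"]["checksumValue"].lower():
            problems.append(f"{ref_id}: {ref['checksum']['algorithm']} mismatch, link not trustworthy")
            continue
        remote = json.loads(raw)
        if remote.get("documentNamespace") != ref["spdxDocument"]:
            problems.append(f"{ref_id}: document namespace does not match spdxDocument")
            continue
        remote_ids[ref_id] = element_ids(remote)

    # 2. Every relationship endpoint must resolve locally or through a verified external ref.
    for rel in doc.get("relationships", []):
        for endpoint in (rel["spdxElementId"], rel["relatedSpdxElement"]):
            if endpoint in ("NONE", "NOASSERTION") or endpoint in local_ids:
                continue
            m = EXTERNAL_REF.match(endpoint)
            if not m:
                problems.append(f"{endpoint}: unknown element in {rel['relationshipType']} relationship")
                continue
            ref_id, spdx_id = m.groups()
            if ref_id not in ext_refs:
                problems.append(f"{endpoint}: no ExternalDocumentRef named {ref_id}")
            elif ref_id in remote_ids and spdx_id not in remote_ids[ref_id]:
                problems.append(f"{endpoint}: {spdx_id} not defined in {ref_id}")
    return problems


def tampered_source():
    """Source SBOM with one altered field, to show that the recorded checksum catches it."""
    return SOURCE_BYTES.replace(b'"versionInfo": "1.0"', b'"versionInfo": "1.1"')


if __name__ == "__main__":
    print(check_links(BUILD_DOC, {SOURCE_NS: SOURCE_BYTES}))      # [] : link verified
    print(check_links(BUILD_DOC, {SOURCE_NS: tampered_source()}))  # one checksum-mismatch problem
```

The checksum step is the part worth keeping in mind when SBOMs come from more than one tool or build stage: a `DocumentRef-` prefix only names another document, and it is the recorded digest that ties the relationship to a specific, unmodified copy of it.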
The initial examples in the repository are for C and Golang projects. We welcome contributions of new use cases, for other programming language ecosystems as well as different situations to represent. If you have a question about how best to represent a particular packaging of software in SPDX, feel free to submit an issue; or if you have an example to add for another use case, please submit a PR!
An SPDX DocFest will be taking place this coming Thursday, September 16, and we anticipate that the comparisons of SPDX documents generated by various tools will continue to drive the discussion of questions and best practices for using SPDX. Although the submission deadline has passed for this DocFest, we expect that there will be others in the future and we look forward to new participants there as well. Examples that emerge from discussions in the DocFest will be added to the repository. If you have questions, feel free to ask on firstname.lastname@example.org.