SPDX Tools

Application Collection – SBOM Viewer

The SBOM viewer is a web tool that lets you display SPDX and CycloneDX SBOMS in a human friendly way.

Users can pick any local SBOM following one of those specifications. The tool will detect the file format, and will summarize the relevant content instantly.

Everything happens offline: no data is sent to the internet and the visualization is rendered on the client side, which is great from a privacy perspective. Registration isn’t needed either to use the tool.

Contact

https://www.rancher.com/contact

SPDX verification

The JSON is parsed with JavaScript native libraries, and then key properties are validated in the resulting Objects to ensure the incoming SBOMs validity.

How to procure

Go to https://apps.rancher.io/sbom-viewer and follow the instructions there: select a local SPDX SBOM to display. No login/registration is required.

Installation instructions

No installation needed. Only internet connection to reach the tool site.

Link to quick start guide

https://apps.rancher.io/sbom-viewer

Classification

Consume/View

Version Support

2.3

Website

Augur

Augur is a tool for consumption of open source software health and Sustainability metrics & data collection. One of the functionalities of a standard Augur implementation is to scan projects to collect license information and create SPDX Documents with the resulting information. Augur APIs and web UI are available for the creation of SPDX documents. See the primary Augur instance at http://augur.osshealth.io/ for demonstration.

Website

• http://www.augurlabs.io/

SPDX verification

• NA

How to Procure

• https://github.com/chaoss/augur/

Installation Instructions

Quick Start Guide

• NA

Classification

Produce/Analyze

Version Support

2.1

Website

Black Duck SCA

Black Duck® software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from using open source and third-party code in applications. Manage software supply chain risks and make software bills of materials (SBOMs) part of the entire app lifecycle. Import SBOMs, automatically map dependencies, and document new components from custom or commercial dependencies. Export SPDX reports with standard or custom fields, automate SBOM generation, and monitor SBOM dependencies for emergent risks.

Contact

info@blackduck.com

SPDX verification

Black Duck uses the https://github.com/spdx/Spdx-Java-Library to generate SPDX compliant SBOMs. The https://github.com/spdx/Spdx-Java-Library is used to validate that SBOMs imported into Black Duck meet the SPDX specifications. Logs and references to specific lines causing the verification to fail are available if the SBOM being imported does not pass verification.

How to procure

Visit https://www.blackduck.com/software-composition-analysis-tools/black-duck-sca.html for more information. Contact us to schedule a demo or with questions at https://www.blackduck.com/contact-sales.html

Installation instructions

Black Duck SCA may be run on-premises or as a hosted solution. Complete installation and use documentation may be found within the Black Duck SCA documentation. https://documentation.blackduck.com/bundle/bd-hub/page/Welcome.html

Link to quick start guide

https://documentation.blackduck.com/bundle/bd-hub/page/Welcome.html

Classification

Consume/Diff, Consume/Import, Produce/Analyze, Produce/Build, Produce/Edit, Transform/Merge, Transform/Translate

Version Support

2.2, 2.3, 3.0 In Process

Website

bom

bom is the SBOM tool written by the kubernetes community to generate the bill of materials of kubernetes releases. The tool is used by several cloud native projects to generate their SBOMs.

bom can generate sbom through analysis of several sources. Supports output in TAGtag-value format and JSON. It also supports visualization and querying of documents.

Contact

https://github.com/kubernetes-sigs/bom

SPDX verification

NA

How to procure

https://github.com/kubernetes-sigs/bom

Installation instructions

Link to quick start guide

https://github.com/kubernetes-sigs/bom/blob/main/docs/create-a-bill-of-materials.md

Classification

Consume/View, Produce/Analyze, Produce/Build, Transform/Tool Support

Version Support

2.3

Website

BOMSkope

BOMSkope is a web-based Software Bill of Materials (SBOM) manager that simplifies tracking components from vendors. It helps you discover and monitor potential vulnerabilities in your vendors’ software components, offering greater visibility into your overall security posture.

Contact

https://github.com/netskopeoss/BOMSkope

SPDX verification

BOMSkope leverages the spdx-tools PyPI library to validate and analyze uploaded SPDX files.

How to procure

BOMSkope is available through our releases and can be built locally or through Docker.

Installation instructions

https://github.com/netskopeoss/BOMSkope/blob/main/README.md

Link to quick start guide

https://github.com/netskopeoss/BOMSkope/blob/main/BOMSkope%20-%20Documentation.pdf

Classification

Consume/Import, Consume/View

Version Support

2.2, 2.3

Website

CAST Highlight

CAST Highlight is a software intelligence product, available as SaaS, that provides rapid insights across a portfolio of applications. It acts as an application ‘control tower’ by automatically understanding the source code of hundreds of applications in hours and delivering actionable insights on Software Composition Analysis (open source risks, SBOM), Software Health (resiliency, agility, technical debt), Cloud Maturity, and Green Impact. Built-in surveys capture organizational context for more informed decision-making about application portfolios enabling smarter portfolio governance, faster modernization for cloud, better open source risk control, and greener software.ries

Contact

g.rivera@castsoftware.com

SPDX verification

We used this library to validate SPDX compatibility: https://github.com/spdx/Spdx-Java-Library/releases

How to procure

Users can purchase directly from CAST or on the AWS, Azure, and Google Cloud Marketplaces. Pricing is available here: https://www.castsoftware.com/highlight/pricing

Installation instructions

Full documentation is available here: https://doc.casthighlight.com/

Link to quick start guide

https://doc.casthighlight.com/Getting-Started-Guide.pdf

Classification

Consume/Diff, Consume/Import, Consume/View, Produce/Analyze, Produce/Edit, Transform/Merge, Transform/Tool Support, Transform/Translate

Version Support

2.3, 3.0 In Process

Website

Cavil

Cavil is a legal review and Software Bill of Materials (SBOM) system for the Open Build Service. It is used in the development of openSUSE Tumbleweed, openSUSE Leap, as well as SUSE Linux Enterprise.

SPDX verification

• NA

How to Procure

• https://github.com/openSUSE/cavil

Installation Instructions

• https://github.com/openSUSE/cavil#getting-started

Quick Start Guide

• https://github.com/openSUSE/cavil/blob/master/README.md

Classification

Produce/Analyze

Version Support

2.2

Website

Cyberwatch

Cyberwatch Vulnerability Manager is a comprehensive vulnerability management solution. It allows you to discover your assets, scan and prioritize vulnerabilities, make the right decisions and fix vulnerabilities.

Contact

contact@cyberwatch.fr

SPDX verification

We use SBOM audit to check your SPDX generated file : https://github.com/anthonyharrison/sbomaudit

How to procure

Users can purchase directly from Cyberwatch website : https://cyberwatch.fr/en/

Installation instructions

The technical documentation is available here : https://docs.cyberwatch.fr/help/en/use_assets/use_asset_form/#sbom-file

Link to quick start guide

https://docs.cyberwatch.fr/help/en/

Classification

Consume/Import, Consume/View, Produce/Analyze, Produce/Build

Version Support

2.3

Website

CycloneDX CLI

A command line tool incorporating many common utilities including converting between SBOM formats.

SPDX verification

• NA

How to Procure

• https://github.com/CycloneDX/cyclonedx-cli

Installation Instructions

• NA

Quick Start Guide

• https://github.com/CycloneDX/cyclonedx-cli

Classification

Consume/Diff, Consume/View, Transform/Merge, Transform/Translate

Version Support

2.2

dependency-management-data

Dependency Management Data (DMD) is a set of tooling to get a better understanding of the use of dependencies across your organisation.

The project consumes various formats (including SPDX SBOMs) and can then provide insight into use of deprecated, unmaintained or insecure packages, as well as providing a queryable interface (using SQL or GraphQL, so you can target changes across your projects and organisation more appropriately.

SPDX verification

https://dmd.tanna.dev/cookbooks/getting-started-sbom/ + we use the official library

How to procure

Build from source:

go install dmd.tanna.dev/cmd/dmd@latest

Or use pre-built binaries:

https://gitlab.com/tanna.dev/dependency-management-data/-/releases/

Installation instructions

dmd db init --db /path/to/output.db
dmd import sbom --db /path/to/output.db ...

Link to quick start guide

https://dmd.tanna.dev/cookbooks/getting-started-sbom/

Classification

Consume/View, Produce/Analyze

Version Support

2.2, 2.3

Website

distro2sbom

The DISTRO2SBOM generates a SBOM (Software Bill of Materials) for either an installed application or a complete system installation in a number of formats including SPDX and CycloneDX. An SBOM for an installed package will identify all of its dependent components.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.

SPDX verification

• NA

How to Procure

• https://pypi.org/project/distro2sbom/

Installation Instructions

• https://pypi.org/project/distro2sbom/

Quick Start Guide

• https://pypi.org/project/distro2sbom/

Classification

Produce/Analyze

Version Support

2.2, 2.3

Website

FOSSLight

FOSSLight supports organizations to develop and distribute software containing open source software that needs to follow the OSC(Open Source Compliance) process. FOSSLight Hub is an integrated system that can manage license compliance as well as open source vulnerability and monitoring by project.

SPDX verification

• NA

How to Procure

• https://github.com/fosslight/fosslight

Installation Instructions

• https://fosslight.org/fosslight-guide-en/started/1_install.html

Quick Start Guide

• https://fosslight.org/fosslight-guide-en/tutorial/

Classification

Consume/Import, Consume/View, Produce/Analyze, Transform/Merge, Transform/Translate

Version Support

2.2

Website

FOSSology

FOSSology is an open source license compliance software system and toolkit allowing users to run license, copyright and export control scans from a REST API.

As a system, a database and web UI are provided to provide a compliance workflow.

As part of the toolkit multiple license scanners, copyright and export scanners are tools available to help with compliance activities.

SPDX verification

• NA

How to Procure

• https://github.com/fossology

Installation Instructions

• https://www.fossology.org/get-started/

Quick Start Guide

• https://www.fossology.org/get-started/basic-workflow/

Classification

Consume/Diff, Consume/View, Produce/Analyze, Transform/Merge, Transform/Tool Support, Transform/Translate

Version Support

2.1, 2.2

Website

GitHub Self-Service SBOMs

GitHub provides an Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SPDX SBOM with a single click. The resulting JSON file saves project dependencies and metadata, like versions and licenses in the industry standard SPDX format, which can then be used with security and compliance workflows and tools, or reviewed in Microsoft Excel (use a JSON-to-CSV converter for compatibility with Google Sheets).Contact

SPDX verification

NA

How to procure

https://github.com/fossology

Installation instructions

N/A – available in every GitHub repo

Link to quick start guide

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository

Classification

Produce/Analyze

Version Support

2.3

Website

GUAC (Graph for Understanding Artifact Composition)

GUAC aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

Contact

https://guac.sh/

SPDX verification

GUAC uses the SPDX Golang tooling

How to procure

Download binaries or build from source.

Installation instructions

https://docs.guac.sh/getting-started/

Link to quick start guide

https://docs.guac.sh/getting-started/

Classification

Consume/Import, Transform/Tool Support

Version Support

2.3

Website

in-toto

Creates attestations to link artifacts together as they move through the chain of custody.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/in-toto/

Installation instructions

https://in-toto.readthedocs.io/en/latest/installing.html

Link to quick start guide

NA

Classification

Produce/Build

Version Support

2.3

Website

Interlynk

Interlynk SBOM Platform supports a free tier for unlimited importing, editing, translating SBOM, vulnerability scanning, in-place VEX generation, and policy enforcement.

Contact

hello@interlynk.io

SPDX verification

The Interlynk platform built a custom validator that checks for SPDX 2.2 and 2.3, with SPDX 3.0 work in progress. The validator checks for syntax, specification, and a number of regulatory checks.

How to procure

Contact hello@interlynk.io or book a demo https://calendly.com/interlynkio

Installation instructions

Interlynk is a software as a service or an on-premise solution, depending on the partner’s requirements.

Link to quick start guide

NA

Classification

Consume/Diff, Consume/Import, Consume/View, Produce/Analyze, Produce/Build, Produce/Edit, Transform/Merge, Transform/Tool Support, Transform/Translate

Version Support

2.2, 2.3

Website

lib4sbom

Lib4SBOM is a library to parse and generate Software Bill of Materials (SBOMs). It supports SBOMs created in both SPDX and CycloneDX formats. It has been developed on the assumption that having a generic abstraction of SBOM regardless of the underlying format will be useful to developers.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/lib4sbom/

Installation instructions

https://pypi.org/project/lib4sbom/

Link to quick start guide

https://pypi.org/project/lib4sbom/

Classification

Transform/Tool Support

Version Support

2.2, 2.3

Website

Manifest

Manifest is an end-to-end SBOM management platform, addressing every phase of the SBOM lifecycle. Manifest can be used to collect SBOMs from third parties, generate them from internal applications, analyze SBOMs for vulnerabilities, contextualize vulnerabilities with exploitability, and securely share and create tickets/reports. Manifest is trusted by governments, F500, automotive, financial services, manufacturing, healthcare, defense, and other enterprises around the world.

Contact

info@manifestcyber.com

SPDX verification

We rely on SPDX-compliant SBOM generators when a user provides the SPDX flag as an input in their chosen generator, and then we perform minimum spec compliance and apply some “SBOM healing” if the generator is missing basic details.

How to procure

Manifest is available through most major resellers and directly. To begin the process, email info@manifestcyber.com and we’ll be happy to help.

Installation instructions

Manifest is available as a software-as-a-service (SaaS) application, and no installation is required for SBOM management. For SBOM generation, we offer integrations with GitHub and CircleCI, as well as a lightweight CLI.

Classification

Consume/Import, Consume/View, Produce/Analyze, Produce/Build, Produce/Edit, Transform/Merge, Transform/Translate

Version Support

2.0, 2.1, 2.2, 2.3

Website

Nix/Nixpkgs

Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Nixpkgs is a collection of over 80,000 software packages with verifiable transitive SBOMs already in existence.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/NixOS/nix and https://github.com/NixOS/nixpkgs

Installation instructions

https://nixos.org/download.html

Link to quick start guide

https://nixos.org/download.html

https://edolstra.github.io/pubs/phd-thesis.pdf

Classification

Produce/Build

Version Support

2.2

Website

ntia-conformance-checker

This tool determines whether a SPDX SBOM document contains the National Telecommunications and Information Administration (NTIA) “minimum elements”.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/spdx/ntia-conformance-checker

Installation instructions

https://github.com/spdx/ntia-conformance-checker#installation

Link to quick start guide

https://github.com/spdx/ntia-conformance-checker#installation

Classification

Consume/Import

Version Support

2.2, 2.3

Website

Open Source Review Toolkit (ORT)

Creates SPDX SBOMs from a variety of package managers during builds of products. Support SPDX package/project manifest.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/oss-review-toolkit/ort

Installation instructions

https://github.com/oss-review-toolkit/ort#installation

Link to quick start guide

https://github.com/oss-review-toolkit/ort/blob/master/docs/getting-started.md

Classification

Consume/Diff, Consume/Import, Produce/Build

Version Support

2.2

Website

OpenChain Telco SBOM validator

The OpenChain Telco SBOM validator allows to check conformance of an SPDX SBOM to the OpenChain Telco SBOM Guide Version 1.0: https://openchainproject.org/news/2024/07/30/openchain-telco-sbom-guide-general-availability

Contact

https://lists.openchainproject.org/g/telco

SPDX verification

OpenChain Telco SBOM validator checks that the SBOM is valid SPDX using the SPDX Python library https://github.com/spdx/tools-python

How to procure

Tool can be downloaded at https://github.com/OpenChain-Project/Telco-WG/tree/main/tools/openchain_telco_sbom_validator

Installation instructions

Installation instructions and documentation are available at https://github.com/OpenChain-Project/Telco-WG/tree/main/tools/openchain_telco_sbom_validator

Link to quick start guide

NA

Classification

Consume/View

Version Support

2.2, 2.3

Website

Parlay

Parlay is a tool to enrich SBOMs with information taken from external services.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/snyk/parlay

Installation instructions

https://github.com/snyk/parlay?tab=readme-ov-file#installation

Link to quick start guide

https://github.com/snyk/parlay/blob/main/README.md

Classification

Consume/Import, Transform/Tool Support, Transform/Translate

Version Support

2.3

Website

PkgToSoftwareBOM.jl

PkgToSoftwareBOM.jl produces an SBOM describing your Julia environment in the SPDX format. The SBOM includes:

• A complete package dependency list
• A complete binary artifact dependency list
• A best effort determination of the declared software license for all packages and binaries

Contact

savery@ieee.org

SPDX verification

Used the online SPDX validation tool on example SBOMs generated during the development process. For an output example see:
https://github.com/SamuraiAku/PkgToSoftwareBOM.jl/blob/v0.1.12/examples/Environment_Example1.spdx.json

How to procure

https://github.com/SamuraiAku/PkgToSoftwareBOM.jl

PkgToSoftwareBOM is a registered Julia package. Users install it using the Julia package manager.

Installation instructions

User documentation is found in the package README

Link to quick start guide

https://github.com/SamuraiAku/PkgToSoftwareBOM.jl/blob/v0.1.12/README.md

Classification

Produce/Build

Version Support

2.3

Website

Polaris Software Integrity Platform

The Polaris Platform® uses its fAST SCA (software composition analysis) engine to help teams manage the security, quality, and license compliance risks that come from using open source and third-party code in applications. Manage software supply chain risks and make software bills of materials (SBOMs) part of the entire app lifecycle.

Contact

info@blackduck.com

SPDX Verification

Polaris fAST SCA uses the https://github.com/spdx/Spdx-Java-Library to generate SPDX compliant SBOMs.

How to Procure

Visit https://www.blackduck.com/platform.html for more information. Contact us to schedule a demo or with questions at https://www.blackduck.com/contact-sales.html

Installation Instructions

The Polaris Platform is a cloud-hosted, as-a-service application security testing (AST) platform. Users may log in, set up SSO, and connect via API and other out-of-the-box SDLC integrations. For more information, review the Polaris documentation at https://documentation.blackduck.com/bundle/polaris/page/documentation/r_org-how.html

Quick Start Guide

https://documentation.blackduck.com/bundle/polaris/page/documentation/c_product-overview.html

Classification

Consume/Diff, Consume/Import, Consume/View, Produce/Analyze, Produce/Build, Produce/Edit, Transform/Merge, Transform/Tool Support, Transform/Translate

Version Support

2.0, 2.1, 2.2, 2.3, 3.0 Complete, 3.0 In Process

Website

Protobom

A universal SBOM representation in protocol buffers. Translates between SPDX and CycloneDX SBOM formats.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/bom-squad/protobom

Installation instructions

NA

Link to quick start guide

NA

Classification

Consume/Import, Transform/Translate

Version Support

2.3

Renovate-to-SBOM

renovate-to-sbom allows converting data dumps from Renovate and converts them to i.e. an SPDX output.

The SBOMs aren’t of the highest of quality, but they’re a good start.

How to procure

Build from source:

go install dmd.tanna.dev/cmd/renovate-to-sbom@latest

Installation instructions

renovate-to-sbom '../out/*.json'      --out-format spdx2.3+json

Link to quick start guide

NA

Classification

Produce/Build

Version Support

2.2, 2.3

Website

Reuse

The REUSE helper tool assists with achieving and confirming REUSE compliance. It downloads the full license texts, adds copyright and license information to file headers, and contains a linter to identify problems. With it, you can generate a software bill of materials.

Contact

NA

SPDX verification

NA

How to procure

https://git.fsfe.org/reuse/tool

Installation instructions

https://git.fsfe.org/reuse/tool/src/branch/master/README.md

Link to quick start guide

https://reuse.software/tutorial/

Classification

Produce/Analyze, Produce/Build

Version Support

2.1, 2.2, 2.3

Website

sbom-manager

The SBOM Manager is a free, open source tool to help manage a collection of SBOMs(Software Bill of Materials) in a number of formats including SPDX and CycloneDX.

The tool has two modes of operation:

1. A repository which maintains the set of components which have been included as part of a release or build of a software product.
2. Tools for quering the inclusion of specific products in a project development to answer some commmon use cases.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbom-manager/

Installation instructions

https://pypi.org/project/sbom-manager/

Link to quick start guide

https://pypi.org/project/sbom-manager/

Classification

Consume/View

Website

sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts. The tool uses the Component Detection libraries to detect components and the ClearlyDefined API to populate license information for these components.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/microsoft/sbom-tool

Installation instructions

https://github.com/microsoft/sbom-tool#download-and-installation

Link to quick start guide

Classification

Produce/Analyze

Version Support

2.2

Website

sbom2doc

SBOM2DOC documents and summarises the components within an SBOM (Software Bill of Materials). SBOMS are supported in a number of formats including SPDX and CycloneDX.

Contact

SPDX verification

NA

How to procure

https://pypi.org/project/sbom2doc/

Installation instructions

https://pypi.org/project/sbom2doc/

Link to quick start guide

https://pypi.org/project/sbom2doc/

Classification

Consume/View

Version Support

2.2, 2.3

Website

sbom2dot

SBOM2DOT generates a dependency graph of the components within an SBOM (Software Bill of Materials). The format of the graph file is compatible with the DOT language used by the GraphViz application. SBOMs are supported in a number of formats including SPDX and CycloneDX.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbom2dot/

Installation instructions

https://pypi.org/project/sbom2dot/

Link to quick start guide

https://pypi.org/project/sbom2dot/

Classification

Consume/View

Version Support

2.2, 2.3

Website

sbom4files

SBOM4Files generates a SBOM (Software Bill of Materials) for a directory in a number of formats including SPDX and CycloneDX. It identifies all files within a directory and includes license and copyright information, where possible, for each file.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained, typically through the build development phase, and also to support subsequent audit needs to determine if a particular component has been used.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbom4files/

Installation instructions

https://pypi.org/project/sbom4files/

Link to quick start guide

https://pypi.org/project/sbom4files/

Classification

Produce/Build

Version Support

2.2, 2.3

Website

sbom4python

The SBOM4Python is a free, open source tool to generate a SBOM (Software Bill of Materials) for an installed Python module in a number of formats including SPDX and CycloneDX. It identifies all of the dependent components which are explicity defined (typically via requirements.txt file) or implicitly as a hidden dependency.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbom4python/

Installation instructions

https://pypi.org/project/sbom4python/

Link to quick start guide

https://pypi.org/project/sbom4python/

Classification

Produce/Build

Version Support

2.2, 2.3

Website

sbom4rust

SBOM4Rust generates a SBOM (Software Bill of Materials) for Rust application or library in a number of formats including SPDX and CycloneDX. It identifies all the dependent components which are explicity defined in the Cargo.lock file and reports the relationships between the components.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbom4rust/

Installation instructions

https://pypi.org/project/sbom4rust/

Link to quick start guide

https://pypi.org/project/sbom4rust/

Classification

Produce/Build

Version Support

2.2, 2.3

sbomaudit

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbomaudit/

Installation instructions

https://pypi.org/project/sbomaudit/

Link to quick start guide

https://pypi.org/project/sbomaudit/

Classification

Consume/View

Version Support

2.2, 2.3

Website

sbomdiff

SBOMDiff is a tool to compare two Software Bill of Materials (SBOM) files and reports the differences. It supports SBOMs created in both SPDX and CycloneDX formats.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbomdiff/

Installation instructions

https://pypi.org/project/sbomdiff/

Link to quick start guide

https://pypi.org/project/sbomdiff/

Classification

Consume/Diff

Version Support

2.2

Website

sbommerge

SBOMMerge merges two Software Bill of Materials (SBOMs) documents together. It supports SBOMs created in both SPDX and CycloneDX formats.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbommerge/

Installation instructions

https://pypi.org/project/sbommerge/

Link to quick start guide

https://pypi.org/project/sbommerge/

Classification

Transform/Merge

Version Support

2.2, 2.3

sbomqs – Quality metrics for SBOMs

sbomqs is an open-source tool to assess the details and compliance state of SBOM. The tool converts compliance requirements into checks expressed as a score 0-9 or a JSON report. The checks can be customized based on the SBOM’s intended use case.

Contact

https://github.com/interlynk-io/sbomqs

SPDX verification

sbomqs uses the SPDX golang tool for analysis.

How to procure

sbomqs is available through source, binaries, package or homebrew

Installation instructions

Installation

Link to quick start guide

Quick Start

Classification

Consume/Import, Consume/View

Version Support

2.2, 2.3

Website

sbomtrend

SBOMTrend analyses a directory of SBOM (Software Bill of Materials) in either SPDX and CycloneDX formats. It analyses all SBOM files within a directory and identifies license and version changes, for each component.

Contact

NA

SPDX verification

NA

How to procure

https://pypi.org/project/sbomtrend/

Installation instructions

https://pypi.org/project/sbomtrend/

Link to quick start guide

https://pypi.org/project/sbomtrend/

Classification

Consume/Diff

Version Support

2.2, 2.3

Website

ScanCode Toolkit

ScanCode detects licenses, copyrights, package manifests and direct dependencies and more both in source code and binary files..

• As a standalone command line tool, ScanCode is easy to install, run and embed in your CI/CD processing pipeline. It runs on Windows, macOS and Linux.
• Written in Python, ScanCode is easy to extend with plugins to contribute new and improved scanners, data summarization, package manifest parsers and new outputs.
• Scan results can be saved as JSON, HTML, CSV or SPDX.

There is a companion ScanCode workbench GUI app to review and display scan results, statistics and graphics.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/nexB/scancode-toolkit

Installation instructions

https://github.com/nexB/scancode-toolkit#installation

Link to quick start guide

https://github.com/nexB/scancode-toolkit#quick-start

To generate SPDX documents use option:

--spdx-rdf FILE (for SPDX RDF document)

--spdx-tv FILE (for SPDX Tag/Value document)

See also: https://scancode-toolkit.readthedocs.io/en/latest/

Classification

Produce/Analyze

Version Support

2.1, 2.2

Website

SCANOSS

Software Composition Analysis (SCA)

Contact

NA

SPDX verification

NA

How to procure

https://github.com/scanoss

Installation instructions

https://github.com/scanoss/platform/blob/master/DEPLOYMENT.md

Link to quick start guide

NA

Classification

Consume/Import, Produce/Analyze

Version Support

2.2

Website

SPDX Golang Libraries

Tools-golang is a collection of Go packages intended to make it easier for Go programs to work with SPDX files.

Contact

SPDX Technical Team: Spdx-tech@lists.spdx.org

SPDX verification

Participate in SPDX DocFests.

How to procure

https://github.com/spdx/tools-golang

Installation instructions

https://github.com/spdx/tools-golang

Link to quick start guide

https://github.com/spdx/tools-golang#what-it-does

Classification

Produce/Analyze, Produce/Build, Transform/Tool Support, Transform/Translate

Version Support

2.1, 2.2, 2.3, 3.0 In Process

Website

SPDX Java Libraries and Tools

Support consuming and producing SPDX documents within a Java language environment.  Includes several useful utilities such as comparison of SPDX documents, license matching, and conversion of formats.

Can also be used as a command line utility.  Following are the supported commands:

• TagToSpreadsheet – Convert a tag format input file to a spreadsheet output file
• TagToRDF – Convert a tag format input file to an RDF format output file
• RdfToTag – Convert an RDF format input file to a tag format output file
• RdfToHtml – Convert an RDF format input file to an HTML web page output file
• RdfToSpreadsheet – Convert an RDF format input file to a spreadsheet format output file
• SpreadsheetToRDF – Convert a spreadsheet input file to an RDF format output file
• SpreadsheetToTag – Convert a spreadsheet input file to a tag format output file
• SPDXViewer – Display an SPDX document input file (in either tag/value or RDF format)
• CompareMultipleSpdxDocs – Compare multiple SPDX documents (in either tag/value or RDF formats) and output to a spreadsheet
• CompareSpdxDocs – Compare two SPDX documents (in either tag/value or RDF format)
• GenerateVerificationCode – Generate a Verification Code from a directory of files.

Contact

SPDX Technical Team: Spdx-tech@lists.spdx.org

SPDX verification

Participate in SPDX DocFests.

How to procure

https://github.com/spdx/tools-java

Installation instructions

Tools can be used online at https://tools.spdx.org/app/ or installed as a command line (see https://github.com/spdx/tools-java/blob/master/README.md)

Link to quick start guide

https://github.com/spdx/tools-java/blob/master/README.md

Classification

Consume/Diff, Consume/Import, Consume/View, Produce/Analyze, Produce/Build, Transform/Tool Support, Transform/Translate

Version Support

2.0, 2.1, 2.2, 2.3, 3.0 In Process

Website

SPDX Javascript Libraries

Support consuming and producing SPDX documents within a Node and JavaScript language environment.

The library is currently under development and is semi-stable.

Contact

SPDX Technical Team: Spdx-tech@lists.spdx.org

SPDX verification

Participate in SPDX DocFests.

How to procure

https://github.com/spdx/spdx-tools-js

Installation instructions

See https://github.com/spdx/spdx-tools-js#installation-and-usage

Link to quick start guide

The library is currently under development and is semi-stable.  See the README for the current status.

Classification

Produce/Analyze, Transform/Tool Support, Transform/Translate

Version Support

2.1

Website

SPDX Maven Plugin

Automated production of an SPDX document for a Maven build environment.

Contact

SPDX Technical Team: Spdx-tech@lists.spdx.org

SPDX verification

Participate in SPDX DocFests.

How to procure

https://github.com/spdx/spdx-maven-plugin

Installation instructions

See https://github.com/spdx/spdx-online-tools#installation

Link to quick start guide

See https://github.com/spdx/spdx-maven-plugin#usage

Classification

Produce/Analyze, Produce/Build

Version Support

2.1, 2.2, 2.3

Website

SPDX OnLine Tools

Online utility with several functions to examine, transform, and edit SPDX documents.

Contact

SPDX Technical Team: Spdx-tech@lists.spdx.org

SPDX verification

Results compared with SPDX Python Tools.

How to procure

Website: https://tools.spdx.org/app/

Source: https://github.com/spdx/spdx-online-tools

Installation instructions

See https://github.com/spdx/spdx-online-tools#installation

Link to quick start guide

See the website

For access to the tools through an online API – see https://github.com/spdx/spdx-online-tools#how-to-use-api

Classification

Consume/Diff, Consume/Import, Consume/View, Transform/Tool Support, Transform/Translate

Version Support

2.1, 2.2, 2.3

Website

SPDX Python Libraries

Support consuming and producing SPDX documents within a Python language environment.

Contact

SPDX Technical Team: Spdx-tech@lists.spdx.org

SPDX verification

Results compared with SPDX Java Tools.

How to procure

https://github.com/spdx/tools-python

Installation instructions

https://github.com/spdx/tools-python#installation

Link to quick start guide

https://github.com/spdx/tools-python#how-to-use

Classification

Produce/Analyze, Transform/Tool Support, Transform/Translate

Version Support

2.0, 2.1, 2.2, 2.3

Website

spdx-sbom-generator

Spdx-sbom-generator is a tool to help those in the community that want to generate SPDX Software Bill of Materials (SBOMs) with current package managers. It has a command line Interface (CLI) that lets you generate SBOM information, including components, licenses, copyrights, and security references of your software using SPDX v2.2 specification and aligning with the current known minimum elements from NTIA.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/opensbom-generator/spdx-sbom-generator

Installation instructions

https://github.com/opensbom-generator/spdx-sbom-generator#installation

Link to quick start guide

https://github.com/opensbom-generator/spdx-sbom-generator#command-options
$ ./spdx-sbom-generator -o /out/spdx/

Classification

Produce/Analyze

Version Support

2.2, 2.3

Website

SW360

SW360 is a software component catalogue application – designed to work with FOSSology.

SW360 is a server with a REST interface and a liferay portal application to maintain your projects / products and the software components within.

It can manage SPDX files for checking the license conditions and maintain license information.

In addition to license information, SW360 can import Software BOM files in SPDX format to automatically create records for software components and a product in the database.

Contact

N

SPDX verification

NA

How to procure

https://github.com/eclipse/sw360

Installation instructions

https://github.com/eclipse/sw360/wiki#deploying-sw360

Link to quick start guide

https://github.com/sw360/sw360slides

Classification

Consume/Diff, Consume/Import, Consume/View, Transform/Merge

Version Support

2.1, 2.2, 2.3

Website

Syft

Syft is a content analyzer and SBOM generator for container images and filesystems. Syft supports a large variety of package ecosystems and can provide output in several formats. Syft also includes a first-class Go library that can be leveraged for SBOM capabilities within other projects.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/anchore/syft

Installation instructions

https://github.com/anchore/syft#installation

Link to quick start guide

$ syft <image> -o spdx-tag-value@2.2
$ syft <image> -o spdx-json

Classification

Produce/Analyze, Transform/Translate

Version Support

2.2

Website

Tern

Tern is a software composition analysis tool and Python library that generates an SBOM for container images and Dockerfiles. Tern also has the ability to integrate and extend the functionality of other inspection tools like Scancode to find file level metadata information.

Contact

NA

SPDX verification

NA

How to procure

https://github.com/tern-tools/tern

Installation instructions

https://github.com/tern-tools/tern#getting-started

Link to quick start guide

$ tern report -f spdxtagvalue -i <container> -o spdx.txt
$ tern report -f spdxtagvalue -d <Dockerfile> -o spdx.txt

Classification

Produce/Analyze

Version Support

2.2, 2.3

Website

Threatrix

Snippet level copy/paste & AI Code detection with 99.9% accuracy create dynamic, hyper-accurate SBOMs

Contact Email or URL

john@threatrix.io

SPDX verification

Automated testing against specification for each version

How to procure

Free trial. Subscriptions with credit card or purchase order.

Installation instructions

installation not required for trial. CLI deploys in build server

Link to quick start guide

https://docs.threatrix.io/

Classification

Consume/Diff, Consume/Import, Consume/View, Produce/Analyze, Produce/Build, Produce/Edit, Transform/Tool Support, Transform/Translate

Version Support

2.2, 2.3, 3.0 Complete

Website

Vigilant Ops InSight

Vigilant Ops InSight is a cloud-based platform utilized by both SBOM Producers and SBOM Consumers. Producers use the platform for generating, maintaining, and securely sharing SBOMs with Consumers. The InSight platform leverages advanced technology, artificial intelligence, and machine learning algorithms to continuously monitor public data sources for component vulnerability updates.

Contact

info@vigilant-ops.com

SPDX verification

The platform supports import and export of SBOM data in SPDX 2.2 and 2.3.

How to procure

Provide you information here https://www.vigilant-ops.com/get-demo/ and we will contact you. Or email info@vigilant-ops.com

Installation instructions

SBOM generation tools can be downloaded from the SAAS platform.

Link to quick start guide

NA

Classification

Consume/Diff, Consume/Import, Consume/View, Produce/Analyze, Produce/Build, Produce/Edit, Transform/Tool Support

Version Support

2.2, 2.3

Website

Yocto Project / OpenEmbedded

Yocto project through the OpenEmbedded build system supports creation of embedded system distros, including Linux and other RTOSes.  SBOM data is generated using the extensive metadata that Yocto already track about software it is building. This includes license descriptions, build time dependencies, runtime dependencies, and scanning of debug data for source code relationships. The output from the tool is a collection of SPDX json files with a rich set of inter-document references.

Contact

NA

SPDX verification

NA

How to procure

https://git.openembedded.org/openembedded-core/tree/meta/classes/create-spdx.bbclass

Installation instructions

https://docs.yoctoproject.org/index.html

Link to quick start guide

Add the following lines to local.conf:
INHERIT += "create-spdx"

Classification

Produce/Build

Version Support

2.2

Website