Open Source Tools

This page lists Open Source tools that support SPDX.

Augur

Classification Produce (Audit tool)
Functionality Augur is a tool for the consumption of open source software health and sustainability metrics and for data collection. One of the functionalities of a standard Augur implementation is to scan projects to collect license information and create SPDX documents from the resulting information.

Augur APIs and web UI are available for the creation of SPDX documents.

See the primary Augur instance at http://augur.osshealth.io/ for demonstration.

Location Website: http://www.augurlabs.io/

Source: https://github.com/chaoss/augur/

Installation instructions https://oss-augur.readthedocs.io/en/master/getting-started/installation.html
How to use https://oss-augur.readthedocs.io/en/master/getting-started/create-a-metric/overview.html
Versions supported SPDX 2.1

FOSSology

Classification Author after Creation (Audit tool, Manual), Consume(View,Diff,Analyze), Transform(Translate, Merge, Tool Integration)
Functionality FOSSology is an open source license compliance software system and toolkit allowing users to run license, copyright and export control scans from a REST API.

As a system, it provides a database and web UI to support a compliance workflow.

As a toolkit, it provides multiple license, copyright and export control scanners to help with compliance activities.

Location Website: https://www.fossology.org/

Source: https://github.com/fossology

Installation instructions https://www.fossology.org/get-started/
How to use https://www.fossology.org/get-started/basic-workflow/
Versions supported SPDX 2.1, SPDX 2.2 (WIP)

in-toto

Classification Produce(Author during Build)
Functionality Creates attestations to link artifacts together as they move through the chain of custody
Location Website: https://in-toto.io

Source: https://github.com/in-toto/

Installation instructions See https://in-toto.readthedocs.io/en/latest/installing.html
How to use
Versions supported SPDX 2.2 (WIP)

kernel-spdx-ids

Classification Author after Creation (Audit tool)
Functionality kernel-spdx-ids is a short Golang program that scans a Linux kernel for SPDX short-form identifiers, generating a summary report and optionally an SPDX tag-value document.
Location Source: https://github.com/swinslow/kernel-spdx-ids
Installation instructions https://github.com/swinslow/kernel-spdx-ids
How to use https://github.com/swinslow/kernel-spdx-ids
Versions supported SPDX 2.1

Longclaw

Classification Create after Build (Audit tool)
Functionality Uses the LLNL ROSE compiler framework to do third-party library identification. Generates valid SPDX documents from analysis of statically linked binaries. Can also verify a vendor-supplied SBOM.
Location Website: http://rosecompiler.org/

Source: LLNL internal repository

Installation instructions Planned as a web service
How to use Submit files to Longclaw using the API or the web interface, file will be analyzed and an SBOM generated.
Versions supported SPDX 2.2 (WIP)

npm-spdx

Classification Author after Creation (Audit tool)
Functionality npm-spdx is a short Golang program that takes an NPM package.json file and its corresponding lock file, and queries NPM to obtain declared license metadata.

It generates an SPDX tag-value document with the package licenses and transitive relationships, and optionally generates a JSON summary file as well.

Location Source: https://github.com/swinslow/npm-spdx
Installation instructions https://github.com/swinslow/npm-spdx
How to use https://github.com/swinslow/npm-spdx
Versions supported SPDX 2.1

Open Source Software Review Toolkit (ORT)

Classification Author during Build, Consume(Analyze, Diff)
Functionality Creates SPDX SBOMs from a variety of package managers during builds of products. Supports SPDX package/project manifests.
Location Website: http://oss-review-toolkit.org/

Source: https://github.com/oss-review-toolkit/ort

Installation instructions See: https://github.com/oss-review-toolkit/ort#installation
How to use https://github.com/oss-review-toolkit/ort/blob/master/docs/getting-started.md
Versions supported SPDX 2.2 (WIP)

OWASP Dependency-Track

Classification Author after Creation (Audit tool), Consume(Analyze)
Functionality Component analysis platform (similar to SCA but leverages SBOMs exclusively and is not limited to software components)
Location Website: https://dependencytrack.org/

Source: https://github.com/DependencyTrack/dependency-track

Installation instructions
  1. docker pull owasp/dependency-track
  2. docker volume create --name dependency-track
  3. docker run -d -m 8192m -p 8080:8080 --name dependency-track -v dependency-track:/data owasp/dependency-track
How to use Publish an SBOM for analysis and view the results. Optionally, ingested SBOMs can be delivered via webhooks to any destination, or extracted to represent the component inventory at any point in time.

See: https://docs.dependencytrack.org/usage/cicd/ which has examples on how to publish. Once published, the BOM model is automatically normalized and you can use the UI or APIs as normal. For example https://docs.dependencytrack.org/usage/supply-chain-component-analysis/

Or, once mature enough to leverage Continuous Transparency, you can create a 'BOM_PROCESSED' notification for a given project and have the BOM delivered to one or more URLs (suppliers, partners, other BUs, etc.) by following the instructions here: https://docs.dependencytrack.org/integrations/notifications/.

Note that the best practices recommend using SPDX v2.2: https://docs.dependencytrack.org/best-practices/

Versions supported SPDX 2.1, SPDX 2.2

Quartermaster (QMSTR)

Classification Author during Build
Functionality QMSTR integrates into build systems to learn about software products, their sources and dependencies. Developers can run QMSTR locally to verify outcomes, review problems, and produce compliance reports. By integrating into DevOps CI/CD cycles, license compliance can become a quality metric for software development.
Location Website: https://qmstr.org

Source: https://github.com/QMSTR/qmstr

Installation instructions See: https://qmstr.org/documentation/introduction/installation/
How to use https://qmstr.org/documentation/introduction/getting-started/
Versions supported SPDX 2.1, SPDX 2.2 (WIP)

REUSE

Classification Author during Build, Author after Creation (Audit tool)
Functionality The REUSE helper tool assists with achieving and confirming REUSE compliance. It downloads the full license texts, adds copyright and license information to file headers, and contains a linter to identify problems. With it, you can generate a software bill of materials.
Location Website: https://reuse.software/

Source: https://git.fsfe.org/reuse/tool

Installation instructions https://git.fsfe.org/reuse/tool/src/branch/master/README.md

https://reuse.software/tutorial/

How to use $ cd path/to/project/

$ reuse lint

$ reuse spdx

(`reuse lint` checks the project for REUSE compliance; `reuse spdx` generates the SPDX bill of materials.)

Versions supported SPDX 2.1, SPDX 2.2 (WIP)

SwiftBOM – CERT CC SBOM tool

Classification Create after Build (Manual), Transform(Translate), Consume(View)
Functionality Generates a valid SPDX document from manual entry of NTIA minimum SBOM or SPDX-Lite fields
Location Website: https://sbom.democert.org/sbom/

Source: https://github.com/CERTCC/SBOM/tree/master/sbom-demo

Installation instructions See: file INSTALL.md in the git repository https://github.com/CERTCC/SBOM/blob/master/INSTALL.md
How to use On the sbom.democert.org site, enter the fields (either minimal NTIA or SPDX-Lite) and any dependencies. You can also import an Excel file or a preformatted SPDX file. Click the help icon in the top right corner for the Excel template to use for importing.
Versions supported SPDX 2.1, SPDX 2.2 (WIP)

ScanCode Toolkit

Classification Author after Creation (Audit tool)
Functionality ScanCode detects licenses, copyrights, package manifests, direct dependencies and more, in both source code and binary files.

As a standalone command line tool, ScanCode is easy to install, run and embed in your CI/CD processing pipeline. It runs on Windows, macOS and Linux.

Written in Python, ScanCode is easy to extend with plugins to contribute new and improved scanners, data summarization, package manifest parsers and new outputs.

Scan results can be saved as JSON, HTML, CSV or SPDX.

There is a companion ScanCode workbench GUI app to review and display scan results, statistics and graphics.

Location Website: https://github.com/nexB/scancode-toolkit
Installation instructions https://github.com/nexB/scancode-toolkit#installation
How to use https://github.com/nexB/scancode-toolkit#quick-start

To generate SPDX documents use option:

--spdx-rdf FILE (for SPDX RDF document)

--spdx-tv FILE (for SPDX Tag/Value document)

Versions supported SPDX 2.1, SPDX 2.2 (WIP)

SCANOSS

Classification Consume (Analyze), Author after Creation (Audit Tool)
Functionality Software Composition Analysis (SCA)
Location Website: https://www.scanoss.co.uk/

Source: https://github.com/scanoss

Installation instructions See https://github.com/scanoss/platform/blob/master/DEPLOYMENT.md
How to use
Versions supported

SPARTS

Classification Consume (View, Analyze)
Functionality A blockchain ledger to determine the chain of custody of all the software parts of which a product (e.g., an IoT device) is composed. The ledger provides both access to and accountability for software meta information of software parts exchanged among manufacturing supply chain participants.
Location Website: https://github.com/hyperledger-labs/SParts

Source: https://github.com/hyperledger-labs/SParts

Installation instructions https://sparts.readthedocs.io
How to use https://sparts.readthedocs.io
Versions supported SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2 (WIP)

SW360

Classification Consume(View, Diff, Analyze), Transform(Merge)
Functionality SW360 is a software component catalogue application designed to work with FOSSology.

SW360 is a server with a REST interface and a Liferay portal application to maintain your projects / products and the software components within.

It can manage SPDX files for checking the license conditions and maintain license information.

In addition to license information, SW360 can import Software BOM files in SPDX format to automatically create records for software components and a product in the database.

Location Website: https://www.eclipse.org/sw360/

Source: https://github.com/eclipse/sw360

Installation instructions https://github.com/eclipse/sw360/wiki#deploying-sw360
How to use https://github.com/sw360/sw360slides
Versions supported SPDX 2.1, SPDX 2.2 (WIP)

TERN

Classification Author after Creation (Audit tool)
Functionality Tern is an inspection tool to find the metadata of the packages installed in a container image. Tern also has the ability to integrate and extend the functionality of other inspection tools like Scancode to find file level metadata information.
Location Website (coming soon): tern.dev

Source: https://github.com/tern-tools/tern

Installation instructions See: https://github.com/tern-tools/tern#getting-started
How to use $ tern report -f spdxtagvalue -i <container> -o spdx.txt

$ tern report -f spdxtagvalue -d <Dockerfile> -o spdx.txt

Versions supported SPDX 2.1, SPDX 2.2 (WIP)

Yocto Project / OpenEmbedded

Classification Author during Build
Functionality The Yocto Project, through the OpenEmbedded build system, supports the creation of embedded system distros, including Linux and other RTOSes. By combining build debug information with source code licensing, a precise understanding of the licensing relevant to a binary can be created during builds.
Location Website: https://www.yoctoproject.org/

Source: https://git.yoctoproject.org/cgit/cgit.cgi/meta-spdxscanner/

Installation instructions See: https://git.yoctoproject.org/cgit/cgit.cgi/meta-spdxscanner/tree/README.md
How to use See README in installation instructions.

Questions can go to: https://lists.yoctoproject.org/g/licensing

Versions supported SPDX 2.1, SPDX 2.2 (WIP)