This page lists Open Source tools that support SPDX.
Augur
Classification | Produce (Audit tool) |
Functionality | Augur is a tool for the consumption of open source software health and sustainability metrics and for data collection. One of the functions of a standard Augur implementation is to scan projects to collect license information and create SPDX documents from the results. Augur APIs and the web UI are available for the creation of SPDX documents. See the primary Augur instance at http://augur.osshealth.io/ for a demonstration. |
Location | Website: http://www.augurlabs.io/; Source: https://github.com/chaoss/augur/ |
Installation instructions | https://oss-augur.readthedocs.io/en/master/getting-started/installation.html |
How to use | https://oss-augur.readthedocs.io/en/master/getting-started/create-a-metric/overview.html |
Versions supported | SPDX 2.1 |
FOSSology
Classification | Author after Creation (Audit tool, Manual), Consume (View, Diff, Analyze), Transform (Translate, Merge, Tool Integration) |
Functionality | FOSSology is an open source license compliance software system and toolkit that allows users to run license, copyright and export control scans from a REST API. As a system, it provides a database and web UI that support a compliance workflow. As a toolkit, it offers multiple license, copyright and export control scanners to help with compliance activities. |
Location | Website: https://www.fossology.org/; Source: https://github.com/fossology |
Installation instructions | https://www.fossology.org/get-started/ |
How to use | https://www.fossology.org/get-started/basic-workflow/ |
Versions supported | SPDX 2.1, SPDX 2.2 (WIP) |
in-toto
Classification | Produce(Author during Build) |
Functionality | Creates attestations to link artifacts together as they move through the chain of custody |
Location | Website: https://in-toto.io; Source: https://github.com/in-toto/ |
Installation instructions | See https://in-toto.readthedocs.io/en/latest/installing.html |
How to use | |
Versions supported | SPDX 2.2 (WIP) |
kernel-spdx-ids
Classification | Author after Creation (Audit tool) |
Functionality | kernel-spdx-ids is a short Golang program that scans a Linux kernel for SPDX short-form identifiers, generating a summary report and optionally an SPDX tag-value document. |
Location | Source: https://github.com/swinslow/kernel-spdx-ids |
Installation instructions | https://github.com/swinslow/kernel-spdx-ids |
How to use | https://github.com/swinslow/kernel-spdx-ids |
Versions supported | SPDX 2.1 |
Longclaw
Classification | Create after Build (Audit tool) |
Functionality | Uses the LLNL ROSE compiler framework to do third-party library identification. Generates valid SPDX documents from analysis of statically linked binaries. Can also verify a vendor supplied SBOM. |
Location | Website: http://rosecompiler.org/; Source: LLNL internal repository |
Installation instructions | Planned as a web service |
How to use | Submit files to Longclaw using the API or the web interface; the file will be analyzed and an SBOM generated. |
Versions supported | SPDX 2.2 (WIP) |
npm-spdx
Classification | Author after Creation (Audit tool) |
Functionality | npm-spdx is a short Golang program that takes an NPM package.json file and its corresponding lock file, and queries NPM to obtain declared license metadata. It generates an SPDX tag-value document with the package licenses and transitive relationships, and optionally generates a JSON summary file as well. |
Location | Source: https://github.com/swinslow/npm-spdx |
Installation instructions | https://github.com/swinslow/npm-spdx |
How to use | https://github.com/swinslow/npm-spdx |
Versions supported | SPDX 2.1 |
Open Source Software Review Toolkit (ORT)
Classification | Author during Build, Consume(Analyze, Diff) |
Functionality | Creates SPDX SBOMs from a variety of package managers during builds of products. Supports the SPDX package/project manifest. |
Location | Website: http://oss-review-toolkit.org/ |
Installation instructions | See: https://github.com/oss-review-toolkit/ort#installation |
How to use | https://github.com/oss-review-toolkit/ort/blob/master/docs/getting-started.md |
Versions supported | SPDX 2.2 (WIP) |
Quartermaster (QMSTR)
Classification | Author during Build |
Functionality | QMSTR integrates into the build systems to learn about the software products, their sources and dependencies. Developers can run QMSTR locally to verify outcomes, review problems, and produce compliance reports. By integrating into DevOps CI/CD cycles, license compliance can become a quality metric for software development. |
Location | Website: https://qmstr.org; Source: https://github.com/QMSTR/qmstr |
Installation instructions | See: https://qmstr.org/documentation/introduction/installation/ |
How to use | https://qmstr.org/documentation/introduction/getting-started/ |
Versions supported | SPDX 2.1, SPDX 2.2 (WIP) |
REUSE
Classification | Author during Build, Author after Creation (Audit tool) |
Functionality | The REUSE helper tool assists with achieving and confirming REUSE compliance. It downloads the full license texts, adds copyright and license information to file headers, and contains a linter to identify problems. With it, you can generate a software bill of materials. |
Location | Website: https://reuse.software/; Source: https://git.fsfe.org/reuse/tool |
Installation instructions | https://git.fsfe.org/reuse/tool/src/branch/master/README.md |
How to use | $ cd path/to/project/; $ reuse lint spdx |
Versions supported | SPDX 2.1, SPDX 2.2 (WIP) |
SwiftBOM – CERT CC SBOM tool
Classification | Create after Build (Manual), Transform(Translate), Consume(View) |
Functionality | Generate valid SPDX document from manual entry of NTIA minimum SBOM or SPDX-Lite fields |
Location | Website: https://sbom.democert.org/sbom/; Source: https://github.com/CERTCC/SBOM/tree/master/sbom-demo |
Installation instructions | See: file INSTALL.md in the git repository https://github.com/CERTCC/SBOM/blob/master/INSTALL.md |
How to use | On the sbom.democert.org site, enter the fields (either minimal NTIA or SPDX-Lite) and any dependencies. You can also import Excel or an SPDX preformatted file. Click on the help icon on top right corner for the Excel template to use for importing. |
Versions supported | SPDX 2.1, SPDX 2.2 (WIP) |
ScanCode.io
Company | nexB Inc. |
Product | ScanCode.io |
Classification | Produce (Analyze, Edit) |
Functionality | ScanCode.io is a server to script and automate Software Composition Analysis (SCA) with ScanPipe pipelines (to meet the special requirements of containers, codebases, packages, etc.) and ScanCode Toolkit. You can generate an SPDX 2.3 SBOM from your Project when you have completed your scan. |
Location | Website: https://github.com/nexB/scancode.io; Information: https://scancodeio.readthedocs.io/en/latest/introduction.html |
Installation instructions | https://scancodeio.readthedocs.io/en/latest/installation.html |
How to use | Create a Project, specifying the codebase(s) and pipeline(s) that you want to use. When the scan is completed and you have reviewed the results, use the Share option to generate an SPDX 2.3 SBOM in .json format. About ScanPipe: https://scancodeio.readthedocs.io/en/latest/scanpipe-concepts.html |
License | Apache-2.0 |
Versions supported | SPDX 2.3 |
SCANOSS
Classification | Consume (Analyze), Author after Creation (Audit Tool) |
Functionality | Software Composition Analysis (SCA) |
Location | Website: https://www.scanoss.co.uk/; Source: https://github.com/scanoss |
Installation instructions | See https://github.com/scanoss/platform/blob/master/DEPLOYMENT.md |
How to use | |
Versions supported | |
SPARTS
Classification | Consume (View, Analyze) |
Functionality | A blockchain ledger to determine the chain of custody of all the software parts of which a product (e.g., an IoT device) is composed. The ledger provides both access to and accountability for software metadata of software parts exchanged among manufacturing supply chain participants. |
Location | Website: https://github.com/hyperledger-labs/SParts |
Installation instructions | https://sparts.readthedocs.io |
How to use | https://sparts.readthedocs.io |
Versions supported | SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2 (WIP) |
SW360
Classification | Consume(View, Diff, Analyze), Transform(Merge) |
Functionality | SW360 is a software component catalogue application designed to work with FOSSology. SW360 is a server with a REST interface and a Liferay portal application to maintain your projects and products and the software components within them. It can manage SPDX files for checking license conditions and maintain license information. In addition to license information, SW360 can import software BOM files in SPDX format to automatically create records for software components and a product in the database. |
Location | Website: https://www.eclipse.org/sw360/; Source: https://github.com/eclipse/sw360 |
Installation instructions | https://github.com/eclipse/sw360/wiki#deploying-sw360 |
How to use | https://github.com/sw360/sw360slides |
Versions supported | SPDX 2.1, SPDX 2.2 (WIP) |
TERN
Classification | Author after Creation (Audit tool) |
Functionality | Tern is an inspection tool to find the metadata of the packages installed in a container image. Tern also has the ability to integrate and extend the functionality of other inspection tools like Scancode to find file level metadata information. |
Location | Website (coming soon): tern.dev |
Installation instructions | See: https://github.com/tern-tools/tern#getting-started |
How to use | $ tern report -f spdxtagvalue -i <container> -o spdx.txt, or $ tern report -f spdxtagvalue -d <Dockerfile> -o spdx.txt |
Versions supported | SPDX 2.1, SPDX 2.2 (WIP) |
Yocto Project / OpenEmbedded
Classification | Author during Build |
Functionality | The Yocto Project, through the OpenEmbedded build system, supports the creation of embedded system distros, including Linux and other RTOSes. By combining build debug information with source code licensing, a precise understanding of the licensing relevant to a binary can be created during builds. |
Location | Website: https://www.yoctoproject.org/; Source: https://git.yoctoproject.org/cgit/cgit.cgi/meta-spdxscanner/ |
Installation instructions | See: https://git.yoctoproject.org/cgit/cgit.cgi/meta-spdxscanner/tree/README.md |
How to use | See the README in the installation instructions. Questions can go to: https://lists.yoctoproject.org/g/licensing |
Versions supported | SPDX 2.1, SPDX 2.2 (WIP) |