Open Source Tools
Augur
Support
Produce (Analyze)
Functionality
Augur is a tool for collecting and consuming open source software health and sustainability metrics and data. One of the functionalities of a standard Augur implementation is to scan projects to collect license information and create SPDX documents from the results.
Augur APIs and web UI are available for the creation of SPDX documents. See the primary Augur instance at http://augur.osshealth.io/ for demonstration.
Location
Website: http://www.augurlabs.io/
Source: https://github.com/chaoss/augur/
Installation Instructions
Versions Supported
SPDX 2.1
SBOM Types
Analyze
bom
Support
Produce (Build, Analyze), Consume (View), Transform (Tools Support)
Functionality
bom is the SBOM tool written by the Kubernetes community to generate the bill of materials of Kubernetes releases. The tool is used by several cloud native projects to generate their SBOMs.
bom can generate an SBOM through analysis of several sources. It supports output in tag-value format and JSON. It also supports visualization and querying of documents.
Location
Installation Instructions
Versions Supported
SPDX 2.3
SBOM Types
Source, Build
Cavil
Support
Author after Creation (Audit tool)
Functionality
Cavil is a legal review and Software Bill of Materials (SBOM) system for the Open Build Service. It is used in the development of openSUSE Tumbleweed, openSUSE Leap, as well as SUSE Linux Enterprise.
Location
Installation Instructions
Versions Supported
SPDX 2.2
CycloneDX CLI
Support
Consume (View), Consume (Diff), Transform (Translate), Transform (Merge)
Functionality
A command line tool incorporating many common utilities including converting between SBOM formats.
Location
Installation Instructions
N/A
How to Use
Versions Supported
SPDX 2.2
distro2sbom
Support
Produce (Analyze)
Functionality
DISTRO2SBOM generates an SBOM (Software Bill of Materials) for either an installed application or a complete system installation in a number of formats including SPDX and CycloneDX. An SBOM for an installed package will identify all of its dependent components.
It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
FOSSLight
Support
Produce (Analyze), Produce (Manual), Consume (View), Consume (Import), Transform (Translate), Transform (Merge)
Functionality
FOSSLight helps organizations develop and distribute software containing open source software that must follow the OSC (Open Source Compliance) process. FOSSLight Hub is an integrated system that can manage license compliance as well as open source vulnerability monitoring by project.
Location
Website: https://fosslight.org/
Installation Instructions
Versions Supported
SPDX 2.2
FOSSology
Support
Produce (Analyze), Produce (Manual), Consume (View), Consume (Diff), Consume (Analyze), Transform (Translate), Transform (Merge), Transform (Tool Support)
Functionality
FOSSology is an open source license compliance software system and toolkit that allows users to run license, copyright and export control scans from a REST API.
As a system, a database and web UI are provided to support a compliance workflow.
As a toolkit, multiple license, copyright and export control scanners are available to help with compliance activities.
Location
Website: https://www.fossology.org/
Source: https://github.com/fossology
Installation Instructions
Versions Supported
SPDX 2.1, SPDX 2.2
GitHub Self-Service SBOMs
Support
Produce(Analyze)
Functionality
GitHub provides an Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SPDX SBOM with a single click. The resulting JSON file records project dependencies and metadata, such as versions and licenses, in the industry standard SPDX format, which can then be used with security and compliance workflows and tools, or reviewed in Microsoft Excel (use a JSON-to-CSV converter for compatibility with Google Sheets).
Location
Installation Instructions
N/A – available in every GitHub repo
See: https://github.blog/2023-03-28-introducing-self-service-sboms/
Versions Supported
SPDX 2.3
GUAC (Graph for Understanding Artifact Composition)
Support
Consume (Import), Transform (Tool Support)
Functionality
GUAC aggregates software security metadata into a high-fidelity graph database, normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
Location
Website: https://guac.sh/
Installation Instructions
How to Use
Versions Supported
SPDX 2.3
in-toto
Support
Produce(Build)
Functionality
Creates attestations to link artifacts together as they move through the chain of custody.
Location
Website: https://in-toto.io
Source: https://github.com/in-toto/
Installation Instructions
How to Use
contact team – currently WIP
Versions Supported
SPDX 2.3
lib4sbom
Support
Transform (Tool Support)
Functionality
Lib4SBOM is a library to parse and generate Software Bill of Materials (SBOMs). It supports SBOMs created in both SPDX and CycloneDX formats.
It has been developed on the assumption that having a generic abstraction of SBOM regardless of the underlying format will be useful to developers.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
Nix / Nixpkgs
Support
Produce(Build)
Functionality
Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Nixpkgs is a collection of over 80,000 software packages with verifiable transitive SBOMs already in existence.
Location
Website: https://nixos.org
Source: https://github.com/NixOS/nix and https://github.com/NixOS/nixpkgs
Installation Instructions
References
https://edolstra.github.io/pubs/phd-thesis.pdf
Versions Supported
Can output SPDX and CycloneDX formats. Internally it uses a far more comprehensive format that allows for reproducible and verifiable builds.
ntia-conformance-checker
Support
Consume(Import)
Functionality
This tool determines whether a SPDX SBOM document contains the National Telecommunications and Information Administration (NTIA) “minimum elements”.
Location
Installation Instructions
Versions Supported
SPDX 2.2, SPDX 2.3
Open Source Software Review Toolkit (ORT)
Support
Produce(Build), Consume(Import), Consume(Diff)
Functionality
Creates SPDX SBOMs from a variety of package managers during builds of products. Supports the SPDX package/project manifest.
Location
Website: http://oss-review-toolkit.org/
Installation Instructions
Versions Supported
SPDX 2.2
Parlay
Support
Consume(Analyze), Transform(Translate), Transform(Tool Support)
Functionality
Parlay is a tool to enrich SBOMs with information taken from external services.
Location
Website: https://github.com/snyk/parlay
Installation Instructions
Versions Supported
SPDX 2.3
Protobom
Support
Consume(Import), Transform(Translate)
Functionality
A universal SBOM representation in protocol buffers. Translates between SPDX and CycloneDX SBOM formats.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.3
REUSE
Support
Produce(Build), Produce(Analyze)
Functionality
The REUSE helper tool assists with achieving and confirming REUSE compliance. It downloads the full license texts, adds copyright and license information to file headers, and contains a linter to identify problems. With it, you can generate a software bill of materials.
Location
Website: https://reuse.software/
Source: https://git.fsfe.org/reuse/tool
Installation Instructions
How to Use
$ reuse lint
$ reuse spdx
Versions Supported
SPDX 2.1, SPDX 2.2, SPDX 2.3
sbom-manager
Support
Consume (View)
Functionality
The SBOM Manager is a free, open source tool to help manage a collection of SBOMs (Software Bill of Materials) in a number of formats including SPDX and CycloneDX.
The tool has two modes of operation:
1. A repository which maintains the set of components which have been included as part of a release or build of a software product.
2. Tools for querying the inclusion of specific products in a project development to answer some common use cases.
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbom2doc
Support
Consume (View)
Functionality
SBOM2DOC documents and summarises the components within an SBOM (Software Bill of Materials). SBOMs are supported in a number of formats including SPDX and CycloneDX.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbom2dot
Support
Consume (View)
Functionality
SBOM2DOT generates a dependency graph of the components within an SBOM (Software Bill of Materials). The format of the graph file is compatible with the DOT language used by the GraphViz application. SBOMs are supported in a number of formats including SPDX and CycloneDX.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbom4files
Support
Produce (Build)
Functionality
SBOM4Files generates an SBOM (Software Bill of Materials) for a directory in a number of formats including SPDX and CycloneDX. It identifies all files within a directory and includes license and copyright information, where possible, for each file.
It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained, typically through the build development phase, and also to support subsequent audit needs to determine if a particular component has been used.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbom4python
Support
Produce (Build)
Functionality
SBOM4Python is a free, open source tool to generate an SBOM (Software Bill of Materials) for an installed Python module in a number of formats including SPDX and CycloneDX. It identifies all of the dependent components which are explicitly defined (typically via a requirements.txt file) or implicitly present as a hidden dependency.
It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbom4rust
Support
Produce (Build)
Functionality
SBOM4Rust generates an SBOM (Software Bill of Materials) for a Rust application or library in a number of formats including SPDX and CycloneDX. It identifies all the dependent components which are explicitly defined in the Cargo.lock file and reports the relationships between the components.
It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbomaudit
Support
Consume (View)
Functionality
SBOMAUDIT reports on the quality of the contents of an SBOM (Software Bill of Materials) by performing a number of checks. SBOMs are supported in a number of formats including SPDX and CycloneDX.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbomdiff
Support
Consume (Diff)
Functionality
SBOMDiff is a tool to compare two Software Bill of Materials (SBOM) files and report the differences. It supports SBOMs created in both SPDX and CycloneDX formats.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbommerge
Support
Transform (Merge)
Functionality
SBOMMerge merges two Software Bill of Materials (SBOM) documents together. It supports SBOMs created in both SPDX and CycloneDX formats.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbomqs
Support
Consume(Import)
Functionality
sbomqs is a tool to assess the quality of SBOMs. The higher the score, the more consumable your SBOMs are, according to the following factors:
- Identify and list all components of your product along with their transitive dependencies.
- List all your components along with their versions and content checksums.
- Include accurate component licenses.
- Include accurate lookup identifiers (purls or CPEs).
- SBOM quality depends a lot on the lifecycle stage at which it was generated; closer to build time is ideal.
- Signed SBOMs.
- Lay out information according to industry standard specifications such as CycloneDX, SPDX and SWID.
Location
Installation Instructions
How to Use
$ sbomqs score <sbom-file>
Versions Supported
SPDX 2.2, SPDX 2.3
sbomtrend
Support
Consume (Diff)
Functionality
SBOMTrend analyses a directory of SBOM (Software Bill of Materials) files in either SPDX or CycloneDX format. It analyses all SBOM files within the directory and identifies license and version changes for each component.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.2, SPDX 2.3
sbom-tool
Support
Produce(Analyze)
Functionality
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts. The tool uses the Component Detection libraries to detect components and the ClearlyDefined API to populate license information for these components.
Location
Installation Instructions
How to Use
$ sbom-tool generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <package supplier> -nsb <namespace uri base>
Versions Supported
SPDX 2.2
ScanCode Toolkit
Support
Produce(Analyze)
Functionality
ScanCode detects licenses, copyrights, package manifests, direct dependencies and more, in both source code and binary files.
- As a standalone command line tool, ScanCode is easy to install, run and embed in your CI/CD processing pipeline. It runs on Windows, macOS and Linux.
- Written in Python, ScanCode is easy to extend with plugins to contribute new and improved scanners, data summarization, package manifest parsers and new outputs.
- Scan results can be saved as JSON, HTML, CSV or SPDX.
There is a companion ScanCode workbench GUI app to review and display scan results, statistics and graphics.
Location
Installation Instructions
How to Use
https://github.com/nexB/scancode-toolkit#quick-start
To generate SPDX documents use one of the following options:
--spdx-rdf FILE (for an SPDX RDF document)
--spdx-tv FILE (for an SPDX Tag/Value document)
See also: https://scancode-toolkit.readthedocs.io/en/latest/
Versions Supported
SPDX 2.1, SPDX 2.2
SCANOSS
Support
Produce(Analyze), Consume(Import)
Functionality
Software Composition Analysis (SCA)
Location
Website: https://www.scanoss.co.uk/
Source: https://github.com/scanoss
Installation Instructions
How to Use
Versions Supported
SPDX 2.2 lite
SPDX Golang Libraries
Support
Consume(Analyze), Transform(Translate), Transform(Tool Support)
Functionality
Tools-golang is a collection of Go packages intended to make it easier for Go programs to work with SPDX files.
Location
Website: https://github.com/spdx/tools-golang
Installation Instructions
How to Use
Versions Supported
SPDX 2.1, SPDX 2.2, SPDX 2.3
SPDX Java Libraries and Tools
Support
Consume(View), Consume(Diff), Consume(Analyze), Transform(Translate), Transform(Merge), Transform(Tool Support)
Functionality
Supports consuming and producing SPDX documents within a Java language environment. Includes several useful utilities such as comparison of SPDX documents, license matching, and conversion of formats.
Can also be used as a command line utility. The following commands are supported:
- TagToSpreadsheet – Convert a tag format input file to a spreadsheet output file
- TagToRDF – Convert a tag format input file to an RDF format output file
- RdfToTag – Convert an RDF format input file to a tag format output file
- RdfToHtml – Convert an RDF format input file to an HTML web page output file
- RdfToSpreadsheet – Convert an RDF format input file to a spreadsheet format output file
- SpreadsheetToRDF – Convert a spreadsheet input file to an RDF format output file
- SpreadsheetToTag – Convert a spreadsheet input file to a tag format output file
- SPDXViewer – Display an SPDX document input file (in either tag/value or RDF format)
- CompareMultipleSpdxDocs – Compare multiple SPDX documents (in either tag/value or RDF formats) and output to a spreadsheet
- CompareSpdxDocs – Compare two SPDX documents (in either tag/value or RDF format)
- GenerateVerificationCode – Generate a Verification Code from a directory of files.
Location
Website: https://github.com/spdx/tools-java
Installation Instructions
Tools can be used online at https://tools.spdx.org/app/ or installed as a command line (see https://github.com/spdx/tools-java/blob/master/README.md)
How to Use
Versions Supported
SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3
SPDX JavaScript Libraries
Support
Consume(Analyze), Transform(Translate), Transform(Tool Support)
Functionality
Supports consuming and producing SPDX documents within a Node and JavaScript language environment.
The library is currently under development and is semi-stable.
Location
Installation Instructions
How to Use
The library is currently under development and is semi-stable. See the README for the current status.
Versions Supported
SPDX 2.1
SPDX Maven Plugin
Support
Produce(Build)
Functionality
Automated production of an SPDX document for a Maven build environment.
Location
Installation Instructions
How to Use
Versions Supported
SPDX 2.1, SPDX 2.2, SPDX 2.3
SPDX Online Tools
Support
Consume(View), Consume(Diff), Consume(Import), Transform(Translate), Transform(Tool Support)
Functionality
Online utility with several functions to examine, transform, and edit SPDX documents.
Location
Website: https://tools.spdx.org/app/
Installation Instructions
How to Use
See the website
For access to the tools through an online API – see https://github.com/spdx/spdx-online-tools#how-to-use-api
Versions Supported
SPDX 2.1, SPDX 2.2, SPDX 2.3
SPDX Python Libraries
Support
Consume(Analyze), Transform(Translate), Transform(Tool Support)
Functionality
Supports consuming and producing SPDX documents within a Python language environment.
Location
Website: https://github.com/spdx/tools-python
Installation Instructions
How to Use
Versions Supported
SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3
spdx-sbom-generator
Support
Produce(Analyze)
Functionality
spdx-sbom-generator is a tool to help those in the community who want to generate SPDX Software Bill of Materials (SBOMs) with current package managers. It has a command line interface (CLI) that lets you generate SBOM information, including components, licenses, copyrights, and security references of your software, using the SPDX v2.2 specification and aligning with the currently known NTIA minimum elements.
Location
Source + Website: https://github.com/opensbom-generator/spdx-sbom-generator
Installation Instructions
How to Use
See https://github.com/opensbom-generator/spdx-sbom-generator#command-options
$ ./spdx-sbom-generator -o /out/spdx/
Versions Supported
SPDX 2.2, SPDX 2.3
SW360
Support
Consume(View), Consume(Diff), Consume(Import), Transform(Merge)
Functionality
SW360 is a software component catalogue application designed to work with FOSSology.
SW360 is a server with a REST interface and a Liferay portal application to maintain your projects / products and the software components within them.
It can manage SPDX files for checking license conditions and maintaining license information.
In addition to license information, SW360 can import Software BOM files in SPDX format to automatically create records for software components and a product in the database.
Location
Website: https://www.eclipse.org/sw360/
Source: https://github.com/eclipse/sw360
Installation Instructions
How to Use
Versions Supported
SPDX 2.1, SPDX 2.2, SPDX 2.3
Syft
Support
Produce(Analyze), Transform(Translate)
Functionality
Syft is a content analyzer and SBOM generator for container images and filesystems. Syft supports a large variety of package ecosystems and can provide output in several formats. Syft also includes a first-class Go library that can be leveraged for SBOM capabilities within other projects.
Location
Website: https://github.com/anchore/syft#readme
Source: https://github.com/anchore/syft
Installation Instructions
How to Use
$ syft <image> -o spdx-tag-value@2.2
$ syft <image> -o spdx-json
Versions Supported
SPDX 2.2, SPDX 2.3
Tern
Support
Produce(Analyze)
Functionality
Tern is a software composition analysis tool and Python library that generates an SBOM for container images and Dockerfiles. Tern can also integrate and extend the functionality of other inspection tools, such as ScanCode, to find file-level metadata.
Location
Installation Instructions
How to Use
$ tern report -f spdxtagvalue -i <container> -o spdx.txt
$ tern report -f spdxtagvalue -d <Dockerfile> -o spdx.txt
Versions Supported
SPDX 2.2, SPDX 2.3 (WIP)
Yocto Project / OpenEmbedded
Support
Produce(Build)
Functionality
The Yocto Project, through the OpenEmbedded build system, supports creation of embedded system distros, including Linux and other RTOSes. SBOM data is generated using the extensive metadata that Yocto already tracks about the software it is building. This includes license descriptions, build time dependencies, runtime dependencies, and scanning of debug data for source code relationships. The output from the tool is a collection of SPDX JSON files with a rich set of inter-document references.
Installation Instructions
How to Use
Add the following lines to local.conf:
INHERIT += "create-spdx"
Versions Supported
SPDX 2.2