Open Source Tools

This page lists Open Source tools that support SPDX.

Augur

Support

Produce (Analyze)

Functionality

Augur is a tool for collecting and consuming open source software health and sustainability metrics and data. One of the functionalities of a standard Augur installation is to scan projects to collect license information and create SPDX documents from the results.

Augur APIs and web UI are available for the creation of SPDX documents. See the primary Augur instance at http://augur.osshealth.io/ for demonstration.

Versions Supported

SPDX 2.1

SBOM Types

Analyze

bom

Support

Produce (Build, Analyze) Consume (View), Transform (Tools Support)

Functionality

bom is the SBOM tool written by the Kubernetes community to generate the bill of materials of Kubernetes releases. The tool is used by several cloud native projects to generate their SBOMs.

bom can generate an SBOM through analysis of several sources. It supports output in tag-value format and JSON, and it also supports visualization and querying of documents.

Versions Supported

SPDX 2.3

SBOM Types

Source, Build

Cavil

Support

Author after Creation (Audit tool)

Functionality

Cavil is a legal review and Software Bill of Materials (SBOM) system for the Open Build Service. It is used in the development of openSUSE Tumbleweed, openSUSE Leap, as well as SUSE Linux Enterprise.

Versions Supported

SPDX 2.2

CycloneDX CLI

Support

Consume (View), Consume (Diff), Transform (Translate), Transform (Merge)

Functionality

A command line tool incorporating many common utilities including converting between SBOM formats.

Installation Instructions

N/A

Versions Supported

SPDX 2.2

distro2sbom

Support

Produce (Analyze)

Functionality

DISTRO2SBOM generates an SBOM (Software Bill of Materials) for either an installed application or a complete system installation in a number of formats including SPDX and CycloneDX. An SBOM for an installed package identifies all of its dependent components.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.

Versions Supported

SPDX 2.2, SPDX 2.3

FOSSLight

Support

Produce (Analyze), Produce (Manual), Consume (View), Consume (Import), Transform (Translate), Transform (Merge)

Functionality

FOSSLight helps organizations develop and distribute software containing open source software that must follow the OSC (Open Source Compliance) process. FOSSLight Hub is an integrated system that manages license compliance as well as open source vulnerability tracking and monitoring per project.

Versions Supported

SPDX 2.2

FOSSology

Support

Produce (Analyze), Produce (Manual), Consume (View), Consume (Diff), Consume (Analyze), Transform (Translate), Transform (Merge), Transform (Tool Support)

Functionality

FOSSology is an open source license compliance software system and toolkit allowing users to run license, copyright and export control scans from a REST API.

As a system, it provides a database and web UI to support a compliance workflow.

As a toolkit, it provides multiple license, copyright and export control scanners to help with compliance activities.

Versions Supported

SPDX 2.1, SPDX 2.2

GitHub Self-Service SBOMs

Support

Produce(Analyze)

Functionality

GitHub provides an Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SPDX SBOM with a single click. The resulting JSON file records project dependencies and metadata, such as versions and licenses, in the industry-standard SPDX format, which can then be used with security and compliance workflows and tools, or reviewed in Microsoft Excel (use a JSON-to-CSV converter for compatibility with Google Sheets).

Installation Instructions

N/A – available in every GitHub repo

See: https://github.blog/2023-03-28-introducing-self-service-sboms/

Versions Supported

SPDX 2.3

GUAC (Graph for Understanding Artifact Composition)

Support

Consume (Import), Transform (Tool Support)

Functionality

GUAC aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

Location

Website: https://guac.sh/

Versions Supported

SPDX 2.3

in-toto

Support

Produce(Build)

Functionality

Creates attestations to link artifacts together as they move through the chain of custody.

How to Use

contact team – currently WIP

Versions Supported

SPDX 2.3

lib4sbom

Support

Transform (Tool Support)

Functionality

Lib4SBOM is a library to parse and generate Software Bill of Materials (SBOMs). It supports SBOMs created in both SPDX and CycloneDX formats.

It has been developed on the assumption that having a generic abstraction of SBOM regardless of the underlying format will be useful to developers.

Versions Supported

SPDX 2.2, SPDX 2.3

Nix / Nixpkgs

Support

Produce(Build)

Functionality

Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Nixpkgs is a collection of over 80,000 software packages with verifiable transitive SBOMs already in existence.

References

https://edolstra.github.io/pubs/phd-thesis.pdf

Versions Supported

Can output SPDX and CycloneDX formats; internally it uses a far more comprehensive format that allows for reproducible and verifiable builds.

ntia-conformance-checker

Support

Consume(Import)

Functionality

This tool determines whether an SPDX SBOM document contains the National Telecommunications and Information Administration (NTIA) “minimum elements”.

Versions Supported

SPDX 2.2, SPDX 2.3

Open Source Software Review Toolkit (ORT)

Support

Produce(Build), Consume(Import), Consume(Diff)

Functionality

Creates SPDX SBOMs from a variety of package managers during builds of products. Supports SPDX package/project manifests.

Versions Supported

SPDX 2.2

Parlay

Support

Consume(Analyze), Transform(Translate), Transform(Tool Support)

Functionality

Parlay is a tool to enrich SBOMs with information taken from external services.

Versions Supported

SPDX 2.3

Protobom

Support

Consume(Import), Transform(Translate)

Functionality

A universal SBOM representation in protocol buffers. Translates between SPDX and CycloneDX SBOM formats.

Versions Supported

SPDX 2.3

REUSE

Support

Produce(Build), Produce(Analyze)

Functionality

The REUSE helper tool assists with achieving and confirming REUSE compliance. It downloads the full license texts, adds copyright and license information to file headers, and contains a linter to identify problems. With it, you can generate a software bill of materials.

How to Use

$ reuse lint spdx

Versions Supported

SPDX 2.1, SPDX 2.2, SPDX 2.3

sbom-manager

Support

Consume (View)

Functionality

The SBOM Manager is a free, open source tool to help manage a collection of SBOMs (Software Bills of Materials) in a number of formats including SPDX and CycloneDX.

The tool has two modes of operation:

1. A repository which maintains the set of components which have been included as part of a release or build of a software product.
2. Tools for querying the inclusion of specific products in a project development to answer some common use cases.

Versions Supported

SPDX 2.2, SPDX 2.3

sbom2doc

Support

Consume (View)

Functionality

SBOM2DOC documents and summarises the components within an SBOM (Software Bill of Materials). SBOMs are supported in a number of formats including SPDX and CycloneDX.

Versions Supported

SPDX 2.2, SPDX 2.3

sbom2dot

Support

Consume (View)

Functionality

SBOM2DOT generates a dependency graph of the components within an SBOM (Software Bill of Materials). The format of the graph file is compatible with the DOT language used by the GraphViz application. SBOMs are supported in a number of formats including SPDX and CycloneDX.

Versions Supported

SPDX 2.2, SPDX 2.3

sbom4files

Support

Produce (Build)

Functionality

SBOM4Files generates an SBOM (Software Bill of Materials) for a directory in a number of formats including SPDX and CycloneDX. It identifies all files within a directory and includes license and copyright information, where possible, for each file.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained, typically through the build development phase, and also to support subsequent audit needs to determine if a particular component has been used.

Versions Supported

SPDX 2.2, SPDX 2.3

sbom4python

Support

Produce (Build)

Functionality

SBOM4Python is a free, open source tool to generate an SBOM (Software Bill of Materials) for an installed Python module in a number of formats including SPDX and CycloneDX. It identifies all of the dependent components which are explicitly defined (typically via a requirements.txt file) or implicitly present as hidden dependencies.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.

Versions Supported

SPDX 2.2, SPDX 2.3

sbom4rust

Support

Produce (Build)

Functionality

SBOM4Rust generates an SBOM (Software Bill of Materials) for a Rust application or library in a number of formats including SPDX and CycloneDX. It identifies all the dependent components which are explicitly defined in the Cargo.lock file and reports the relationships between the components.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.

Versions Supported

SPDX 2.2, SPDX 2.3

sbomaudit

Support

Consume (View)

Functionality

SBOMAUDIT reports on the quality of the contents of an SBOM (Software Bill of Materials) by performing a number of checks. SBOMs are supported in a number of formats including SPDX and CycloneDX.

Versions Supported

SPDX 2.2, SPDX 2.3

sbomdiff

Support

Consume (Diff)

Functionality

SBOMDiff is a tool that compares two Software Bill of Materials (SBOM) files and reports the differences. It supports SBOMs created in both SPDX and CycloneDX formats.

Versions Supported

SPDX 2.2, SPDX 2.3

sbommerge

Support

Transform (Merge)

Functionality

SBOMMerge merges two Software Bill of Materials (SBOM) documents together. It supports SBOMs created in both SPDX and CycloneDX formats.

Versions Supported

SPDX 2.2, SPDX 2.3

sbomqs

Support

Consume(Import)

Functionality

sbomqs is a tool to assess the quality of SBOMs. The higher the score, the more consumable your SBOMs are, according to the following factors:

  1. Identify and list all components of your product along with their transitive dependencies.
  2. List all your components along with their versions and content checksums.
  3. Include accurate component licenses.
  4. Include accurate lookup identifiers (purls or CVEs).
  5. The quality of an SBOM depends a lot on the lifecycle stage at which it was generated; closer to build time is ideal.
  6. Signed SBOMs.
  7. Should lay out information based on industry-standard specs like CycloneDX, SPDX and SWID.

How to Use

$ sbomqs score <sbom-file>

See: https://github.com/interlynk-io/sbomqs#usage

Versions Supported

SPDX 2.2, SPDX 2.3

sbomtrend

Support

Consume (Diff)

Functionality

SBOMTrend analyses a directory of SBOM (Software Bill of Materials) files in either SPDX or CycloneDX format. It analyses all SBOM files within the directory and identifies license and version changes for each component.

Versions Supported

SPDX 2.2, SPDX 2.3

sbom-tool

Support

Produce(Analyze)

Functionality

The SBOM tool is a highly scalable and enterprise-ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts. The tool uses the Component Detection libraries to detect components and the ClearlyDefined API to populate license information for these components.

How to Use

$ sbom-tool generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <package supplier> -nsb <namespace uri base>

See: https://github.com/microsoft/sbom-tool#sbom-generation

Versions Supported

SPDX 2.2

ScanCode Toolkit

Support

Produce(Analyze)

Functionality

ScanCode detects licenses, copyrights, package manifests, direct dependencies and more, in both source code and binary files.

  • As a standalone command line tool, ScanCode is easy to install, run and embed in your CI/CD processing pipeline. It runs on Windows, macOS and Linux.
  • Written in Python, ScanCode is easy to extend with plugins to contribute new and improved scanners, data summarization, package manifest parsers and new outputs.
  • Scan results can be saved as JSON, HTML, CSV or SPDX.

There is a companion ScanCode workbench GUI app to review and display scan results, statistics and graphics.

How to Use

https://github.com/nexB/scancode-toolkit#quick-start

To generate SPDX documents use option:

--spdx-rdf FILE (for SPDX RDF document)

--spdx-tv FILE (for SPDX Tag/Value document)

See also: https://scancode-toolkit.readthedocs.io/en/latest/

Versions Supported

SPDX 2.1, SPDX 2.2

SCANOSS

Support

Produce(Analyze), Consume(Import)

Functionality

Software Composition Analysis (SCA)

Versions Supported

SPDX 2.2 lite

SPDX Golang Libraries

Support

Consume(Analyze), Transform(Translate), Transform(Tool Support)

Functionality

Tools-golang is a collection of Go packages intended to make it easier for Go programs to work with SPDX files.

Versions Supported

SPDX 2.1, SPDX 2.2, SPDX 2.3

SPDX Java Libraries and Tools

Support

Consume(View), Consume(Diff), Consume(Analyze), Transform(Translate), Transform(Merge), Transform(Tool Support)

Functionality

Support consuming and producing SPDX documents within a Java language environment. Includes several useful utilities such as comparison of SPDX documents, license matching, and conversion of formats.

Can also be used as a command line utility. The following commands are supported:

  • TagToSpreadsheet – Convert a tag format input file to a spreadsheet output file
  • TagToRDF – Convert a tag format input file to an RDF format output file
  • RdfToTag – Convert an RDF format input file to a tag format output file
  • RdfToHtml – Convert an RDF format input file to an HTML web page output file
  • RdfToSpreadsheet – Convert an RDF format input file to a spreadsheet format output file
  • SpreadsheetToRDF – Convert a spreadsheet input file to an RDF format output file
  • SpreadsheetToTag – Convert a spreadsheet input file to a tag format output file
  • SPDXViewer – Display an SPDX document input file (in either tag/value or RDF format)
  • CompareMultipleSpdxDocs – Compare multiple SPDX documents (in either tag/value or RDF formats) and output to a spreadsheet
  • CompareSpdxDocs – Compare two SPDX documents (in either tag/value or RDF format)
  • GenerateVerificationCode – Generate a Verification Code from a directory of files.

Installation Instructions

Tools can be used online at https://tools.spdx.org/app/ or installed as a command line (see https://github.com/spdx/tools-java/blob/master/README.md)

Versions Supported

SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3

SPDX JavaScript Libraries

Support

Consume(Analyze), Transform(Translate), Transform(Tool Support)

Functionality

Support consuming and producing SPDX documents within a Node and JavaScript language environment.

The library is currently under development and is semi-stable.

How to Use

See the README for the current status.

Versions Supported

SPDX 2.1

SPDX Maven Plugin

Support

Produce(Build)

Functionality

Automated production of an SPDX document for a Maven build environment.

Versions Supported

SPDX 2.1, SPDX 2.2, SPDX 2.3

SPDX Online Tools

Support

Consume(View), Consume(Diff), Consume(Import), Transform(Translate), Transform(Tool Support)

Functionality

Online utility with several functions to examine, transform, and edit SPDX documents.

How to Use

See the website

For access to the tools through an online API – see https://github.com/spdx/spdx-online-tools#how-to-use-api

Versions Supported

SPDX 2.1, SPDX 2.2, SPDX 2.3

SPDX Python Libraries

Support

Consume(Analyze), Transform(Translate), Transform(Tool Support)

Functionality

Support consuming and producing SPDX documents within a Python language environment.

Versions Supported

SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3

spdx-sbom-generator

Support

Produce(Analyze)

Functionality

spdx-sbom-generator is a tool to help those in the community who want to generate SPDX Software Bills of Materials (SBOMs) with current package managers. It has a command line interface (CLI) that lets you generate SBOM information, including components, licenses, copyrights, and security references of your software, using the SPDX v2.2 specification and aligning with the currently known NTIA minimum elements.

Versions Supported

SPDX 2.2, SPDX 2.3

SW360

Support

Consume(View), Consume(Diff), Consume(Import), Transform(Merge)

Functionality

SW360 is a software component catalogue application – designed to work with FOSSology.

SW360 is a server with a REST interface and a Liferay portal application to maintain your projects / products and the software components within them.

It can manage SPDX files for checking the license conditions and maintain license information.

In addition to license information, SW360 can import Software BOM files in SPDX format to automatically create records for software components and a product in the database.

Versions Supported

SPDX 2.1, SPDX 2.2, SPDX 2.3

Syft

Support

Produce(Analyze), Transform(Translate)

Functionality

Syft is a content analyzer and SBOM generator for container images and filesystems. Syft supports a large variety of package ecosystems and can provide output in several formats. Syft also includes a first-class Go library that can be leveraged for SBOM capabilities within other projects.

How to Use

$ syft <image> -o spdx-tag-value@2.2
$ syft <image> -o spdx-json

Versions Supported

SPDX 2.2, SPDX 2.3

Tern

Support

Produce(Analyze)

Functionality

Tern is a software composition analysis tool and Python library that generates an SBOM for container images and Dockerfiles. Tern can also integrate with and extend the functionality of other inspection tools like ScanCode to find file-level metadata.

How to Use

$ tern report -f spdxtagvalue -i <container> -o spdx.txt
$ tern report -f spdxtagvalue -d <Dockerfile> -o spdx.txt

Versions Supported

SPDX 2.2, SPDX 2.3 (WIP)

Yocto Project / OpenEmbedded

Support

Produce(Build)

Functionality

The Yocto Project, through the OpenEmbedded build system, supports creation of embedded system distros, including Linux and other RTOSes. SBOM data is generated using the extensive metadata that Yocto already tracks about the software it builds. This includes license descriptions, build time dependencies, runtime dependencies, and scanning of debug data for source code relationships. The output from the tool is a collection of SPDX JSON files with a rich set of inter-document references.

How to Use

Add the following line to local.conf:
INHERIT += "create-spdx"

Versions Supported

SPDX 2.2