spdx-spec
The SPDX specification in MarkDown and HTML formats. (by spdx)
tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (by tern-tools)
Our great sponsors
| spdx-spec | tern | |
|---|---|---|
| 4 | 1 | |
| 268 | 932 | |
| 5.2% | 0.5% | |
| 4.7 | 3.2 | |
| 3 days ago | about 2 months ago | |
| Python | Python | |
| GNU General Public License v3.0 or later | BSD 2-clause "Simplified" License |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
spdx-spec
Posts with mentions or reviews of spdx-spec.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-09-10.
-
What is SBOM
Software package data exchange - SPDX - open source, prepared as machine-readable format, originated in Linux and curated by Linux Foundation
-
How-to choose a FOSS license and implement it
Normative info is on https://spdx.github.io/spdx-spec/ HTH, William
-
SPDX Becomes Internationally Recognized Standard for Software Bill of Materials - Linux Foundation
Although I have to say charging 200CHF for a document licensed under the Creative Commons is ballsy.
tern
Posts with mentions or reviews of tern.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2021-06-30.
-
Learn by reading code: Python standard library design decisions explained
A project you may want to look into adding is Tern [0]. I've had a good time reading through the code over the past couple of weeks, and have found it to be at least not "bad" code, and pretty easy to understand.
Specifically how they are untarring each container layer and creating a chroot jail to run commands inside is fairly self-contained and interesting.
[0] https://github.com/tern-tools/tern
What are some alternatives?
When comparing spdx-spec and tern you can also consider the following projects:
syft - CLI tool and library for generating a Software Bill of Materials from container images and filesystems
ort - A suite of tools to automate software compliance checks.