spdx

Top 21 spdx Open-Source Projects

  • syft

    CLI tool and library for generating a Software Bill of Materials from container images and filesystems

  • Project mention: An Overview of Kubernetes Security Projects at KubeCon Europe 2023 | dev.to | 2023-05-22

    Syft is a popular open source CLI tool created by Anchore for generating an SBOM from container images and filesystems. It’s designed to provide a catalog of dependencies for other tools to use as a data source. It supports many popular programming languages, package managers, and container image formats.

  • scancode-toolkit

    ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!

  • Project mention: ScanCode: Scan license and packages, dependencies and origin information | news.ycombinator.com | 2023-08-11
  • ort

    A suite of tools to automate software compliance checks.

  • tern

    Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (by tern-tools)

  • fossology

    FOSSology is an open source license compliance software system and toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and web ui are provided to give you a compliance workflow. License, copyright and export scanners are tools used in the workflow.

  • purl-spec

    A minimal specification for purl, a.k.a. a package "mostly universal" URL; join the discussion at https://gitter.im/package-url/Lobby

  • Project mention: Purl: A Simple Tool for Text Processing | news.ycombinator.com | 2024-04-12
  • cargo-about

    📜 Cargo plugin to generate list of all licenses for a crate 🦀

  • bomber

    Scans Software Bill of Materials (SBOMs) for security vulnerabilities

  • reuse-tool

    reuse is a tool for compliance with the REUSE recommendations.

  • Project mention: Releasing AGPL3 project: SPDX vs full notice text and other questions | /r/gnu | 2023-06-01

    The SPDX header is due to a project called REUSE, which is spearheaded by the FSF Europe. You can read more about the project here. Basically you just have to add the copyright header in the format

  • chainloop

    Chainloop is an Open Source Metadata Vault for your Software Supply Chain metadata, SBOMs, VEX, SARIF files, QA reports, and more.

  • Project mention: Choosing the “old stuff” as plugin SDK for Go in 2023 | news.ycombinator.com | 2023-07-06
  • bom

    A utility to generate SPDX-compliant Bill of Materials manifests

  • cyclonedx-maven-plugin

    Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

  • Project mention: Krita fund has 0 corporate support | news.ycombinator.com | 2023-10-05

    As others have already commented:

    The US government has added SBOMs to a proposed rule to update the Federal Acquisition Regulation. So if you want to sell to the US Government you'll have to provide SBOMs: https://www.federalregister.gov/documents/2023/10/03/2023-21...

    Lots of large companies require SBOMs from their supplier.

    In the EU we will get the Cyber Resilience Act which will make them mandatory as well in certain cases: https://data.consilium.europa.eu/doc/document/ST-12536-2023-...

    And yes, there are basically two technical standards to provide them: SPDX and CycloneDX: https://cyclonedx.org/

  • spdx-spec

    The SPDX specification in MarkDown and HTML formats.

  • cyclonedx-gradle-plugin

    Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects

  • SBOM Quality Score

    SBOM quality score - Quality metrics for your SBOMs

  • scancode.io

    ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!

  • cyclonedx-core-java

    CycloneDX SBOM Model and Utils for Creating and Validating BOMs

  • Project mention: Dependency inventory / dashboard for multiple maven projects | /r/java | 2023-06-08
  • spdx-license-matcher

    A tool to match license text against the SPDX license list using an algorithm that finds close matches. It follows the SPDX Matching Guidelines to keep the substantive text and ignore the replaceable text for matching purposes.

  • spdx.el

    Insert SPDX license header

  • lice-comb

    A Clojure library for software license detection.

  • spdx-dependency-track

    A simple application to crawl your GitHub repositories, export SBOMs in SPDX format, and ingest these for licensing analysis.

  • Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21
NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

spdx related posts

  • ScanCode: Scan license and packages, dependencies and origin information

    1 project | news.ycombinator.com | 11 Aug 2023
  • Dependency inventory / dashboard for multiple maven projects

    2 projects | /r/java | 8 Jun 2023
  • Who in your organization is responsible for deciding and implementing AppSec tools? And any recommendations for a reliable alternative for Snyk tools? Thanks!

    1 project | /r/cybersecurity | 8 May 2023
  • SBOM management program?

    1 project | /r/Information_Security | 4 May 2023
  • 12 Things You Might Not Know About Buildpacks

    8 projects | dev.to | 1 Dec 2022
  • How to Automate the Software Bill of Materials (SBOM)

    1 project | dev.to | 17 Nov 2022
  • What is SBOM

    1 project | dev.to | 14 Nov 2022

Index

What are some of the best open-source spdx projects? This list will help you:

Rank  Project                  Stars
1     syft                     5,477
2     scancode-toolkit         1,973
3     ort                      1,478
4     tern                       935
5     fossology                  750
6     purl-spec                  620
7     cargo-about                480
8     bomber                     454
9     reuse-tool                 345
10    chainloop                  306
11    bom                        297
12    cyclonedx-maven-plugin     273
13    spdx-spec                  268
14    cyclonedx-gradle-plugin    140
15    SBOM Quality Score         132
16    scancode.io                 88
17    cyclonedx-core-java         68
18    spdx-license-matcher        25
19    spdx.el                     12
20    lice-comb                    6
21    spdx-dependency-track        1
