Top 21 spdx Open-Source Projects
-
syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
-
scancode-toolkit
ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and other generous sponsors!
-
tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (by tern-tools)
-
fossology
FOSSology is an open source license compliance software system and toolkit. As a toolkit, you can run license, copyright and export control scans from the command line. As a system, a database and web UI are provided to give you a compliance workflow. License, copyright and export scanners are tools used in the workflow.
-
purl-spec
A minimal specification for purl, a.k.a. a package "mostly universal" URL. Join the discussion at https://gitter.im/package-url/Lobby
-
chainloop
Chainloop is an Open Source Metadata Vault for your Software Supply Chain metadata, SBOMs, VEX, SARIF files, QA reports, and more.
-
scancode.io
ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/, Google Summer of Code, nexB and other generous sponsors!
-
spdx-license-matcher
A tool to match license text against the SPDX license list using an algorithm that finds close matches. It follows the SPDX Matching Guidelines to keep the substantive text and ignore the replaceable text for matching purposes.
-
spdx-dependency-track
A simple application to crawl your GitHub repositories, export SBOMs in SPDX format, and ingest them for licensing analysis.
Project mention: An Overview of Kubernetes Security Projects at KubeCon Europe 2023 | dev.to | 2023-05-22
Syft is a popular open source CLI tool created by Anchore for generating an SBOM from container images and filesystems. It’s designed to provide a catalog of dependencies for other tools to use as a data source. It supports many popular programming languages, package managers, and container image formats.
Project mention: ScanCode: Scan license and packages, dependencies and origin information | news.ycombinator.com | 2023-08-11
Project mention: Releasing AGPL3 project: SPDX vs full notice text and other questions | /r/gnu | 2023-06-01
The SPDX header is due to a project called REUSE, which is spearheaded by the FSF Europe. You can read more about the project here. Basically you just have to add the copyright header in the format
Project mention: Choosing the “old stuff” as plugin SDK for Go in 2023 | news.ycombinator.com | 2023-07-06
As others have already commented:
The US government has added SBOMs to a proposed rule to update the Federal Acquisition Regulation. So if you want to sell to the US Government you'll have to provide SBOMs: https://www.federalregister.gov/documents/2023/10/03/2023-21...
Lots of large companies require SBOMs from their suppliers.
In the EU we will get the Cyber Resilience Act, which will make them mandatory as well in certain cases: https://data.consilium.europa.eu/doc/document/ST-12536-2023-...
And yes, there are basically two technical standards to provide them: SPDX and CycloneDX: https://cyclonedx.org/
Project mention: Dependency inventory / dashboard for multiple maven projects | /r/java | 2023-06-08
Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21
spdx related posts
-
ScanCode: Scan license and packages, dependencies and origin information
-
Dependency inventory / dashboard for multiple maven projects
-
Who in your organization is responsible for deciding and implementing AppSec tools? And any recommendations for a reliable alternative for Snyk tools? Thanks!
-
SBOM management program?
-
12 Things You Might Not Know About Buildpacks
-
How to Automate the Software Bill of Materials (SBOM)
-
What is SBOM
-
Index
What are some of the best open-source spdx projects? This list will help you:
# | Project | Stars
---|---|---
1 | syft | 5,477 |
2 | scancode-toolkit | 1,973 |
3 | ort | 1,478 |
4 | tern | 935 |
5 | fossology | 750 |
6 | purl-spec | 620 |
7 | cargo-about | 480 |
8 | bomber | 454 |
9 | reuse-tool | 345 |
10 | chainloop | 306 |
11 | bom | 297 |
12 | cyclonedx-maven-plugin | 273 |
13 | spdx-spec | 268 |
14 | cyclonedx-gradle-plugin | 140 |
15 | SBOM Quality Score | 132 |
16 | scancode.io | 88 |
17 | cyclonedx-core-java | 68 |
18 | spdx-license-matcher | 25 |
19 | spdx.el | 12 |
20 | lice-comb | 6 |
21 | spdx-dependency-track | 1 |