  • Stars: 125
  • Rank 286,280 (Top 6 %)
  • Language: Java
  • License: Apache License 2.0
  • Created over 9 years ago
  • Updated over 1 year ago

Repository Details

SPDX Tools

Important Update

This version of the SPDX Java tools is planned to be replaced at the next major release of the SPDX Spec. The new Java tools can be found in the tools-java repo. You are encouraged to switch over to the new version of the SPDX Java tools, which should be stable. If you would like to use a lighter-weight library in your Java application, check out the SPDX Java Library.

Overview

The Software Package Data Exchange (SPDX) specification is a standard format for communicating the components, licenses and copyrights associated with a software package.

These tools are published by the SPDX Workgroup; see http://spdx.org/

See the SPDX Tools Documentation for details on how to use the command line tools.

Getting Started

The SPDX Tool binaries can be downloaded from the BinTray SPDX Tools Java repo under the respective release. The package is also available in Maven Central (organization org.spdx, artifact spdx-tools).

See the Syntax section below for the commands available.

Contributing

See the file CONTRIBUTING.md for information on making contributions to the SPDX tools.

Issues

Report any security related issues by sending an email to [email protected]

Non-security related issues should be added to the SPDX tools issues list

Syntax

The command line interface of the spdx tools can be used like this:

java -jar spdx-tools-jar-with-dependencies.jar <function> <parameters> 

SPDX format converters

The following converter tools are provided by the spdx tools:

  • TagToSpreadsheet
  • TagToRDF
  • RdfToTag
  • RdfToHtml
  • RdfToSpreadsheet
  • SpreadsheetToRDF
  • SpreadsheetToTag

Example to convert an SPDX file from tag to rdf format:

java -jar spdx-tools-jar-with-dependencies.jar TagToRDF Examples/SPDXTagExample.tag TagToRDF.rdf

Compare utilities

The following tools can be used to compare one or more SPDX documents:

  • CompareSpdxDocs

    Example to compare two SPDX files provided in rdf format:

    java -jar spdx-tools-jar-with-dependencies.jar CompareSpdxDocs doc1 doc2 [output]
    
  • CompareMultipleSpdxDocs

    Example to compare multiple SPDX files provided in rdf format and provide a spreadsheet with the results:

    java -jar spdx-tools-jar-with-dependencies.jar CompareMultipleSpdxDocs output.xls doc1 doc2 ... docN
    

SPDX Viewer

The following tool can be used to "Pretty Print" an SPDX document.

  • SPDXViewer

Sample usage:

java -jar spdx-tools-jar-with-dependencies.jar SPDXViewer TestFiles/SPDXRdfExample.rdf

Verifier

The following tool can be used to verify an SPDX document:

  • Verify

Sample usage:

java -jar spdx-tools-jar-with-dependencies.jar Verify TestFiles/SPDXRdfExample.rdf

Generators

The following tool can be used to generate an SPDX verification code from a directory of source files:

  • GenerateVerificationCode sourceDirectory

Sample usage:

    java -jar spdx-tools-jar-with-dependencies.jar GenerateVerificationCode sourceDirectory [ignoredFilesRegex]
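
The SPDX specification defines the package verification code as the SHA-1 of the sorted, concatenated SHA-1 digests of the package's files. The following Python is an added example, not code from the SPDX tools; the function names, the constructed sample files, and the choice to match ignoredFilesRegex against the relative path are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path


def file_sha1(path):
    """Lowercase hex SHA-1 of one file, read in chunks."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verification_code(source_dir, ignored_regex=None):
    """Return (code, excluded_paths) for the regular files under source_dir."""
    root = Path(source_dir)
    pattern = re.compile(ignored_regex) if ignored_regex else None
    hashes, excluded = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Assumption: the regex is searched against the relative POSIX path.
        if pattern and pattern.search(rel):
            excluded.append(rel)
            continue
        hashes.append(file_sha1(path))
    # Sort the hex digests, join them with no separator, and hash the result.
    joined = "".join(sorted(hashes)).encode("ascii")
    return hashlib.sha1(joined).hexdigest(), excluded


def build_sample_tree(base):
    """Constructed sample package: two files plus an embedded SPDX document."""
    base = Path(base)
    (base / "src").mkdir()
    (base / "src" / "main.c").write_bytes(b"int main(void) { return 0; }\n")
    (base / "README").write_bytes(b"sample package\n")
    (base / "package.spdx").write_bytes(b"SPDXVersion: SPDX-2.0\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        code, skipped = verification_code(build_sample_tree(tmp), r"\.spdx$")
        print(f"PackageVerificationCode: {code} (excludes: {', '.join(skipped)})")
```

Because file names are not hashed, renaming a file leaves the code unchanged, while a content change or a different exclusion set produces a different code. An SPDX document shipped inside the package has to be excluded, since it contains the code itself.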

SPDX Validation Tool

The SPDX Workgroup provides an online interface to validate, compare, and convert SPDX documents in addition to the command line options above. The SPDX Validation Tool is an all-in-one portal to upload and parse SPDX documents for validation, comparison and conversion and search the SPDX license list.

License

See the NOTICE file for licensing information including info from 3rd Party Software

See LICENSE file for full license text

SPDX-License-Identifier:	Apache-2.0
PackageLicenseDeclared:	Apache-2.0

Development

Build

You need Apache Maven to build the project:

mvn clean install

Update tools data formats

To update SPDX tools, the following is a very brief checklist:

  1. Update the SpdxRdfConstants with any new or changed RDF properties and classes
  2. Update the Java code representing the RDF model.
  3. Update the properties files in the org.spdx.tag package for any new tag values
  4. Update the org.spdx.tag.CommonCode.java for any new or changed tag values. This will implement both the rdfToTag and the SPDXViewer applications.
  5. Update the org.spdx.tag.BuildDocument to implement changes for the TagToRdf application
  6. Update the HTML template (resources/htmlTemplate/SpdxHTMLTemplate.html) and contexts in org.spdx.html to implement changes for the SpdxToHtml application
  7. Update the related sheets and RdfToSpreadsheet.java file in the package org.spdx.spreadsheet
  8. Update the sheets and SpdxComparer/SpdxFileComparer in the org.spdx.compare package

Upgrading to SPDX 2.0

To the users of the tools as a binary, there should not be any need to upgrade. The tools should be backwards compatible with SPDX 1.0, 1.1, and 1.2.

If, however, you are using this Java code as a library for your own tools read on...

There are a number of changes to the design of the SPDX Parser both due to the extensive changes to the SPEC (e.g. support for multiple SPDX Packages within a document and support for relationships with external SPDX documents) and due to some much needed refactoring.

The starting point remains SPDXDocumentFactory. To ease the migration, the old 1.2 code and model are still available, and simply changing your code to call SPDXDocumentFactory.createLegacySpdxDocument(...) will probably work. You'll notice, however, that almost everything your application is using is deprecated. These will be removed once SPDX 2.0 has been released and people have a chance to migrate (likely around Jan 1 2016).

To move over to the new model, simply start with SPDXDocumentFactory and call the createSpdxDocument(...) method to create the new SpdxDocument model code. The object returned will be similar to the 1.2 version for SPDXDocument, but with a few key differences. All new model objects are in the package org.spdx.rdfparser.model. The SPDX prefix is either removed or replaced with a more consistent Spdx.

Accessing the model objects is similar to 1.2, simply call the get/set methods. The method names have all been changed to be consistent with the specification property names. As a convenience, many of the old getter method names are still there but deprecated.

The structure has changed with the SpdxPackage being a distinct class from SpdxDocument. There is also a new class org.spdx.rdfparser.SpdxDocumentContainer which separates out the container functionality from the SpdxDocument leaving the SpdxDocument to represent the SpdxDocument properties. There are several new classes which are consistent with the SPDX 2.0 Model. See the JavaDocs and the SPDX 2.0 specification for a description of those classes and properties.

There is one significant class not found in the SPDX 2.0 model - ExternalSpdxElement. This class represents elements not found within the SPDX Document. The only valid property for this element is the ID (all other properties including the type are only known in the external document containing the element). There is a more structured class hierarchy, mostly mirroring the SPDX 2.0 model. As a user of the library, you likely do not need to understand these internals - but if you are interested, start at RdfModelObject and read the JavaDocs.

If you have any problems, and especially if you have any solutions, email the tech working group for SPDX at [email protected].

More Repositories

  1. license-list-data (HTML, 495 stars): Various data formats for the SPDX License List including RDFa, HTML, Text, and JSON
  2. license-list-XML (Makefile, 344 stars): This is the repository for the master files that comprise the SPDX License List
  3. spdx-spec (Python, 288 stars): The SPDX specification in MarkDown and HTML formats.
  4. tools-python (Python, 184 stars): A Python library to parse, validate and create SPDX documents.
  5. spdx-sbom-generator (Go, 151 stars): Support CI generation of SBOMs via golang tooling.
  6. spdx-examples (Java, 123 stars): Examples of SPDX files for software combinations
  7. tools-golang (Go, 121 stars): Collection of Go packages to work with SPDX files
  8. spdx-3-model (69 stars): The model for the information captured in SPDX version 3 standard.
  9. spdx-online-tools (JavaScript, 60 stars): Source for the website providing online SPDX tools
  10. tools-java (Java, 59 stars): SPDX Command Line Tools using the Spdx-Java-Library
  11. spdx-to-osv (Java, 59 stars): Produce an Open Source Vulnerability JSON file based on information in an SPDX document
  12. ntia-conformance-checker (Python, 53 stars): Check SPDX SBOM for NTIA minimum elements
  13. spdx-maven-plugin (Java, 44 stars): Plugin for supporting SPDX in a Maven build.
  14. license-list (42 stars): SPDX License List - Archived through v2.6
  15. Spdx-Java-Library (Java, 33 stars): Java library which implements the Java object model for SPDX and provides useful helper functions
  16. spdx-license-diff (JavaScript, 33 stars): Chrome/Firefox browser extension to compare text against spdx license list
  17. cdx2spdx (Java, 27 stars): Utility that converts SBOM documents from CycloneDX to SPDX
  18. meetings (26 stars): This repository stores meetings minutes for the SPDX project
  19. spdx-license-matcher (Python, 26 stars): A tool to match license text with SPDX license list using an algorithm which finds close matches. It follows SPDX Matching guidelines to keep the substantial text as well as ignore the replaceable text for matching purposes.
  20. sbom-landscape (15 stars): SPDX SBOM Landscape
  21. governance (15 stars): SPDX Governance, based on Community Specification model
  22. spdx-gradle-plugin (Java, 15 stars)
  23. gordf (Go, 11 stars)
  24. LicenseListPublisher (Java, 11 stars): Tool that generates license data found in the license-list-data repository from the license-list-XML source
  25. spdx-build-tool (Python, 11 stars): Support a continuous integration (CI) generation of SPDX files by creating plugins or extensions to build tools. These plugins or extensions will generate valid SPDX documents based on the build file metadata and source files. https://github.com/spdx/
  26. spdx-tools-js (JavaScript, 9 stars)
  27. ATTIC-osit (Java, 8 stars): Open Source Inspect Tool by OSE, Samsung
  28. license-coverage-grader (Python, 7 stars): This is a tool which takes an SPDX document and a pointer to the original source files, and determines a "grade" score to quantify how complete the licensing information is at the file level for the code represented by the SPDX document.
  29. ATTIC-tools-go (Go, 6 stars): Legacy SPDX Parser Go Language Library - replaced by tools-golang
  30. yalm-python (Python, 6 stars): Implement SPDX License Matching in Python. Project in CommunityBridge Linux Foundation 2020.
  31. spdx-github (Python, 5 stars): SPDX Github Integration Tools
  32. spec-parser (Python, 5 stars): automagically process the specification
  33. tools-ts (TypeScript, 4 stars)
  34. outreach (4 stars): content for outreach activities
  35. ATTIC-airs (Java, 4 stars): Auto IdentifieR using Spdx by OSE, Samsung
  36. schema-to-java (Java, 3 stars): Generates Java classes from the SPDX Schema
  37. spdx-adoption (3 stars): Keeping list of projects that are using SPDX headers, and those that are able to generate SPDX documents.
  38. license-test-files (3 stars): Test files which can be used to check license scanners.
  39. change-proposal (3 stars): Repository for change proposal for the SPDX project
  40. license-test-generator (PHP, 3 stars): Tool to generate the license test files (github.com/spdx/license-test-files) from the SPDX listed licenses (github.com/spdx/license-list-data)
  41. spdx-java-jackson-store (Java, 3 stars): JSON storage implementation for the SPDX tools
  42. TEST-LicenseList-XML (Makefile, 2 stars): This is a copy of the LicenseListXML repository to be used for testing
  43. spdx-java-rdf-store (Java, 2 stars): SPDX Tools RDF Support Library
  44. GSoC (2 stars): SPDX participation in the Google Summer of Code program
  45. canonical-serialisation (CSS, 2 stars): SPDX Canonicalisation repo
  46. package-licenses-mapping (2 stars): Data mapping license declarations as found in package manifests to a SPDX license expression.
  47. spdx-java-spreadsheet-store (Java, 2 stars): SPDX Java library spreadsheet storage
  48. license-test-scans (Python, 2 stars): Tools to help compare license scans
  49. spec-v3-template (2 stars): Templates and examples for writing the v3 specification
  50. spdx-java-tagvalue-store (Java, 2 stars): SPDX Document Storage using the Tag/Value format
  51. spdx-model-to-java (Java, 2 stars): Generates Java source files from the SPDX spec version 3+ suitable for inclusion in the SPDX Java Library
  52. tools-list (1 star): List of the known available tools in a machine readable format.
  53. license-namespace-test (1 star): Test repository for the license namespace
  54. spdx-testbed (Java, 1 star)
  55. spdx-website (1 star): This repo contains all the assets used in the spdx.org website
  56. licensegenplugin (Java, 1 star): Maven plugin for generating the license data from the license list XML repository
  57. DOCS (1 star): This is a repository for general documentation related to SPDX
  58. spdx-3-build-profile (1 star)
  59. spdx-3-serialization-prototype-playground (Python, 1 star): TEMPORARY repo to contain different draft examples for SPDX 3.0 serializations
  60. licenseRequestImages (1 star): License Request Image Repository
  61. license-mgmt (CSS, 1 star): GSoC 2022 project for a web-based license management system
  62. crypto-algorithms (1 star): List of cryptographic algorithms and their characteristics
  63. rollup-plugin-spdx (TypeScript, 1 star)
  64. using (1 star): Information on how to use the SPDX specification