SPDX Document
Question: Does the software package have an associated SPDX document as a standard expression of dependencies, licensing, and security-related issues?
Overview
This metric assesses whether a software package has an associated Software Package Data Exchange (SPDX) document to express dependencies, licensing, and security-related issues. An SPDX document provides essential management information for understanding and managing open-source software within complex supply chains. It offers a standardized view of dependencies, licenses, and security considerations for both internal use and downstream distribution of software packages. Having an SPDX document can support an organization’s open-source risk management routines and integrate with their overall open-source strategy.
Want to Know More?
Data Collection Strategies
- Identify if the project has an SPDX document available, either through public repository files or internally managed records.
- Use tools like Augur-SPDX to scan project repositories and generate an SPDX document if none exists.
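The two strategies above, implemented as an added example (not code from this CHAOSS page or from Augur): locate SPDX-looking files in a repository, then read a parsed SPDX 2.x JSON document for its licenses, its DEPENDS_ON relationships and any deprecated license identifiers. The file-name suffixes are an assumption about common SPDX naming, and the embedded SPDX 2.3 document is constructed for illustration.

```python
"""Added example (not from the CHAOSS page): locate SPDX 2.x JSON documents in a
repository and summarize the licenses and DEPENDS_ON edges they declare."""
import json, re
from pathlib import Path

SPDX_SUFFIXES = (".spdx", ".spdx.json", ".spdx.yaml", ".spdx.xml", ".spdx.rdf")  # assumed naming
# Deprecated SPDX license-list identifiers; the "+" forms in the Zephyr scan
# above now have explicit "-or-later" equivalents.
DEPRECATED = {"GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
              "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later"}
def looks_like_spdx(filename):
    """True if the file name follows the assumed SPDX document naming conventions."""
    return filename.endswith(SPDX_SUFFIXES)

def find_spdx_documents(repo_root):
    """Step 1 of data collection: every SPDX-looking file under repo_root."""
    return sorted(p for p in Path(repo_root).rglob("*") if p.is_file() and looks_like_spdx(p.name))

def license_ids(expression):
    """Split an SPDX license expression like '(GPL-2.0+ OR MIT)' into bare ids."""
    return {t.strip() for t in re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", expression) if t.strip()}

def summarize(doc):
    """Licenses, dependency edges and deprecated ids from a parsed SPDX 2.x JSON document."""
    packages = doc.get("packages", [])
    names = {p["SPDXID"]: p["name"] for p in packages}
    licenses = set()
    for pkg in packages:
        for key in ("licenseConcluded", "licenseDeclared"):
            value = pkg.get(key, "NOASSERTION")
            if value not in ("NOASSERTION", "NONE"):  # SPDX's "unknown" / "no license" markers
                licenses |= license_ids(value)
    deps = [(names.get(r["spdxElementId"], r["spdxElementId"]),
             names.get(r["relatedSpdxElement"], r["relatedSpdxElement"]))
            for r in doc.get("relationships", []) if r.get("relationshipType") == "DEPENDS_ON"]
    return {"licenses": sorted(licenses), "dependencies": deps,
            "deprecated": {lic: DEPRECATED[lic] for lic in sorted(licenses) if lic in DEPRECATED}}

# Constructed SPDX 2.3 document standing in for a real scan result.
SAMPLE_DOC = json.loads("""{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-sbom",
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "app", "licenseDeclared": "Apache-2.0"},
    {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "licenseConcluded": "(GPL-2.0+ OR MIT)"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-libfoo"}]
}""")
if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_DOC), indent=2))
```

A deprecated identifier is worth flagging because license tooling downstream may not resolve it, which weakens the document's value for the compliance and risk routines the metric is meant to support.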
Filters
Augur-SPDX was used to scan the GitHub repository Zephyr. Here are the licenses identified by the scan, in JSON format:
{
"0": "Apache-2.0",
"1": "BSD-2-Clause",
"2": "BSD-3-Clause",
"3": "GPL-2.0",
"4": "GPL-2.0+",
"5": "GPL-3.0+",
"6": "ISC",
"7": "MIT",
"8": "BSD-4-Clause-UC",
"9": "CC0-1.0"
}
This document was generated by Augur.
Visualizations
Figure 1: Software Bill of Materials (SBOM) overview using SPDX document structure
References
Contributors
- Sean Goggins
- Elizabeth Barron
- Yigakpoa L. Ikpae
Additional Information
To edit this metric, please submit a Change Request. To reference this metric in software or publications, please use this stable URL: https://chaoss.community/?p=3968
The usage and dissemination of health metrics may lead to privacy violations. Organizations may be exposed to risks. These risks may flow from compliance with the GDPR in the EU, with state law in the US, or with other laws. There may also be contractual risks flowing from terms of service for data providers such as GitHub and GitLab. The usage of metrics must be examined for risk and potential data ethics problems. Please see the CHAOSS Data Ethics document for additional guidance.