SPDX Document

Question: Does the software package have an associated SPDX document as a standard expression of dependencies, licensing, and security-related issues?

Description

A software package has an associated SPDX document as a standard expression of dependencies, licensing, and security-related issues. More information on the SPDX specification can be found at: https://spdx.org/

Objectives

For managers acquiring open source software as part of an IT or Open Source Program Office portfolio, an SPDX document is an increasingly essential piece of management information. Because software packages exist in complex software supply chains, it is important to express, in a standardized way, the dependencies, licenses, and security-related issues associated with a package. An SPDX document provides a single source of that information, both for internal use and for downstream distribution of software packages, and it helps organizations routinize open source work so that it integrates with their own open source risk management practices.

Implementation

Filters

augur-SPDX was used to scan the Zephyr GitHub repository. These are the licenses identified by the scan, in JSON format:

{
  "0": "Apache-2.0",
  "1": "BSD-2-Clause",
  "2": "BSD-3-Clause",
  "3": "GPL-2.0",
  "4": "GPL-2.0+",
  "5": "GPL-3.0+",
  "6": "ISC",
  "7": "MIT",
  "8": "BSD-4-Clause-UC",
  "9": "CC0-1.0"
}

This document was generated by Augur.
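As an added example (not code from this page, from Augur, or from augur-SPDX), the following Python parses a constructed SPDX 2.2 tag-value document and pulls out the three things the question asks about: DEPENDS_ON relationships, concluded license expressions, and SECURITY external references (a CPE and an advisory link). It also maps identifiers that the SPDX License List deprecated in version 3.0 (GPL-2.0, GPL-2.0+ and GPL-3.0+, all present in the scan above) to their current -only / -or-later spellings, a normalization a consumer should apply before comparing scanner output against license policy. The package names, document namespace, URLs and CPE string in the sample are hypothetical.

```python
"""Parse an SPDX 2.2 tag-value document and summarize each package's dependencies, licenses and security refs."""
import re

# Identifiers deprecated by SPDX License List 3.0 in favor of explicit -only /
# -or-later forms. Scanners such as augur-SPDX still emit the old spellings.
DEPRECATED_LICENSE_IDS = {"GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
                          "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later"}
EXPRESSION_KEYWORDS = {"AND", "OR", "WITH", "NOASSERTION", "NONE"}

# Constructed, abridged sample: hypothetical packages, namespace, URLs and CPE.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom
DocumentNamespace: https://example.invalid/spdx/example-app-1.0.0
Creator: Tool: constructed-example
Created: 2024-01-01T00:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.0.0
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: <text>Copyright 2024 Example Org
All rights reserved.</text>

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 2.3.1
PackageLicenseConcluded: (GPL-2.0+ OR MIT)
PackageLicenseDeclared: GPL-2.0+
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:libfoo:2.3.1:*:*:*:*:*:*:*
ExternalRef: SECURITY advisory https://example.invalid/advisories/libfoo-2024-01
ExternalRef: PACKAGE-MANAGER purl pkg:generic/libfoo@2.3.1
# Relationships link the document to what it describes and packages to each other.
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-app
Relationship: SPDXRef-Package-example-app DEPENDS_ON SPDXRef-Package-libfoo
"""

def parse_tag_value(text):
    """Return (document, packages_by_spdxid, relationships): PackageName opens a
    package, <text> values may span lines, '#' lines are comments."""
    doc, packages, relationships = {}, {}, []
    current = doc
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if value.startswith("<text>"):
            parts = [value[len("<text>"):]]
            while not parts[-1].endswith("</text>"):
                parts.append(next(lines))  # raises StopIteration if unterminated
            parts[-1] = parts[-1][:-len("</text>")]
            value = "\n".join(parts)
        if tag == "PackageName":
            current = {"PackageName": value, "ExternalRef": []}
        elif tag == "SPDXID" and current is not doc:
            current["SPDXID"] = value
            packages[value] = current
        elif tag == "ExternalRef":  # "<category> <type> <locator>"
            current["ExternalRef"].append(tuple(value.split(maxsplit=2)))
        elif tag == "Relationship":  # "<src SPDXID> <TYPE> <dst SPDXID>"
            relationships.append(tuple(value.split()))
        else:
            current[tag] = value
    return doc, packages, relationships

def license_ids(expression):
    """Bare identifiers in an SPDX license expression such as '(GPL-2.0+ OR MIT)'."""
    return [t for t in re.findall(r"[A-Za-z0-9.+-]+", expression)
            if t not in EXPRESSION_KEYWORDS]

def normalize_license_ids(ids):
    """Replace deprecated identifiers with their current SPDX spelling."""
    return [DEPRECATED_LICENSE_IDS.get(i, i) for i in ids]

def summarize(text):
    """Per-package dependencies, concluded licenses and SECURITY external refs."""
    _, packages, relationships = parse_tag_value(text)
    summary = {}
    for spdxid, pkg in packages.items():
        ids = license_ids(pkg.get("PackageLicenseConcluded", "NOASSERTION"))
        summary[pkg["PackageName"]] = {
            "version": pkg.get("PackageVersion"),
            "depends_on": sorted(packages.get(dst, {}).get("PackageName", dst)
                                 for src, rel, dst in relationships
                                 if src == spdxid and rel == "DEPENDS_ON"),
            "licenses": normalize_license_ids(ids),
            "deprecated_license_ids": [i for i in ids if i in DEPRECATED_LICENSE_IDS],
            "security_refs": [(t, loc) for cat, t, loc in pkg["ExternalRef"]
                              if cat == "SECURITY"],
        }
    return summary
```

Calling summarize(SAMPLE_SPDX) yields one entry per package; for libfoo it reports the MIT alternative alongside GPL-2.0-or-later, flags GPL-2.0+ as a deprecated spelling, and lists the CPE and advisory references while ignoring the PACKAGE-MANAGER purl. Applying normalize_license_ids to the ten identifiers in the augur-SPDX scan above rewrites three of them. The parser is deliberately minimal: it assumes each package section starts with PackageName followed by SPDXID, and it does not handle DocumentRef-prefixed identifiers or the RDF/JSON serializations.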

Tools Providing the Metric

  • DoSOCSv2 embedded as an Augur service. A file-by-file SPDX document is available when Augur is configured with the DoSOCSv2 plugin. The relevant parts of the database schema are listed below.
  • augur-spdx embedded as an Augur service. A file-by-file SPDX document is available when Augur is configured with the augur-spdx plugin, which is a fork of DoSOCSv2 and uses the same schema.

  • Packages
  • Package_Files
  • Files (a file may also be included in other packages, although this is unlikely). License information is part of an SBOM, but the complexity of license identification is addressed separately in the License_Count, License_Coverage, and License_Declared metrics.

References

  • SBOM