fsfe / reuse-tool

reuse is a tool for compliance with the REUSE recommendations.
https://reuse.software

Revisit/fix/update SPDX SBOM output #394

Open mxmehl opened 2 years ago

mxmehl commented 2 years ago

The REUSE tool currently generates a SPDX software bill of materials only in the SPDX-2.1 format. As an example, I attached the output of reuse spdx of this repository. There are a number of issues:

  1. SPDX-2.3 is the current version.
  2. Somehow, the FileCopyrightText do not look right, especially when using the SPDX-FileCopyrightText tags.
  3. It might make sense to follow the minimal set of requirements of the NTIA which officially accepted SPDX as one way to create SBOMs. @kestewart may help here.

It seems we generate this document manually in spdx.py and report.py. Perhaps there is some spdx library that we can use?

Also, generating an optional JSON/YAML version would be great.
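As an added example (not the reuse tool's own code, which the comment above says assembles its SPDX output by hand in spdx.py and report.py), the following Python shows the shape of the output the comment asks for: it collects every SPDX-FileCopyrightText tag in a file rather than just the first one, emits a minimal SPDX 2.3 document as both tag-value and JSON from the same in-memory structure, and carries the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author and timestamp) as SPDX fields. The sample files, the supplier, the namespace and the creator string are constructed for the demo, and it uses only the standard library rather than the spdx-tools package discussed in this thread.

```python
import hashlib
import json
import re

# Constructed sample inputs (not a real repository): path -> file contents.
# src/util.py deliberately carries two SPDX-FileCopyrightText tags, the case
# the issue says the current output mishandles; README.md has no tags at all.
SAMPLE_FILES = {
    "src/main.py": (
        "# SPDX-FileCopyrightText: 2022 Example Author <author@example.org>\n"
        "# SPDX-License-Identifier: GPL-3.0-or-later\n"
        "print('hello')\n"
    ),
    "src/util.py": (
        "# SPDX-FileCopyrightText: 2021 First Contributor\n"
        "# SPDX-FileCopyrightText: 2022 Second Contributor\n"
        "# SPDX-License-Identifier: Apache-2.0\n"
        "def f():\n    return 1\n"
    ),
    "README.md": "No REUSE tags here at all.\n",
}

COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(.+?)\s*$", re.MULTILINE)
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*$", re.MULTILINE)


def analyse_file(path, contents):
    """Extract every copyright tag (in order) and every license tag from one file."""
    return {
        "path": path,
        "sha1": hashlib.sha1(contents.encode("utf-8")).hexdigest(),
        "copyrights": COPYRIGHT_RE.findall(contents),
        "licenses": sorted(set(LICENSE_RE.findall(contents))),
    }


def verification_code(infos):
    """SPDX package verification code: SHA1 over the sorted, concatenated file SHA1s."""
    return hashlib.sha1("".join(sorted(f["sha1"] for f in infos)).encode()).hexdigest()


def spdx_id(kind, path):
    # SPDX identifiers may only contain letters, digits, '.' and '-' after "SPDXRef-".
    return "SPDXRef-%s-%s" % (kind, re.sub(r"[^A-Za-z0-9.-]", "-", path))


def license_expr(licenses):
    return " AND ".join(licenses) if licenses else "NOASSERTION"


def build_document(files, *, name, namespace, supplier, version, creator, created):
    """Build an SPDX 2.3 document as a dict following the SPDX JSON field names."""
    infos = sorted((analyse_file(p, c) for p, c in files.items()), key=lambda f: f["path"])
    file_entries = [{
        "fileName": "./" + f["path"],
        "SPDXID": spdx_id("File", f["path"]),
        "checksums": [{"algorithm": "SHA1", "checksumValue": f["sha1"]}],
        "licenseConcluded": license_expr(f["licenses"]),
        "licenseInfoInFiles": f["licenses"] or ["NOASSERTION"],
        # All copyright tags are kept, one per line; no tag at all becomes NOASSERTION.
        "copyrightText": "\n".join(f["copyrights"]) or "NOASSERTION",
    } for f in infos]
    package = {  # NTIA: component name, version, supplier, unique identifier (SPDXID)
        "name": name, "SPDXID": "SPDXRef-Package", "versionInfo": version,
        "supplier": supplier, "downloadLocation": "NOASSERTION", "filesAnalyzed": True,
        "packageVerificationCode": {"packageVerificationCodeValue": verification_code(infos)},
        "licenseConcluded": "NOASSERTION",
        "licenseInfoFromFiles": sorted({l for f in infos for l in f["licenses"]}) or ["NOASSERTION"],
        "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION",
    }
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": "SPDXRef-Package"}]  # NTIA: dependency relationship
    relationships += [{"spdxElementId": "SPDXRef-Package", "relationshipType": "CONTAINS",
                       "relatedSpdxElement": e["SPDXID"]} for e in file_entries]
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": name, "documentNamespace": namespace,
        "creationInfo": {"created": created, "creators": [creator]},  # NTIA: author, timestamp
        "packages": [package], "files": file_entries, "relationships": relationships,
    }


def tv(key, value):
    # Tag-value syntax requires multi-line values to be wrapped in <text>...</text>.
    return "%s: <text>%s</text>" % (key, value) if "\n" in value else "%s: %s" % (key, value)


def to_tag_value(doc):
    ci = doc["creationInfo"]
    out = [tv("SPDXVersion", doc["spdxVersion"]), tv("DataLicense", doc["dataLicense"]),
           tv("SPDXID", doc["SPDXID"]), tv("DocumentName", doc["name"]),
           tv("DocumentNamespace", doc["documentNamespace"])]
    out += [tv("Creator", c) for c in ci["creators"]] + [tv("Created", ci["created"])]
    for p in doc["packages"]:
        out += ["", tv("PackageName", p["name"]), tv("SPDXID", p["SPDXID"]),
                tv("PackageVersion", p["versionInfo"]), tv("PackageSupplier", p["supplier"]),
                tv("PackageDownloadLocation", p["downloadLocation"]), tv("FilesAnalyzed", "true"),
                tv("PackageVerificationCode", p["packageVerificationCode"]["packageVerificationCodeValue"]),
                tv("PackageLicenseConcluded", p["licenseConcluded"])]
        out += [tv("PackageLicenseInfoFromFiles", l) for l in p["licenseInfoFromFiles"]]
        out += [tv("PackageLicenseDeclared", p["licenseDeclared"]), tv("PackageCopyrightText", p["copyrightText"])]
    for f in doc["files"]:
        out += ["", tv("FileName", f["fileName"]), tv("SPDXID", f["SPDXID"]),
                tv("FileChecksum", "SHA1: " + f["checksums"][0]["checksumValue"]),
                tv("LicenseConcluded", f["licenseConcluded"])]
        out += [tv("LicenseInfoInFile", l) for l in f["licenseInfoInFiles"]]
        out.append(tv("FileCopyrightText", f["copyrightText"]))
    out += [""] + [tv("Relationship", "%s %s %s" % (r["spdxElementId"], r["relationshipType"],
                                                    r["relatedSpdxElement"])) for r in doc["relationships"]]
    return "\n".join(out) + "\n"


def to_json(doc):
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    d = build_document(SAMPLE_FILES, name="example", namespace="https://example.org/spdx/example-1",
                       supplier="Organization: Example Org", version="1.0.0",
                       creator="Tool: sbom-demo", created="2024-01-01T00:00:00Z")
    print(to_tag_value(d))
    print(to_json(d))
```

The only behavioural point worth noting is in the file entries: every SPDX-FileCopyrightText tag is collected and joined with newlines, which forces the `<text>...</text>` wrapping in tag-value output, and a file with no tag gets `NOASSERTION` rather than an empty string. Both serialisations come from one dict, so adding YAML would be a third serialiser over the same structure.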

mxmehl commented 2 years ago

If we want to use the SPDX python tools as a dependency, it'd be great to have them packaged for Debian first, as mentioned in spdx/tools-python#201.

rpavlik commented 1 year ago

I wouldn't wait for packaging, packaging a pypi module is quite easy. I'd volunteer if I didn't already have too many things to do... (And I'm not a DD so it would need a sponsor anyway). In any case, reuse itself isn't packaged I don't think, so no big deal.

carmenbianca commented 1 month ago

FileCopyrightText do not look right

Related to #947