[ANN] SPDX.jl: Reading and writing SPDX files

SPDX.jl

A package for reading and writing SPDX files in Julia.

Software Package Data eXchange (SPDX) is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.

References

The SPDX specification can be found here

Purpose

To aid Julia developers in the creation of SPDX documents describing their own packages.

These days it is important for nearly all organizations to know the provenance and contents of all the open source software their employees are downloading. Instead of letting these organizations conduct their own scans of your package with finicky tools and then try to figure out what they have, it will help with approvals if you provide them with a statement of your package’s licensing, copyright, and dependency information in a standardized format created for this purpose. Once the file is created, just drop it in the root level of your package.

If this package catches on, maybe it will also be used by large organizations for the creation, merging, processing, and analysis of SPDX documents.

Features

1. Supports version 2.2 of the SPDX specification
2. Reads and writes JSON and TagValue file formats. Other formats may be supported in later releases.
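Before trusting a tag-value SBOM that a package ships, a consumer will want to parse it and confirm the mandatory SPDX 2.2 document-creation fields are present. The following is an added example in plain Python, not code from SPDX.jl; the sample document, the `ExamplePkg.jl` name and the `example.invalid` namespace are constructed for illustration.

```python
# Mandatory "Document Creation Information" tags in SPDX 2.2 (spec section 2).
REQUIRED_DOCUMENT_TAGS = ("SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                          "DocumentNamespace", "Creator", "Created")
def parse_tag_value(text):
    """Ordered (tag, value) pairs from SPDX tag-value text: skips '#' comments
    and blank lines, joins <text>...</text> values; tags may repeat, hence a list."""
    pairs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed tag-value line: {line!r}")
        value = value.strip()
        if value.startswith("<text>"):               # may close on a later line
            chunks = [value[len("<text>"):]]
            while not chunks[-1].rstrip().endswith("</text>"):
                if i >= len(lines):
                    raise ValueError(f"unterminated <text> for tag {tag}")
                chunks.append(lines[i])
                i += 1
            value = "\n".join(chunks).rstrip()[:-len("</text>")].strip()
        pairs.append((tag.strip(), value))
    return pairs

def missing_document_tags(pairs):
    """Required header tags that are absent. Only tags before the first
    PackageName count, because SPDXID also appears inside package sections."""
    seen = set()
    for tag, _ in pairs:
        if tag == "PackageName":
            break
        seen.add(tag)
    return [t for t in REQUIRED_DOCUMENT_TAGS if t not in seen]
# Constructed sample SBOM for illustration, not any real package's document.
SAMPLE = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: ExamplePkg.jl-sbom
DocumentNamespace: https://example.invalid/spdx/ExamplePkg.jl
Creator: Person: Example Maintainer
Created: 2023-01-01T00:00:00Z
PackageName: ExamplePkg.jl
SPDXID: SPDXRef-Package-ExamplePkg
PackageCopyrightText: <text>Copyright (c) 2023
Example Maintainer</text>
"""
```

`missing_document_tags(parse_tag_value(SAMPLE))` returns an empty list for the sample; a document lacking, say, `DocumentNamespace` shows it in the returned list, and an unterminated `<text>` raises `ValueError` instead of being silently swallowed.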

Link to repository