[ANN] SPDX.jl v0.2.0: Reading and Writing SPDX Files - Now with support for v2.3 of the specification


A package for reading and writing SPDX files in Julia.

Software Package Data eXchange (SPDX) is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.

Reads and writes JSON and TagValue file formats. Other formats may be supported in later releases.

Link to repository: https://github.com/SamuraiAku/SPDX.jl


The SPDX specification can be found here


The purpose of this package is to aid Julia developers in creating SPDX documents that describe their own packages.

These days it is important for nearly all organizations to know the provenance and contents of all the open source software their employees are downloading. Instead of letting these organizations conduct their own scans of your package with finicky tools and then trying to figure out what they have, it will help with approvals if you provide them with a statement of your package’s licensing, copyright, and dependency information in a standardized format created for this purpose. Once the file is created, just drop it in the root level of your package.

If this package catches on, maybe it will also be used by large organizations for the creation, merging, processing, and analysis of SPDX documents.

For a small demonstration of how to use this package, see the script bumpSPDX.jl at the top of the repository. It uses the Pkg API and SPDX.jl to update an SPDX file which describes this package and its dependencies.

v0.2.0 New Features

  • Support v2.3 of the SPDX spec

  • Download location is now an object (SpdxDownloadLocationV2) that parses the fields of the URL instead of a string

  • Make Package Originator and Supplier an SpdxCreatorV2 object instead of a string.

Bug fixes

  • Strip leading and trailing whitespace when reading JSON and TagValue files
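
The download location change listed under New Features concerns a string whose layout is defined by the SPDX 2.3 specification. As an added example (stand-alone Julia, not SPDX.jl's code and not the API of SpdxDownloadLocationV2; the type, field and function names are assumptions), this splits such a string into its fields and flags VCS locations that are not pinned to a full commit id:

```julia
# Stand-alone sketch. Type, field and function names are assumptions,
# not the API of SPDX.jl's SpdxDownloadLocationV2.
struct DownloadLocation
    vcs::Union{String,Nothing}        # git, hg, svn or bzr; nothing for a plain URL
    transport::Union{String,Nothing}  # https, ssh, ftp, ...
    hostpath::Union{String,Nothing}   # host name plus path to the repository or file
    revision::Union{String,Nothing}   # after '@': tag, branch or commit
    subpath::Union{String,Nothing}    # after '#': path inside the repository
end

# SPDX 2.3 layout for VCS locations:
#   <vcs_tool>+<transport>://<host_name>[/<path_to_repository>][@<revision_tag_or_branch>][#<sub_path>]
# An optional user@ prefix on the host is kept in hostpath. The scp-like form
# (git+git@host:path) is not handled here.
const LOCATION_RE = r"^(?:(?<vcs>git|hg|svn|bzr)\+)?(?<transport>[A-Za-z][A-Za-z0-9.-]*)://(?<hostpath>(?:[^/@#]+@)?[^@#]+)(?:@(?<rev>[^#]+))?(?:#(?<sub>.+))?$"

function parse_download_location(s::AbstractString)
    s = strip(s)
    s in ("NONE", "NOASSERTION") && return nothing  # spec values meaning "no location given"
    m = match(LOCATION_RE, s)
    m === nothing && throw(ArgumentError("not an SPDX download location: $s"))
    field(name) = m[name] === nothing ? nothing : String(m[name])
    return DownloadLocation(field(:vcs), field(:transport), field(:hostpath),
                            field(:rev), field(:sub))
end

# Heuristic (assumption): only a full 40-hex commit id counts as pinned.
# A missing revision, a branch or a tag can move after the document is written.
is_pinned(loc::DownloadLocation) =
    loc.vcs !== nothing && loc.revision !== nothing &&
    occursin(r"^[0-9a-f]{40}$", loc.revision)

# Constructed sample values; hosts, paths and the commit id are placeholders.
samples = [
    "git+https://git.example.org/MyProject.git@v1.0#src/lib.c",
    "git+ssh://git@git.example.org/MyProject.git@0123456789abcdef0123456789abcdef01234567",
    "https://example.org/MyProject-1.0.tar.gz",
    "NOASSERTION",
]
for s in samples
    loc = parse_download_location(s)
    if loc === nothing
        println(s, " -> no location")
    else
        println(s, " -> ", loc, loc.vcs === nothing ? "" : " pinned=$(is_pinned(loc))")
    end
end
```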