SPDX
Creates software bills of materials (SBOM) in the SPDX format.
Description
Creates YAML and JSON SPDX documents, mainly targeting the use case of sharing information about the dependencies
used, similar to a NOTICE file. Information about the project / submodule structure and about project VCS
locations is deliberately omitted. The underlying idea is to clearly separate this use case from a maximally
detailed report, which might be preferred for archiving or internal use only. The latter could be implemented either
as a future extension of this SpdxDocumentReporter or as a separate reporter.
Configuration
Example
Use the following syntax to configure this plugin globally as part of config.yml:
ort:
  reporter:
    reporters:
      SpdxDocument:
        options:
          spdxVersion: SPDX-2.2
          creationInfoComment: <OPTIONAL_STRING>
          creationInfoPerson: <OPTIONAL_STRING>
          creationInfoOrganization: <OPTIONAL_STRING>
          documentComment: <OPTIONAL_STRING>
          documentName: <OPTIONAL_STRING>
          outputFileFormats: YAML
          fileInformationEnabled: true
Options
spdxVersion
Possible values:
SPDX-2.2, SPDX-2.3
The SPDX version to use.
creationInfoComment
Alias: creationInfo.comment
The comment to add to the [SpdxDocument.creationInfo].
creationInfoPerson
Alias: creationInfo.person
The person to add to the [SpdxDocument.creationInfo].
creationInfoOrganization
Alias: creationInfo.organization
The organization to add to the [SpdxDocument.creationInfo].
documentComment
Alias: document.comment
The comment to add to the [SpdxDocument].
documentName
Alias: document.name
The name of the generated [SpdxDocument]. Defaults to the first project name from the ORT result if not set.
outputFileFormats
Alias: output.file.formats
Possible values:
JSON, YAML
The list of file formats to generate.
fileInformationEnabled
Alias: file.information.enabled
Toggle whether the output document should contain file-level information about the files that contain findings.
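From the consumer's side, the options above determine what a downstream check of the generated SBOM can rely on. The following is an added example, not code from ORT or from the SPDX project: it loads an SPDX JSON document and checks it against a set of reporter options, covering the identifiers SPDX 2.x fixes (SPDXID, dataLicense), the configured spdxVersion, name, comments and creators, that file-level information is present exactly when fileInformationEnabled is set, and that every relationship points at an element the document actually defines. The mapping from reporter options to SPDX fields, the sample document and every name and URL in it are assumptions constructed for this example.

```python
"""Consistency check of an SPDX 2.x JSON SBOM against the SpdxDocument reporter
options. Added example; not code from ORT or from the SPDX project.

Assumed option-to-field mapping (not stated on the page): spdxVersion -> top-level
"spdxVersion"; documentName -> "name"; documentComment -> "comment";
creationInfoComment -> creationInfo.comment; creationInfoPerson / creationInfoOrganization
-> "Person: ..." / "Organization: ..." entries in creationInfo.creators (prefixes defined
by the SPDX spec); fileInformationEnabled -> whether the top-level "files" list is present.
"""
import json

SUPPORTED_SPDX_VERSIONS = ("SPDX-2.2", "SPDX-2.3")

# Reporter options as they would appear under SpdxDocument.options in config.yml
# (values are made up for this example).
OPTIONS = {
    "spdxVersion": "SPDX-2.3",
    "creationInfoComment": "Generated for third-party notice purposes",
    "creationInfoPerson": "Jane Doe",
    "creationInfoOrganization": "Example Corp",
    "documentComment": "Dependencies only; project structure and VCS locations omitted",
    "documentName": "my-service",
    "outputFileFormats": "JSON",
    "fileInformationEnabled": True,
}

# Constructed sample in the SPDX 2.3 JSON shape; not real reporter output.
SAMPLE_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "my-service",
    "documentNamespace": "https://example.com/spdx/my-service/0001",
    "comment": "Dependencies only; project structure and VCS locations omitted",
    "creationInfo": {
        "created": "2024-01-01T00:00:00Z",
        "creators": ["Tool: OSS Review Toolkit", "Person: Jane Doe", "Organization: Example Corp"],
        "comment": "Generated for third-party notice purposes",
    },
    "packages": [{"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "versionInfo": "4.17.21",
                  "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
                  "licenseConcluded": "MIT", "licenseDeclared": "MIT", "copyrightText": "NOASSERTION"}],
    "files": [{"SPDXID": "SPDXRef-File-lodash-LICENSE", "fileName": "./LICENSE",
               "licenseConcluded": "MIT", "copyrightText": "NOASSERTION"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-lodash"},
        {"spdxElementId": "SPDXRef-Package-lodash", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-lodash-LICENSE"},
    ],
})


def check_document(doc_json, options):
    """Return a list of problems; an empty list means the document is consistent
    with the reporter options and with the fixed values SPDX 2.x requires."""
    doc = json.loads(doc_json)
    problems = []

    # Values fixed by the SPDX 2.x specification.
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("document SPDXID must be SPDXRef-DOCUMENT")
    if doc.get("dataLicense") != "CC0-1.0":
        problems.append("dataLicense must be CC0-1.0")

    version = doc.get("spdxVersion")
    if version not in SUPPORTED_SPDX_VERSIONS:
        problems.append(f"unsupported spdxVersion {version!r}")
    elif version != options["spdxVersion"]:
        problems.append(f"spdxVersion {version!r} differs from configured {options['spdxVersion']!r}")

    # Document-level options.
    for key, field in (("documentName", "name"), ("documentComment", "comment")):
        if options.get(key) and doc.get(field) != options[key]:
            problems.append(f"{field} does not match option {key}")

    # creationInfo options; creators carry the spec's "Person:" / "Organization:" prefixes.
    info = doc.get("creationInfo", {})
    if options.get("creationInfoComment") and info.get("comment") != options["creationInfoComment"]:
        problems.append("creationInfo.comment does not match option creationInfoComment")
    for key, prefix in (("creationInfoPerson", "Person: "), ("creationInfoOrganization", "Organization: ")):
        if options.get(key) and prefix + options[key] not in info.get("creators", []):
            problems.append(f"creators lack {prefix.strip()} {options[key]!r}")

    # File-level information must be present exactly when fileInformationEnabled is set.
    if bool(doc.get("files")) != bool(options["fileInformationEnabled"]):
        problems.append("presence of file information does not match fileInformationEnabled")

    # Every relationship end must name a known element, or the special NONE / NOASSERTION.
    known = {doc.get("SPDXID")} | {e["SPDXID"] for e in doc.get("packages", []) + doc.get("files", [])}
    for rel in doc.get("relationships", []):
        for end in (rel.get("spdxElementId"), rel.get("relatedSpdxElement")):
            if end not in known and end not in ("NONE", "NOASSERTION"):
                problems.append(f"relationship references unknown element {end!r}")

    return problems
```

Run `check_document(open("bom.spdx.json").read(), OPTIONS)` against a real reporter output after adjusting OPTIONS to the values in config.yml; a non-empty result is a list of mismatches to investigate. The relationship check is the one most worth keeping in a pipeline: a dangling relationship means a package or file was referenced but never described, which is exactly the kind of gap an SBOM consumer cannot detect from the package list alone.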