Dotnet tool for manipulating SPDX SBOM files
The following will add SpdxTool to a Dotnet tool manifest file:

```bash
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local DemaConsulting.SpdxTool
```

The tool can then be executed by:

```bash
dotnet spdx-tool <arguments>
```

The following shows the command-line usage of SpdxTool:

```
Usage: spdx-tool [options] <command> [arguments]

Options:
  -h, --help                               Show this help message and exit
  -v, --version                            Show version information and exit
  -l, --log <log-file>                     Log output to file
  -s, --silent                             Silence console output
  --validate                               Perform self-validation
  -r, --result <file>                      Self-validation result TRX file

Commands:
  help <command>                           Display extended help about a command
  add-package                              Add package to SPDX document (workflow only).
  add-relationship <spdx.json> <args>      Add relationship between elements.
  copy-package <spdx.json> <args>          Copy package between SPDX documents (workflow only).
  diagram <spdx.json> <mermaid.txt> [tools] Generate mermaid diagram.
  find-package <spdx.json> <criteria>      Find package ID in SPDX document
  get-version <spdx.json> <criteria>       Get the version of an SPDX package.
  hash <operation> <algorithm> <file>      Generate or verify hashes of files
  print <text>                             Print text to the console
  query <pattern> <program> [args]         Query program output for value
  rename-id <arguments>                    Rename an element ID in an SPDX document.
  run-workflow <workflow.yaml>             Runs the workflow file/url
  set-variable                             Set workflow variable (workflow only).
  to-markdown <spdx.json> <out.md> [args]  Create Markdown summary for SPDX document
  update-package                           Update package in SPDX document (workflow only).
  validate <spdx.json> [ntia]              Validate SPDX document for issues
```

A more detailed description of the usage can be found in the command-line documentation.
The SpdxTool can be driven using workflow YAML files of the following format:

```yaml
# Workflow parameters
parameters:
  parameter-name: value

# Workflow steps
steps:
- command: <command-name>
  inputs:
    <arguments mapping>

- command: <command-name>
  inputs:
    input1: value
    input2: ${{ parameter-name }}
```

A more detailed description of workflow YAML files can be found in the workflow documentation.
Running self-validation produces a report containing the following information:
# DemaConsulting.SpdxTool
| Information | Value |
| :------------------ | :------------------------------------------------- |
| SpdxTool Version | <version> |
| Machine Name | <machine-name> |
| OS Version | <os-version> |
| DotNet Runtime | <dotnet-runtime-version> |
| Time Stamp | <timestamp> |
Tests:
- AddPackage: Passed
- AddRelationship: Passed
- CopyPackage: Passed
- FindPackage: Passed
- GetVersion: Passed
- Query: Passed
- RenameId: Passed
- UpdatePackage: Passed
Validation Passed
On validation failure the tool will exit with a non-zero exit code.
This report may be useful in regulated industries requiring evidence of tool validation.
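
The following is an added example, not code from the SpdxTool project: a checker that reads a self-validation report in the layout shown above and confirms that every listed test is present and passed before the report is archived as evidence. It assumes the report text has been captured to a string (for instance from the file written by `--log`) and that a failing test carries a status other than `Passed`; the names `parse_report` and `check_evidence` are hypothetical.

```python
import re

# Test names listed in the report above; a missing one means incomplete evidence.
EXPECTED_TESTS = {"AddPackage", "AddRelationship", "CopyPackage", "FindPackage",
                  "GetVersion", "Query", "RenameId", "UpdatePackage"}
ROW = re.compile(r"^\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|$")   # | key | value |
TEST = re.compile(r"^-\s*(\w+):\s*(\S.*)$")                 # - Name: Status


def parse_report(text):
    """Split a report into (info table, per-test status, verdict line)."""
    info, tests, verdict = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ROW.match(line):
            key, value = m.groups()
            # Skip the header row and the :--- separator row.
            if key != "Information" and not set(key) <= set(":-"):
                info[key] = value
        elif m := TEST.match(line):
            tests[m.group(1)] = m.group(2)
        elif line.startswith("Validation "):
            verdict = line
    return info, tests, verdict


def check_evidence(text, expected=EXPECTED_TESTS):
    """Return a list of problems; empty means the report is complete and passing."""
    info, tests, verdict = parse_report(text)
    problems = [f"missing test: {n}" for n in sorted(expected - set(tests))]
    # Assumption: any status other than "Passed" marks a failure.
    problems += [f"{n}: {s}" for n, s in sorted(tests.items()) if s != "Passed"]
    if verdict != "Validation Passed":
        problems.append(f"verdict: {verdict!r}")
    for field in ("SpdxTool Version", "Time Stamp"):
        if not info.get(field):
            problems.append(f"missing field: {field}")
    return problems


# Constructed sample in the layout shown above; the values are made up.
SAMPLE = "\n".join(
    ["# DemaConsulting.SpdxTool", "| Information | Value |", "| :--- | :--- |",
     "| SpdxTool Version | 0.0.0-example |",
     "| Time Stamp | 2000-01-01T00:00:00Z |", "Tests:"]
    + [f"- {name}: Passed" for name in sorted(EXPECTED_TESTS)]
    + ["Validation Passed"])

if __name__ == "__main__":
    print(check_evidence(SAMPLE) or "report accepted")
```

Checking for the expected test names catches a report in which a test was dropped, something the exit code and the final verdict line alone would not show.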
We welcome contributions! Please see our Contributing Guide for details on:
- Setting up your development environment
- Coding standards and conventions
- Running tests and quality checks
- Submitting pull requests
Before contributing, please read our Code of Conduct.
This project maintains high code quality standards:
- ✓ Comprehensive unit test coverage
- ✓ Static code analysis with multiple analyzers
- ✓ Continuous integration with SonarCloud
- ✓ Self-validation system for tool correctness
- ✓ Warnings treated as errors
- ✓ EditorConfig for consistent code style
Additional information can be found at: