Skip to content
/ spdx-to-osv Public

Produce an Open Source Vulnerability JSON file based on information in an SPDX document

License

Apache-2.0 license
60 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

spdx/spdx-to-osv

BranchesTags

Repository files navigation

spdx-to-osv

Produce an Open Source Vulnerability JSON file based on information in an SPDX document

Usage

java -jar spdx-to-osv-with-dependencies.jar -I SpdxFile.spdx -O OSVOutput.json

where SpdxFile.spdx is an SPDX file in one of the following file extensions:

  • .json JSON SPDX format
  • .yaml YAML SPDX format
  • .spdx Tag/Value SPDX format
  • .rdf.xml, .rdf - RDF/XML SPDX format
  • .xlsx, .xls Spreadsheet SPDX format

Optional parameters:

  • -a,--all Include vulnerabilities for all packages in the SPDX file. Default is to only include vulnerabilities related to the element described by the document.
  • -f,--inputFormat <arg> Input file format - RDFXML, JSON, XLS, XLSX, YAML, or TAG

The utility produces an output file OSVOutput.json in the OSV JSON format

How it Works

The utility uses the OSV API's to query the OSV database using the following information if available:

  • Package name and version
  • CVE ExternalRef
  • Github download location if it includes a hash or version tag

Only vulnerabilities related to the SPDX element described by the document will be reported unless the --all option is used in which case vulnerabilities for all packages in the document will be provided.

About

Produce an Open Source Vulnerability JSON file based on information in an SPDX document

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

60 stars

Watchers

7 watching

Forks

11 forks
Report repository

Releases 5

Version 0.1.2 of the SPDX to OSV Utility Latest
Apr 17, 2023
+ 4 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages