Skip to content

Instantly share code, notes, and snippets.

Created August 18, 2023 11:23
Show Gist options
  • Save ba11b0y/a9c7e76f5cace805340edc739ceb0f18 to your computer and use it in GitHub Desktop.
Save ba11b0y/a9c7e76f5cace805340edc739ceb0f18 to your computer and use it in GitHub Desktop.
Final report of GSoC'23 with SPDX


The spdx-sbom-generator tool helps generating SBOM information complying with the SPDX standard and relies heavily on the parsers project. The summer of code was spent improving both these projects and the improvements can be therefore classified among the two as follows:


  • The GitHub actions pipeline to run tests for various language ecosystems was failing. This needed setting up of different environments and installing dependencies for some, in the pipeline itself to be able to run tests. opensbom-generator/parsers#60 fixed this.
  • The poetry parser lacked a dummy project(testdata) to be tested against for sanity. opensbom-generator/parsers#62 introduced a simple fastapi project with lockfiles.
  • Following the above change, unit tests were added with opensbom-generator/parsers#63 and also these unit tests were integrated in the GitHub actions workflow using opensbom-generator/parsers#65


  • The current spdx-sbom-generator does not use the parsers project and instead contains the parsing logic inside the modules directory. PR #295 introduced a new command called sbomgen to leverage the existing parsers project to generate SBOMs. The entire refactor also uses to borrow schema definitions rather than defining them in the project so that the specification stays updated.
  • While the SBOMs generated using the refactor was tested against an online validator by the SPDX community, it is necessary to have this feature in the workflow. At the time of writing this document, I was also able to open a pull request addressing the same opensbom-generator/spdx-sbom-generator#299

Pull requests

Future work

  • Add a better SBOM generate and validate workflow. A WIP pull request can be found here
  • The parsers project is not yet battle tested and needs more improvement across different language ecosystem parsers. Also, many projects still lack test projects to be tested against for conformity. There are a bunch of issues in the spdx-sbom-generator project which track bug reports for various parsers.
  • Once the parsers project is battle tested, the new refactor project can be surfaced for use.
  • Add support for the upcoming SPDX 3.0 spec in the refactor.


  • While testing out the GitHub actions, I learnt to use to quickly try them out locally.
  • Discussions about unit tests vs integration tests helped me weigh their pros and cons.
  • My mentors Nisha(@nishakm) and Adolfo(@puerco) were kind enough to review my code which helped in stepping up my design/architecture skills.
  • The mentors' contributions to my learning not only included writing better code but also taught me a lot about how an open source community functions and also the challenges which revolve around them. I think these important learnings are going to stay with me for a long period of time. Thanks Nisha and Adolfo :)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment