GSOC 2014 SPDX projects

GSOC 2014 - SPDX Tooling Projects


SPDX Introduction
The Software Package Data Exchange® (SPDX®) specification is a standard format for communicating the licenses and copyrights for components of a software package.  The vision of SPDX is to achieve software license compliance with minimal cost across the software supply chain with a primary focus on compliance with open source licenses.

The SPDX Technical Team members develop open source tools to create, convert and validate SPDX documents.

SPDX Community
Website - www.spdx.org
Wiki – http://wiki.spdx.org
GitHub
    https://github.com/goneall/SPDX-Tools
    https://github.com/spdx-tools/fossology-spdx
Mailing Lists
    http://lists.spdx.org/mailman/listinfo
    http://lists.spdx.org/mailman/listinfo/spdx-tech
IRC channel - #spdx on freenode
Code Licenses: Apache 2.0, BSD 2-Clause

PROJECTS

Eclipse Maven (m2e) SPDX Extension
Develop an Eclipse Maven (m2e) extension which will produce and maintain an SPDX document within the Eclipse development environment. This will give software developers using the Eclipse IDE an easy method of developing and maintaining SPDX documents.

Skills Needed
Experience with the Eclipse IDE
Experience with Maven
Java software coding skills
Understanding of the software development and build process

Background Information
The Extension Development Wiki describes what is involved in writing an m2e extension. The spdx-maven-plugin, which generates SPDX documents within a Maven script, can provide an example of a similar software project. The SPDX specification itself describes the output of the tool.

Mentor: Gary O'Neall

 

Parser Libraries
Create a library for creating and parsing SPDX documents in a popular programming language. This will enable other tool developers to easily add SPDX support and create a larger community of tool developers.

Skills Needed
Development skills in the language of choice
Experience with parser development
Understanding of RDF and XML

Background Information
SPDX currently provides libraries supporting the reading and writing of SPDX documents. Currently, only Java libraries have been developed. There have been several requests for libraries in additional languages. The libraries must support both RDF/XML import/export and tag/value import/export. The SPDX git repository SPDX Tools project contains the source code for the Java libraries.

Mentor: Gary O'Neall

Online Validation Tools
Create a web-accessible tool for validating SPDX documents.

Skills Needed
Software development skills for Web-based applications
Good user interface design skills

Background Information
An online form which allows the uploading, parsing, and validation of SPDX documents would provide immediate benefit to the SPDX community. There is no specific programming language requirement, but there is an existing Java library which could be used in the project. Some of the technical challenges for this project include handling long-running operations and implementing a very robust parser able to handle any input. Additional online tools could also be added, such as document format conversion and reporting/pretty printing.

Available Mentor: Gary O'Neall

 

Source Code License Identifier Parser
Create a tool which will parse source code and create an SPDX document based on SPDX standard license identifiers found in the source code.

Skills Needed
Experience developing parser/scanners
Understanding of various programming languages
Java development experience a plus

Background Information
There is a proposal to add meta tags in source code comments. Once these license IDs have been produced, this tool could scan the source code for the meta tags and create the appropriate SPDX document. There is no language requirement; however, there are existing Java libraries which could help build the SPDX document.

Available Mentor: Gary O'Neall

 

Merge Tool
Create a tool to merge multiple SPDX documents into a single SPDX document, updating all the appropriate fields. This tool has been requested by corporate users who will be using it in their software development process.

Skills Needed
Java software coding skills
Understanding of the software development and build process
Experience developing in an environment with multiple developers and multiple committers

Background Information
It is recommended that the existing SPDX tools framework be used as a base for the tools. The SPDX git repository SPDX Tools project contains the source code for the framework. There will likely be some interaction with some of the companies requesting the tool. The SPDX workgroup tools webpage provides an overview of the current tools implemented using this framework.


Available Mentor: Gary O'Neall

 

Fossology+SPDX Tools
Support the advancement of tooling to produce SPDX documents from the FOSSology open source package scanner. This tool supports the integration of the SPDX standard into current license scanning practices.

Skills Needed
Linux environment skills
PHP software coding skills
MySQL database skills
GitHub repository management skills
Understanding of the software development and build process
Experience developing in an environment with multiple developers and multiple committers

Background Information
This project was one of the first open source tooling projects aimed at integrating the SPDX standard into package scanning software. The project began in 2012 at the University of Nebraska Omaha's Open Source Lab, aimed at bridging two open source initiatives in the advancement of both communities. The project has evolved to include both web-based and command line tools in the integration of FOSSology and SPDX. Future work includes interface redesign, FOSSology performance improvements, and the inclusion of additional package scanning software results to improve the robustness of SPDX documents. Current source is available here.


Available Mentor: Matt Germonprez

Yocto+SPDX Tools
Support the advancement of tooling to produce SPDX documents as part of the Yocto build process. The Yocto Project is an open source project supported by the Linux Foundation. The Yocto Project "provides templates, tools and methods to help you create custom Linux-based systems for embedded products regardless of the hardware architecture." The proposed project integrates the production of SPDX documents into upstream, open source projects intending to advance open compliance standards. Current source is available here.

Skills Needed
Linux environment skills
Python software coding skills
MySQL database skills
JSON format skills
GitHub repository management skills
Understanding of the software development and build process
Experience developing in an environment with multiple developers and multiple committers

Background Information
This project was intended to bridge two Linux Foundation supported projects, SPDX and Yocto. It was also aimed at identifying upstream open source projects that could help the distribution of the SPDX documents. A critical component of the SPDX standard is its production and consumption in software supply chains. Upstream projects offer considerable potential in large-scale, albeit data-poor, SPDX documents. Work on the Yocto+SPDX project would continue to refine the systems by which SPDX documents are built during automated build processes.

Available Mentor: Matt Germonprez
