When creating reference builds of open source projects that others can use, being able to accurately document what was included is increasingly important, both for determining whether a security vulnerability may apply and for accurately figuring out which open source licenses need to be complied with. Until now this has been a fairly manual process; as a result it gets passed down the supply chain, and we end up with either a bit of a mess or a dependence on expensive tooling.
In the last year we've seen a significant number of open source tools emerge that can help with this task and allow much of the manual work to be automated, so that accurate, machine-shareable files can be created. This talk will provide a quick overview of the state of open source tools able to generate and consume SPDX documents, then brainstorm about the logical points in reference builds and upstream projects where it makes sense to use them, and what some of the limitations are. Where gaps are identified, we'll look at what needs to be done to fix them.