Important: We protect the e-mail addresses of our mentors and mailing lists against spam bots. Please replace all occurrences of “ at ” and “ dot ” with “@” and “.” respectively.
First and foremost we are a community dedicated to solving the issues and problems around compliance and risk management. This is accomplished through the development and support of an open standard capable of representing systems with software components, as in SBOMs (Software Bills of Materials), together with AI, data and security references.
The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of whom have been involved with AI, software security, license compliance and identification for years.
Contributing to one of the SPDX projects below will make a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence, we believe you will be able to look back one day and say, "I was part of that effort."
Beyond working with your mentor(s), we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on Gitter (see resources). There is also a weekly call you could join. Details can be found on the SPDX Technical Team participation page.
SBOM Conformance Checker
Create a web accessible tool for validating SPDX 3.0 documents.
Skills Needed:
Familiarity with the CISA Common Software Bill of Materials or the EU AI Act
Background Information:
An online form which allows the uploading, parsing, and validation of SPDX 3.0 documents would provide immediate benefit to the SPDX community. There is no specific programming language requirement, but there are existing Java and Python libraries which could be used in the project. Some of the technical challenges for this project include having to handle long running operations and implementing a very robust parser able to handle any input, including malformed or hostile files.
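The following is an added illustration of the "robust parser able to handle any input" challenge, written for this page and not taken from the SPDX project or its Java/Python libraries. It assumes the SPDX 3.0 JSON-LD layout of a top-level "@context" and a "@graph" list containing CreationInfo nodes keyed by "@id" and Elements carrying "type", "spdxId" and a "creationInfo" reference; the sample document is constructed, and the size cap and field names are the author's choices.

```python
import json

# Added example, not SPDX project code. Assumes the SPDX 3.0 JSON-LD layout: "@context" plus a
# "@graph" of CreationInfo nodes keyed by "@id" and Elements with "type", "spdxId", "creationInfo".
MAX_BYTES = 5 * 1024 * 1024  # reject oversized uploads before parsing (assumed limit)
CREATION_FIELDS = ("@id", "specVersion", "created", "createdBy")
ELEMENT_FIELDS = ("type", "spdxId", "creationInfo")

# Constructed minimal document for a stand-alone run; not a file published by SPDX.
SAMPLE = b'''{"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld", "@graph": [
 {"type": "CreationInfo", "@id": "_:ci", "specVersion": "3.0.1",
  "created": "2024-01-01T00:00:00Z", "createdBy": ["https://example.com/agent/a"]},
 {"type": "SpdxDocument", "spdxId": "https://example.com/doc/1", "creationInfo": "_:ci"}]}'''

def validate_spdx3(raw: bytes) -> list[str]:
    """Return validation errors (empty list = pass); never raises on hostile input."""
    if len(raw) > MAX_BYTES:
        return [f"document exceeds {MAX_BYTES} bytes"]
    try:  # RecursionError covers absurdly deep nesting, which json.loads does not report as ValueError
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError) as exc:
        return [f"not valid UTF-8 JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    errors = [] if "@context" in doc else ["missing @context"]
    graph = doc.get("@graph")
    if not isinstance(graph, list):
        return errors + ["@graph must be a list"]
    errors += [f"node {i}: not a JSON object" for i, n in enumerate(graph) if not isinstance(n, dict)]
    nodes = [(i, n) for i, n in enumerate(graph) if isinstance(n, dict)]
    # Pass 1: index CreationInfo nodes so Element references can be resolved in pass 2.
    creation_ids = set()
    for i, node in nodes:
        if node.get("type") == "CreationInfo":
            errors += [f"node {i}: CreationInfo missing {f}" for f in CREATION_FIELDS if f not in node]
            creation_ids.add(node.get("@id"))
    # Pass 2: Elements need their required fields, a unique spdxId and a resolvable creationInfo.
    seen = set()
    for i, node in nodes:
        if node.get("type") == "CreationInfo":
            continue
        errors += [f"node {i}: missing or non-string {f}" for f in ELEMENT_FIELDS if not isinstance(node.get(f), str)]
        sid, ref = node.get("spdxId"), node.get("creationInfo")
        if isinstance(sid, str) and sid in seen:
            errors.append(f"node {i}: duplicate spdxId {sid}")
        seen.add(sid)
        if isinstance(ref, str) and ref not in creation_ids:
            errors.append(f"node {i}: creationInfo {ref!r} does not resolve")
    return errors
```

Because every failure path returns a message instead of raising, the function can sit behind a web upload handler without a crash or traceback leaking to the client; a real checker would then hand a structurally sound document to the SPDX libraries for full semantic validation.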
Available Mentors: John Speed Meyers, Gary O'Neall (gary at sourceauditor dot com)