
Google Summer of Code 2025: SPDX projects

Contact

Important: We protect the e-mail addresses of our mentors and mailing lists against spam bots. Please replace all occurrences of “ at ” and “ dot ” by “@” and “.” resp.

What is SPDX?

First and foremost we are a community dedicated to solving the issues and problems around compliance and risk management. This is accomplished through the development and support of an open standard capable of representing systems with software components as in SBOMs (Software Bill of Materials) and other AI, data and security references.

The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of whom have been involved with AI, software security, license compliance and identification for years.

Why choose an SPDX Project?

Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence, we believe you will be able to look back one day and say, "I was part of that effort."

Getting Involved

Beyond working with your mentor(s), we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on Gitter (see resources). There is, however, a weekly call you could join as well. Details can be found on the SPDX Technical Team participation page.

Resources

Ideas for 2025 Projects

SBOM Conformance Checker

Create a web-accessible tool for validating SPDX 3.0 documents.

Size: Medium (175 hours)

Level of Difficulty: Hard

Skills Needed:

  • Software development skills for web-based applications
  • Good user interface design skills
  • Understanding of SBOM conformance and related standards/regulations such as CISA Common Software Bill of Materials or EU AI Act

Background Information:

An online form which allows the uploading, parsing, and validation of SPDX 3.0 documents would provide immediate benefit to the SPDX community. There is no specific programming language requirement, but there are existing Java and Python libraries which could be used in the project. Some of the technical challenges for this project include handling long-running operations and implementing a very robust parser able to handle any input.

Available Mentors: John Speed Meyers, Gary O'Neall (gary at sourceauditor dot com)

Enhancing the Functionality of spdx-license-diff

The spdx-license-diff tool is a JavaScript-based web browser plugin that enables users to easily compare license text on a website with the contents of all licenses on the SPDX License List, generating percentage matches and differences.

spdx-license-diff requires updates to enable it to continue working with newer versions of Firefox and Chrome – see https://github.com/spdx/spdx-license-diff/issues/121 and https://github.com/spdx/spdx-license-diff/issues/122 for example.

There are also several areas where its functionality could be extended, such as:

  • Indicating which of several “alt” options for regular expressions is matched
  • Other usability and functionality improvements

Size: Medium (175 hours)

Level of Difficulty: Medium

Skills Needed:

  • Software development skills for browser extensions
  • Good user interface design skills
  • Proficient in JavaScript

Available Mentors: Vedant Jolly (vedantjolly2001 at gmail dot com), Rohit Lodha (rohit.lodhartg at gmail dot com), Gary O'Neall (gary at sourceauditor dot com)

Revamping and Enhancing the License List Website

The SPDX License List website is generated via the License List Publisher tool and populated from the SPDX License List XML files. The Publisher tool is written in Java.

The website could use some updates to its appearance and functionality to make it more modern and to improve its usefulness and accessibility, such as:

  • Filtering on the table of contents pages for more quickly finding licenses. Currently, there is JavaScript for sorting the different columns, but no other option to search or find licenses other than scrolling.
  • Possibly a more advanced search option to enable searching on a specific text phrase, which would likely be implemented in the Python-based SPDX Online Tools
  • Edits to the license page templates (HTML) to make visible the OSI and FSF approved data, and link to the license-list-xml GitHub location
  • Improve readability and accessibility for displaying regular expressions corresponding to “alt text” sections (e.g. the red text in each license page).
  • Consider user accessibility.
  • Consider mobile view and page responsiveness.
  • Design improvements and recommendations overall

Size: Medium (175 hours)

Level of Difficulty: Medium

Skills Needed:

  • Software development skills for web-based applications
  • Good user interface design skills
  • Proficient in Java

Available Mentors: Rohit Lodha (rohit.lodhartg at gmail dot com), Vedant Jolly (vedantjolly2001 at gmail dot com), Gary O'Neall (gary at sourceauditor dot com)

gsoc/2025-gsoc-spdx.txt · Last modified: 2025/03/28 15:48 by VedantJolly2808