Important: We protect the e-mail addresses of our mentors and mailing lists against spam bots. Please replace all occurrences of “ at ” and “ dot ” by “@” and “.” resp.
First and foremost we are a community dedicated to solving the issues and problems around compliance and risk management. This is accomplished through the development and support of an open standard capable of representing systems with software components as in SBOMs (Software Bill of Materials) and other AI, data and security references.
The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of whom have been involved with AI, software security, license compliance and identification for years.
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence, we believe you will be able to look back one day and say, "I was part of that effort."
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. Details can be found on the SPDX Technical Team participation page.
SBOM Conformance Checker
Create a web accessible tool for validating SPDX 3.0 documents.
Size: Medium (175 hours)
Level of Difficulty: Hard
Skills Needed:
has CISA Common Software Bill of Materials or EU AI Act
Background Information:
An online form which allows the uploading, parsing, and validation of SPDX 3.0 documents would provide immediate benefit to the SPDX community. There is no specific programming language requirement, but there are existing Java and Python libraries which could be used in the project. Some of the technical challenges for this project include handling long-running operations and implementing a very robust parser able to handle any input.
Available Mentors: John Speed Meyers, Gary O'Neall (gary at sourceauditor dot com)
Enhancing the Functionality of spdx-license-diff
The spdx-license-diff tool is a JavaScript-based web browser plugin that enables users to easily compare license text on a website with the contents of all licenses on the SPDX License List, generating percentage matches and differences.
spdx-license-diff requires updates to enable it to continue working with newer versions of Firefox and Chrome – see https://github.com/spdx/spdx-license-diff/issues/121 and https://github.com/spdx/spdx-license-diff/issues/122 for example.
There are also several areas where its functionality could be extended, such as:
Size: Medium (175 hours)
Level of Difficulty: Medium
Skills Needed:
Available Mentors: Vedant Jolly (vedantjolly2001 at gmail dot com), Rohit Lodha (rohit.lodhartg at gmail dot com), Gary O'Neall (gary at sourceauditor dot com)
Revamping and Enhancing the License List Website
The SPDX License List website is generated via the License List Publisher tool and populated from the SPDX License List XML files. The Publisher tool is written in Java.
The website could use some updates to its appearance and functionality to make it more modern and improve usefulness and accessibility such as:
Size: Medium (175 hours)
Level of Difficulty: Medium
Skills Needed:
Available Mentors: Rohit Lodha (rohit.lodhartg at gmail dot com), Vedant Jolly (vedantjolly2001 at gmail dot com), Gary O'Neall (gary at sourceauditor dot com)