DemaConsulting.SpdxTool
2.10.0
SPDX Tool
Dotnet tool for manipulating SPDX SBOM files
Installation
The following will add SpdxTool to a Dotnet tool manifest file:
```bash
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local DemaConsulting.SpdxTool
```
The tool can then be executed by:
```bash
dotnet spdx-tool <arguments>
```
Usage
The following shows the command-line usage of SpdxTool:
```text
Usage: spdx-tool [options] <command> [arguments]

Options:
  -h, --help                                  Show this help message and exit
  -v, --version                               Show version information and exit
  -l, --log <log-file>                        Log output to file
  -s, --silent                                Silence console output
  --validate                                  Perform self-validation
  -r, --result <file>                         Self-validation result file (.trx TRX or .xml JUnit XML)

Commands:
  help <command>                              Display extended help about a command
  add-package                                 Add package to SPDX document (workflow only).
  add-relationship <spdx.json> <args>         Add relationship between elements.
  copy-package <spdx.json> <args>             Copy package between SPDX documents (workflow only).
  diagram <spdx.json> <mermaid.txt> [tools]   Generate mermaid diagram.
  find-package <spdx.json> <criteria>         Find package ID in SPDX document
  get-version <spdx.json> <criteria>          Get the version of an SPDX package.
  hash <operation> <algorithm> <file>         Generate or verify hashes of files
  print <text>                                Print text to the console
  query <pattern> <program> [args]            Query program output for value
  rename-id <arguments>                       Rename an element ID in an SPDX document.
  run-workflow <workflow.yaml>                Runs the workflow file/url
  set-variable                                Set workflow variable (workflow only).
  to-markdown <spdx.json> <out.md> [args]     Create Markdown summary for SPDX document
  update-package                              Update package in SPDX document (workflow only).
  validate <spdx.json> [ntia]                 Validate SPDX document for issues
```

A more detailed description of the usage can be found in the command-line documentation.
Workflow YAML Files
SpdxTool can be driven using workflow YAML files of the following format:

```yaml
# Workflow parameters
parameters:
  parameter-name: value

# Workflow steps
steps:
- command: <command-name>
  inputs:
    <arguments mapping>

- command: <command-name>
  inputs:
    input1: value
    input2: ${{ parameter-name }}
```

A more detailed description of workflow YAML files can be found in the workflow documentation.
Self Validation
Running self-validation produces a report containing the following information:
```text
# DemaConsulting.SpdxTool

| Information         | Value                                              |
| :------------------ | :------------------------------------------------- |
| SpdxTool Version    | <version>                                          |
| Machine Name        | <machine-name>                                     |
| OS Version          | <os-version>                                       |
| DotNet Runtime      | <dotnet-runtime-version>                           |
| Time Stamp          | <timestamp>                                        |

✓ SpdxTool_AddPackage - Passed
✓ SpdxTool_AddRelationship - Passed
✓ SpdxTool_Basic - Passed
✓ SpdxTool_CopyPackage - Passed
✓ SpdxTool_Diagram - Passed
✓ SpdxTool_FindPackage - Passed
✓ SpdxTool_GetVersion - Passed
✓ SpdxTool_Hash - Passed
✓ SpdxTool_Ntia - Passed
✓ SpdxTool_Query - Passed
✓ SpdxTool_RenameId - Passed
✓ SpdxTool_RunNuGetWorkflow - Passed
✓ SpdxTool_ToMarkdown - Passed
✓ SpdxTool_UpdatePackage - Passed

Total Tests: 14
Passed: 14
Failed: 0

Validation Passed
```
Each test in the report proves a specific command works correctly:
- SpdxTool_AddPackage - `add-package` command adds a package with relationships to an SPDX file.
- SpdxTool_AddRelationship - `add-relationship` command adds a relationship between SPDX elements.
- SpdxTool_Basic - `validate` command accepts valid and rejects invalid SPDX files.
- SpdxTool_CopyPackage - `copy-package` command copies a package with relationships between SPDX files.
- SpdxTool_Diagram - `diagram` command generates a Mermaid diagram from an SPDX file.
- SpdxTool_FindPackage - `find-package` command locates a package by name in an SPDX file.
- SpdxTool_GetVersion - `get-version` command retrieves a package version from an SPDX file.
- SpdxTool_Hash - `hash` command generates and verifies file hashes.
- SpdxTool_Ntia - `validate` command enforces NTIA minimum SBOM element requirements.
- SpdxTool_Query - `query` command extracts values from program output.
- SpdxTool_RenameId - `rename-id` command renames an element identifier throughout an SPDX file.
- SpdxTool_RunNuGetWorkflow - `run-workflow` command executes a workflow from a NuGet package.
- SpdxTool_ToMarkdown - `to-markdown` command generates a Markdown summary from an SPDX file.
- SpdxTool_UpdatePackage - `update-package` command updates all fields of a package in an SPDX file.
For detailed descriptions of each validation test, see the User Guide.
On validation failure the tool will exit with a non-zero exit code.
This report may be useful in regulated industries requiring evidence of tool validation.
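For the `validate <spdx.json> ntia` check that SpdxTool_Ntia covers, the following added example (not SpdxTool's own code or rule set) shows how the NTIA minimum elements map onto SPDX 2.x JSON fields and how gaps can be reported per package. The sample document and the decision to treat `NOASSERTION` as missing are assumptions of this illustration.

```python
# Package-level NTIA elements mapped to SPDX 2.x JSON package fields.
PACKAGE_FIELDS = {
    "Supplier Name": "supplier",
    "Component Name": "name",
    "Version of the Component": "versionInfo",
    "Other Unique Identifiers": "SPDXID",
}

def ntia_issues(doc):
    """Return a list of NTIA minimum-element gaps found in an SPDX document."""
    issues = []
    info = doc.get("creationInfo") or {}
    if not info.get("creators"):
        issues.append("document: missing Author of SBOM Data (creationInfo.creators)")
    if not info.get("created"):
        issues.append("document: missing Timestamp (creationInfo.created)")
    # Element IDs that appear on either side of at least one relationship.
    related = set()
    for rel in doc.get("relationships") or []:
        related.update((rel.get("spdxElementId"), rel.get("relatedSpdxElement")))
    related.discard(None)
    for pkg in doc.get("packages") or []:
        label = pkg.get("SPDXID") or pkg.get("name") or "<unnamed package>"
        for element, field in PACKAGE_FIELDS.items():
            value = str(pkg.get(field) or "").strip()
            # Assumption: NOASSERTION is valid SPDX but carries no data, so flag it.
            if not value or value == "NOASSERTION":
                issues.append(f"{label}: missing {element} ({field})")
        if pkg.get("SPDXID") not in related:
            issues.append(f"{label}: missing Dependency Relationship")
    return issues

# Constructed sample: SPDXRef-Lib lacks supplier, version and any relationship.
SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [
        {"SPDXID": "SPDXRef-App", "name": "app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Corp"},
        {"SPDXID": "SPDXRef-Lib", "name": "lib", "supplier": "NOASSERTION"},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-App"}],
}

if __name__ == "__main__":
    print("\n".join(ntia_issues(SAMPLE)))
```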
Contributing
We welcome contributions! Please see our Contributing Guide for details on:
- Setting up your development environment
- Coding standards and conventions
- Running tests and quality checks
- Submitting pull requests
Before contributing, please read our Code of Conduct.
Project Quality
This project maintains high code quality standards:
- ✓ Comprehensive unit test coverage
- ✓ Static code analysis with multiple analyzers
- ✓ Continuous integration with SonarCloud
- ✓ Self-validation system for tool correctness
- ✓ Warnings treated as errors
- ✓ EditorConfig for consistent code style
- ✓ Continuous Compliance: Compliance evidence generated automatically on every CI run, following the Continuous Compliance methodology
License
Copyright (c) DEMA Consulting. Licensed under the MIT License. See LICENSE for details.
By contributing to this project, you agree that your contributions will be licensed under the MIT License.
Additional Information
Additional information can be found at:
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
This package has no dependencies.
| Version | Downloads | Last Updated |
|---|---|---|
| 2.10.0 | 4,456 | 4/6/2026 |
| 2.9.0 | 2,054 | 3/2/2026 |
| 2.8.0 | 433 | 2/25/2026 |
| 2.7.0 | 317 | 2/20/2026 |
| 2.6.0 | 2,846 | 12/15/2025 |
| 2.5.1 | 664 | 12/9/2025 |
| 2.5.0 | 439 | 12/4/2025 |
| 2.4.0 | 328 | 7/6/2025 |
| 2.3.0 | 3,034 | 5/4/2025 |
| 2.2.1 | 265 | 5/4/2025 |
| 2.2.0 | 439 | 12/1/2024 |
| 2.1.1 | 247 | 10/9/2024 |
| 2.1.0 | 210 | 10/3/2024 |
| 2.0.0 | 240 | 9/13/2024 |
| 1.4.1 | 241 | 9/13/2024 |
| 1.4.0 | 240 | 7/29/2024 |
| 1.3.2 | 176 | 7/24/2024 |
| 1.3.1 | 224 | 7/22/2024 |
| 1.3.0 | 233 | 7/15/2024 |
| 1.2.0 | 264 | 7/10/2024 |