====== GSOC 2014 SPDX projects ======

===== GSOC 2014 - SPDX Tooling Projects =====

**SPDX Introduction**\\
The Software Package Data Exchange® (SPDX®) specification is a standard format for communicating the licenses and copyrights for components of a software package. The vision of SPDX is to achieve software license compliance with minimal cost across the software supply chain, with a primary focus on compliance with open source licenses.

The SPDX Technical Team members develop open source tools to create, convert and validate SPDX documents.

**SPDX Community**\\
Website - www.spdx.org\\
Wiki - http://wiki.spdx.org\\
GitHub\\
https://github.com/goneall/SPDX-Tools\\
https://github.com/spdx-tools/fossology-spdx\\
Mailing Lists\\
http://lists.spdx.org/mailman/listinfo\\
http://lists.spdx.org/mailman/listinfo/spdx-tech\\
IRC channel - #spdx on freenode\\
Code Licenses: Apache 2.0, BSD 2-Clause

**PROJECTS**

**Eclipse Maven (m2e) SPDX Extension**\\
Develop an Eclipse Maven (m2e) Extension which will produce and maintain an SPDX document within the Eclipse development environment. This will give software developers using the Eclipse IDE an easy method of developing and maintaining SPDX documents.

//Skills Needed//\\
Experience with the Eclipse IDE\\
Experience with Maven\\
Java software coding skills\\
Understanding of the software development and build process

//Background Information//\\
The Extension Development Wiki describes what is involved in writing an m2e extension. The spdx-maven-plugin, which generates SPDX documents within a Maven script, can provide an example of a similar software project. The SPDX specification itself will describe the output of the tool.

Mentor: Gary O'Neall

**Parser Libraries**\\
Create a library for creating and parsing SPDX documents in a popular programming language. This will enable other tools developers to easily add SPDX support and create a larger community of tools developers.

//Skills Needed//\\
Development skills in the language of choice\\
Experience with parser development\\
Understanding of RDF and XML

//Background Information//\\
SPDX currently provides libraries supporting the reading and writing of SPDX documents. Currently, only Java libraries have been developed. There have been several requests for libraries in additional languages. The libraries must support both RDF/XML import/export and tag/value import/export. The SPDX git repository SPDX Tools project contains the source code for the Java libraries.

Mentor: Gary O'Neall

**Online Validation Tools**\\
Create a web-accessible tool for validating SPDX documents.

//Skills Needed//\\
Software development skills for web-based applications\\
Good user interface design skills

//Background Information//\\
An online form which allows the uploading, parsing, and validation of SPDX documents would provide immediate benefit to the SPDX community. There is no specific programming language requirement, but there is an existing Java library which could be used in the project. Some of the technical challenges for this project include having to handle long-running operations and implementing a very robust parser able to handle any input. Additional online tools could also be added, such as document format conversion and reporting/pretty printing.

Available Mentor: Gary O'Neall

**Source Code License Identifier Parser**\\
Create a tool which will parse source code and create an SPDX document based on SPDX standard license identifiers found in the source code.

//Skills Needed//\\
Experience developing parsers/scanners\\
Understanding of various programming languages\\
Java development experience a plus

//Background Information//\\
There is a proposal to add Meta Tags in source code comments. Once these license IDs have been produced, this tool could scan the source code for the meta tags and create the appropriate SPDX document. There is no language requirement; however, there are existing Java libraries which could help build the SPDX document.

Available Mentor: Gary O'Neall

**Merge Tool**\\
Create a tool to merge multiple SPDX documents into a single SPDX document, updating all the appropriate fields. This tool has been requested by corporate users who will be using it in their software development process.

//Skills Needed//\\
Java software coding skills\\
Understanding of the software development and build process\\
Experience developing in an environment with multiple developers and multiple committers

//Background Information//\\
It is recommended that the existing SPDX tools framework be used as a base for the tools. The SPDX git repository SPDX Tools project contains the source code for the framework. There will likely be some interaction with some of the companies requesting the tool. The SPDX workgroup tools webpage provides an overview of the current tools implemented using this framework.

Available Mentor: Gary O'Neall

**FOSSology+SPDX Tools**\\
Support the advancement of tooling to produce SPDX documents from the FOSSology open source package scanner. This tool supports the integration of the SPDX standard into current license scanning practices.

//Skills Needed//\\
Linux environment skills\\
PHP software coding skills\\
MySQL database skills\\
GitHub repository management skills\\
Understanding of the software development and build process\\
Experience developing in an environment with multiple developers and multiple committers

//Background Information//\\
This project was one of the first open source tooling projects aimed at integrating the SPDX standard into package scanning software. The project began in 2012 at the University of Nebraska Omaha's Open Source Lab, aimed at bridging two open source initiatives in the advancement of both communities. The project has evolved to include both web-based and command line tools in the integration of FOSSology and SPDX. Future work includes interface redesign, FOSSology performance improvements, and the inclusion of additional package scanning software results to improve the robustness of SPDX documents. Current source is available here.

Available Mentor: Matt Germonprez

**Yocto+SPDX Tools**\\
Support the advancement of tooling to produce SPDX documents as part of the Yocto build process. The Yocto Project is an open source project supported by the Linux Foundation. The Yocto project "provides templates, tools and methods to help you create custom Linux-based systems for embedded products regardless of the hardware architecture." The proposed project integrates the production of SPDX documents into upstream, open source projects intending to advance open compliance standards. Current source is available here.

//Skills Needed//\\
Linux environment skills\\
Python software coding skills\\
MySQL database skills\\
JSON format skills\\
GitHub repository management skills\\
Understanding of the software development and build process\\
Experience developing in an environment with multiple developers and multiple committers

//Background Information//\\
This project was intended to bridge two Linux Foundation-supported projects, SPDX and Yocto. It was also aimed at identifying upstream open source projects that could help the distribution of the SPDX documents. A critical component of the SPDX standard is its production and consumption in software supply chains. Upstream projects offer considerable potential in large-scale, albeit data-poor, SPDX documents. Work on the Yocto+SPDX project would continue to refine the systems by which SPDX documents are built during automated build processes.

Available Mentor: Matt Germonprez