A modern C# library for working with SPDX (Software Package Data Exchange) documents. This library provides a comprehensive in-memory model for reading, manipulating, and writing SPDX Software Bill of Materials (SBOM) files.
- 🚀 Full SPDX 2.2 and 2.3 Support - Complete implementation of SPDX specifications
- 📦 In-Memory Model - Efficient object model for SPDX documents
- 🔄 JSON Serialization - Read and write SPDX documents in JSON format
- 🎯 Type-Safe - Strongly-typed C# API with nullable reference types
- 🔍 Transform Support - Built-in utilities for manipulating SPDX relationships
- ⚡ Multi-Target - Supports .NET 8, 9, and 10
- 🧪 Well-Tested - Comprehensive test suite with high code coverage
- 📚 Well-Documented - XML documentation for all public APIs
Install the package via NuGet:
dotnet add package DemaConsulting.SpdxModelOr via the Package Manager Console:
Install-Package DemaConsulting.SpdxModelusing DemaConsulting.SpdxModel;
using DemaConsulting.SpdxModel.IO;
// Read SPDX document from JSON
var json = File.ReadAllText("sbom.spdx.json");
var document = Spdx2JsonDeserializer.Deserialize(json);
// Access document properties
Console.WriteLine($"Document: {document.Name}");
Console.WriteLine($"Version: {document.Version}");
Console.WriteLine($"Packages: {document.Packages.Length}");using DemaConsulting.SpdxModel;
using DemaConsulting.SpdxModel.IO;
// Create a new SPDX document
var document = new SpdxDocument
{
Id = "SPDXRef-DOCUMENT",
Name = "My Software",
Version = "SPDX-2.3",
DocumentNamespace = "https://example.com/my-software",
CreationInformation = new SpdxCreationInformation
{
Created = DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ssZ"),
Creators = ["Tool: MyTool-1.0"]
},
Packages =
[
new SpdxPackage
{
Id = "SPDXRef-Package",
Name = "MyPackage",
Version = "1.0.0",
DownloadLocation = "https://example.com/package",
FilesAnalyzed = false,
LicenseConcluded = "MIT",
LicenseDeclared = "MIT",
CopyrightText = "Copyright (c) 2024 Example Corp"
}
]
};
// Serialize to JSON
var json = Spdx2JsonSerializer.Serialize(document);
File.WriteAllText("output.spdx.json", json);using DemaConsulting.SpdxModel;
using DemaConsulting.SpdxModel.Transform;
// Add relationships to a document
var relationship = new SpdxRelationship
{
Id = "SPDXRef-DOCUMENT",
RelationshipType = SpdxRelationshipType.Describes,
RelatedSpdxElement = "SPDXRef-Package"
};
SpdxRelationships.Add(document, relationship);
// Get root packages from a document
var rootPackages = document.GetRootPackages();SpdxDocument- Represents an SPDX documentSpdxPackage- Represents a software packageSpdxFile- Represents a fileSpdxSnippet- Represents a code snippetSpdxRelationship- Represents relationships between elementsSpdxCreationInformation- Document creation metadata
Spdx2JsonSerializer- Serialize SPDX documents to JSONSpdx2JsonDeserializer- Deserialize SPDX documents from JSON
SpdxRelationships- Utilities for managing relationships
- API Documentation - Detailed API reference
- Contributing Guide - How to contribute to the project
- Code of Conduct - Community guidelines
- Security Policy - Security vulnerability reporting
- AGENTS.md - Instructions for AI coding agents
- .NET 8.0, 9.0, or 10.0
- C# 12 or later
# Clone the repository
git clone https://github.com/demaconsulting/SpdxModel.git
cd SpdxModel
# Restore tools
dotnet tool restore
# Build
dotnet build
# Run tests
dotnet testdotnet test --collect:"XPlat Code Coverage;Format=opencover"We welcome contributions! Please see our Contributing Guide for details on:
- Setting up your development environment
- Coding standards and guidelines
- Submitting pull requests
- Reporting bugs and requesting features
This project is licensed under the MIT License - see the LICENSE file for details.
- 📫 Issues: GitHub Issues
- 💬 Discussions: GitHub Discussions
- SPDX Specification - Official SPDX specification
- spdx-tool - Command-line tool for working with SPDX documents
This project follows the SPDX specification maintained by the Linux Foundation.
Made with ❤️ by DEMA Consulting