
[🐛] SPDX output only reports vulnerabilities #43

Open
hectorj2f opened this issue May 9, 2022 · 4 comments


hectorj2f commented May 9, 2022

  • node -v:
  • npm -v:
  • OS: (e.g. Linux, ...)
  • Command run: (e.g. snyk2spdx ..., ...)

Expected behaviour

Please share expected behaviour.
I would expect the rest of SPDX fields to be populated instead of only the vulnerabilities.

Actual behaviour

SPDX output only populates the vulnerabilities field of SPDX 3.0.

@lili2311 (Contributor)

Hi @hectorj2f, thanks for your request. At the time of building this, the spec was very much in progress and had missing/undocumented fields, so these are not present today.
This repo has not been updated since. I am checking internally if there are any plans to evolve this project and will share back your feedback.

@hectorj2f (Author)

> I am checking internally if there are any plans to evolve this project and will share back your feedback.

Thanks @lili2311. That would help us to get some expectations.

@lili2311 (Contributor)

lili2311 commented Jul 7, 2022

Hi @hectorj2f

This tool is a look ahead at the new vulnerability extension in the WIP SPDX v3 spec.

We're building out a new API for Snyk at the moment, and working on where this will utilise various emerging standards.
This will include issues from Snyk Open Source projects, where SPDX + the vulnerability extension is relevant.
We have an API in the works for grabbing the dependency information in standard formats as well, starting with CycloneDX, but we'll be adding support for SPDX as well.

If you want to chat about this, talk to your Snyk contact, who can grab someone from the product team to talk more.

@hectorj2f (Author)

hectorj2f commented Jul 7, 2022

@lili2311 Thanks for the update. We are currently using this tool. We are definitely interested in any more stable service that could provide similar functionality.
