tsteenbe | 3 years ago
Try ORT https://github.com/oss-review-toolkit/ort (full disclosure I am one of its maintainers and also the lead of the SPDX Defects/Security Profile).
If people have questions on SBOMs, comparing SCA/SBOM tools or ORT - feel free to reach out to me https://github.com/tsteenbe/
ORT plug below ;-)
ORT is much more than an SBOM generator though, it's a cli/library that enables you to safely use, integrate, modify and redistribute third party software including FOSS.
You can use ORT to:
1. Generate CycloneDX or SPDX SBOMs for your software project
2. Automate your FOSS policy using Policy as Code to do licensing, security vulnerabilities and engineering standards checks for your software project and its dependencies
3. Correct found invalid or missing package metadata (licensing, source location, etc.) and license findings in the sources of your software project and its dependencies
4. Overwrite scanner license findings in the sources of your software project and its dependencies
5. Mark files, directories or package manager scopes as not included in your software project or dependency released artifacts - use it to make clear that license findings in build scripts, documentation or tests in a package's sources do not apply to the release (binary) artifact
6. Create a source code archive for your software project, including its dependencies, to comply with certain licenses or to have your own copy, as nothing on the internet is forever
ORT has been built for several years by Open Source Program Offices from Bosch, EPAM, HERE and others who got frustrated with the state of SCA/SBOM tools not being able to support license compliance properly, and with the 30+ build tools you can find in a lot of large organizations.
To get started with ORT on your local machine I recommend using https://github.com/oss-review-toolkit/orthw/.
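As an added illustration of points 3 to 5 above (not part of the original comment), here is a constructed repository configuration in the `.ort.yml` format that ORT reads from the root of a project; the paths, scope name and licenses are made-up sample values, and the `reason` keywords are assumed to be the enum values ORT accepts for these sections.

```yaml
# .ort.yml (constructed example, placed in the root of the scanned repository)
excludes:
  # Files and directories whose license findings do not end up in the release artifact.
  paths:
  - pattern: "docs/**"
    reason: "DOCUMENTATION_OF"
    comment: "Documentation is not shipped in the binary release."
  - pattern: "**/test/**"
    reason: "TEST_OF"
    comment: "Unit tests are not part of the distributed artifact."
  - pattern: "build-tools/**"
    reason: "BUILD_TOOL_OF"
    comment: "Helper scripts used only at build time."
  # Package manager scopes (e.g. a test-only dependency scope) excluded from the released artifact.
  scopes:
  - pattern: "testImplementation"
    reason: "TEST_DEPENDENCY_OF"
    comment: "Test dependencies are not redistributed."

curations:
  # Overwrite a scanner license finding that was reported for a file in the project sources.
  license_findings:
  - path: "src/main/resources/third-party-sample.txt"
    start_lines: "1"
    line_count: 3
    detected_license: "GPL-2.0-only"
    concluded_license: "MIT"
    reason: "INCORRECT"
    comment: "Sample file quotes a GPL license header but is MIT licensed per upstream; corrected after manual review."
```

Excluded paths and scopes are still recorded in the ORT result, so reviewers can see what was left out and why instead of the findings silently disappearing.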