Skip to content

Latest commit



26 lines (20 loc) · 1.3 KB

File metadata and controls

26 lines (20 loc) · 1.3 KB


Produce an Open Source Vulnerability JSON file based on information in an SPDX document


java -jar spdx-to-osv-with-dependencies.jar -I SpdxFile.spdx -O OSVOutput.json

where SpdxFile.spdx is an SPDX file in one of the following file extensions:

  • .json JSON SPDX format
  • .yaml YAML SPDX format
  • .spdx Tag/Value SPDX format
  • .rdf.xml, .rdf - RDF/XML SPDX format
  • .xlsx, .xls Spreadsheet SPDX format

Optional parameters:

  • -a,--all Include vulnerabilities for all packages in the SPDX file. Default is to only include vulnerabilities related to the element described by the document.
  • -f,--inputFormat <arg> Input file format - RDFXML, JSON, XLS, XLSX, YAML, or TAG

The utility produces an output file OSVOutput.json in the OSV JSON format

How it Works

The utility uses the OSV API's to query the OSV database using the following information if available:

  • Package name and version
  • CVE ExternalRef
  • Github download location if it includes a hash or version tag

Only vulnerabilities related to the SPDX element described by the document will be reported unless the --all option is used in which case vulnerabilities for all packages in the document will be provided.