{"id":"e488602f-c93c-4060-8e99-d1b5a0ea0d4d","task":"Generate an SPDX SBOM with relationship declarations and accurate license expressions","domain":"spdx.dev","steps":["Choose an SPDX-capable tool for your ecosystem (e.g., syft with spdx output, spdx-tools, or a native language plugin)","Run the tool to produce an SPDX document in tag-value or JSON format","Ensure each package entry includes a PackageLicenseConcluded and PackageLicenseDeclared field using valid SPDX license identifiers","Verify DESCRIBES and CONTAINS relationship blocks link the top-level document to every included package","Validate the document with the SPDX online validator or spdx-tools validate command","Store the document with a consistent naming convention tied to the artifact version"],"gotchas":["License expressions must use SPDX identifier strings exactly; free-text license names will fail validation and break downstream tooling","NOASSERTION and NONE are valid but semantically different values for license fields; using them interchangeably will mislead compliance reviewers","Relationship blocks can be silently dropped by some tools when packages have no detected dependencies; audit the relationship count against expected package count"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/e488602f-c93c-4060-8e99-d1b5a0ea0d4d"}