SBOM-TOOL is a CLI tool that generates a software bill of materials (SBOM) for a software project from several dimensions of information: the source code repository, code fingerprints, the build environment, artifact information, artifact content, and the dependencies resolved during the build.
Features
- Collect source code project information, including repository address, version information, etc.
- Collect and generate code fingerprints
- Collect build environment information for the project
- Collect the dependency components the project is built with
- Collect information about the final artifact package
- Collect artifact content information, including file name, file type, checksum, etc.
SBOM document
- Assemble SBOM documents from per-phase segments
- Standard format conversion: supports the domestic XSPDX specification and SPDX, in JSON, TagValue and other formats
- Format validation: supports the domestic XSPDX specification and SPDX, in JSON, TagValue and other formats
Code fingerprint generation capability

| Language | Supported |
|---|---|
| C/C++ | yes |
| Java | yes |
| C# | yes |
| Dart | yes |
| Golang | yes |
| Javascript | yes |
| Objective-C | yes |
| Php | yes |
| Python | yes |
| Ruby | yes |
| Rust | yes |
| Swift | yes |
| Lua | yes |
Dependency package scanning capability
Parsing of configuration files and binary packages for the following package ecosystems is currently supported; more will be added step by step. A file marked `[graph]` is the one sbom-tool reads to build the dependency graph (transitive edges, not just direct dependencies); the command in parentheses is the one that produces it and must be run in the project before sbom-tool. Where the "Parsing file" cell is empty, the source page lists no file.

| Package Type | Package Manager | Parsing file | Dependency graph supported |
|---|---|---|---|
| maven | Maven | pom.xml, *.jar, *.war, [graph] maven-dependency-tree.txt (`mvn dependency:tree -DoutputFile=maven-dependency-tree.txt`) | yes |
| maven | Gradle | *.gradle, .gradle.lockfile, [graph] gradle-dependency-tree.txt (`gradlew gradle-baseline-java:dependencies > gradle-dependency-tree.txt`) | yes |
| conan | Conan | conanfile.txt, conan.lock, [graph] conan-graph-info.json (`conan graph info -f json > conan-graph-info.json`) | yes |
| npm | NPM | package.json, package-lock.json | no |
| npm | Yarn | | yes |
| npm | PNPM | | yes |
| golang | Go Module | go.mod, Go binary file, [graph] go-mod-graph.txt (`go mod graph > go-mod-graph.txt`) | yes |
| golang | Glide | | no |
| golang | GoDep | | no |
| golang | Dep | | no |
| golang | GVT | | no |
| pypi | PIP | Pipfile.lock, *dist-info/METADATA, PKG-INFO, *requirements*.txt, setup.py, [graph] pipenv-graph.txt (`pipenv graph > pipenv-graph.txt`) | yes |
| pypi | Poetry | | yes |
| conda | Conda | environment.yml, environment.yaml, package-list.txt | no |
| composer | Composer | composer.json, composer.lock | no |
| cargo | Cargo | Cargo.toml, [graph] Cargo.lock, Rust binary file | yes |
| carthage | Carthage | Cartfile, Cartfile.resolved | no |
| swift | SwiftPM | | no |
| cocoapods | Cocoapods | Podfile.lock, Podfile, *.podspec | yes |
| gem | Gem | [graph] Gemfile.lock, Gemfile, *.gemspec | yes |
| nuget | NuGet | [graph] *.deps.json, *.csproj, *.vbproj, *.fsproj, *.vcproj, *.nuget.dgspec.json, *.nuspec, packages.json, packages.lock.json | yes |
| pub | Pub | [graph] pub-deps.json (`dart pub deps --json > pub-deps.json`), pubspec.lock, pubspec.yaml | yes |
| rpm | RPM | | no |
| lua | LuaRocks | | no |
| bower | Bower | | no |
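The table above implies a pre-flight step that is easy to forget in CI: for Maven, Conan, Go, pipenv and Pub the dependency graph only appears in the SBOM if the listed graph file was produced before sbom-tool runs. The helper below is an added example and not part of the sbom-tool project; it detects which manifests are present, emits the missing graph files with the exact commands from the table, then runs `sbom-tool generate` with the flags from the parameter table. The `-n/-v/-u/-b` flags are taken from the README's own generate example and are assumed to carry name, version, supplier and namespace, and the `sbom-tool validate -i ... -f ...` invocation is an assumption based on the parameter table. The project layout in `demo_detection` is constructed for illustration.

```python
"""Pre-flight helper for sbom-tool: produce the [graph] input files from the
dependency table, then run `sbom-tool generate` and `validate`.

Added example, not sbom-tool project code. Graph-producing commands and CLI
flags come from the README tables; -n/-v/-u/-b (name, version, supplier,
namespace) and the validate invocation are assumptions noted inline.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Manifest file -> (graph file sbom-tool reads, command that produces it), per the README table.
GRAPH_PRODUCERS = {
    "pom.xml": ("maven-dependency-tree.txt",
                "mvn dependency:tree -DoutputFile=maven-dependency-tree.txt"),
    "conanfile.txt": ("conan-graph-info.json",
                      "conan graph info -f json > conan-graph-info.json"),
    "go.mod": ("go-mod-graph.txt", "go mod graph > go-mod-graph.txt"),
    "Pipfile.lock": ("pipenv-graph.txt", "pipenv graph > pipenv-graph.txt"),
    "pubspec.yaml": ("pub-deps.json", "dart pub deps --json > pub-deps.json"),
}


def graph_commands(project_dir):
    """Commands still needed so every detected ecosystem has its graph file.

    Without the graph file sbom-tool can only read direct dependencies from
    the manifest; the graph file is what supplies the transitive edges.
    """
    root = Path(project_dir)
    return [
        cmd for manifest, (graph_file, cmd) in GRAPH_PRODUCERS.items()
        if (root / manifest).is_file() and not (root / graph_file).is_file()
    ]


def generate_argv(project_dir, src_dir, dist_dir, output, name, version,
                  supplier, namespace, fmt="spdx-json", parallelism=4):
    """argv for `sbom-tool generate`, mirroring the README's usage example."""
    return [
        "sbom-tool", "generate", "-m", str(parallelism),
        "-p", str(project_dir), "-s", str(src_dir), "-d", str(dist_dir),
        "-o", str(output), "-f", fmt, "--ignore-dirs", ".git",
        # Assumed meaning of the flags used in the README's generate example.
        "-n", name, "-v", version, "-u", supplier, "-b", namespace,
    ]


def run_pipeline(project_dir, dist_dir, output, name, version, supplier,
                 namespace, fmt="spdx-json"):
    """Run graph producers, then generate, then validate; returns validate's exit code."""
    if shutil.which("sbom-tool") is None:
        raise RuntimeError("sbom-tool is not on PATH")
    for cmd in graph_commands(project_dir):
        # shell=True is needed for the '>' redirections in the README's commands;
        # the commands are constants from GRAPH_PRODUCERS, never user input.
        subprocess.run(cmd, shell=True, cwd=project_dir, check=True)
    subprocess.run(generate_argv(project_dir, project_dir, dist_dir, output,
                                 name, version, supplier, namespace, fmt), check=True)
    # Assumption: validate takes -i/--input and -f/--format as listed in the parameter table.
    return subprocess.run(["sbom-tool", "validate", "-i", str(output), "-f", fmt]).returncode


def demo_detection():
    """Constructed layout: a Maven project that also has a Go module whose
    go-mod-graph.txt already exists, so only the Maven command is still needed."""
    root = Path(tempfile.mkdtemp())
    for name in ("pom.xml", "go.mod", "go-mod-graph.txt"):
        (root / name).write_text("")
    return graph_commands(root)


if __name__ == "__main__":
    import sys
    sys.exit(run_pipeline(".", "./dist", "sbom.spdx.json", "demo-app", "1.0.0",
                          "Example Inc", "https://example.com/sbom/demo-app"))
```

Run it from the project root once the ecosystem tooling (mvn, go, pipenv, ...) is on PATH; a non-zero exit from `validate` fails the build rather than shipping an SBOM that only reached the tool half-formed.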
Architecture
Installation
- Build from source (Go 1.18 or above is required):

```shell
git clone git@gitee.com:JD-opensource/sbom-tool.git
cd sbom-tool
make
```

By default this produces program binaries for the following system architectures:
- Linux x86_64: sbom-tool-linux-amd64
- Linux arm64: sbom-tool-linux-arm64
- Windows x86_64: sbom-tool-windows-amd64.exe
- Windows arm64: sbom-tool-windows-arm64.exe
- macOS amd64: sbom-tool-darwin-amd64
- macOS arm64: sbom-tool-darwin-arm64
Subcommands

| Subcommand | Function |
|---|---|
| help | Help about any command |
| artifact | Collect artifact information |
| assembly | Assemble an SBOM document from document segments |
| completion | Generate the autocompletion script for the specified shell |
| convert | Convert SBOM document format |
| env | Collect build environment info |
| fingerprint | Generate code fingerprint |
| generate | Generate SBOM document |
| package | Collect package dependencies |
| source | Collect source code information |
| validate | Validate SBOM document format |
| info | Get tool introduction information |
| modify | Modify SBOM document properties |
Parameter description

| Parameter | Short form | Description | Usage example |
|---|---|---|---|
| --log-level | | Log level (debug, info, warn, error) | `--log-level info` |
| --log-path | | Log output path (default "$home/sbom-tool/sbom-tool.log") | `--log-path /tmp/sbom.log` |
| --quiet | -q | No console output | `--quiet` or `-q` |
| --ignore-dirs | | Directories to ignore, split by comma; all dot-directories are skipped regardless. Example: node_modules,logs | `--ignore-dirs log,logs` |
| --language | -l | Programming language (currently supported: java, cpp) (default "*") | `--language java` or `-l cpp` |
| --parallelism | -m | Degree of parallelism (default 8) | `--parallelism 4` or `-m 9` |
| --output | -o | Output file; by default the result file is written to the current directory | `--output /tmp/sbom.json` |
| --src | -s | Project source directory (the project root is used if empty) (default ".") | `--src /tmp/sbomtool/src/` |
| --path | -p | Project home directory; for the assembly subcommand, the directory holding the temporary documents produced by each phase | `--path /tmp/sbomtool/` |
| --dist | -d | Distribution directory (default ".") | `--dist /tmp/sbomtool/bin/` |
| --format | -f | SBOM document format (currently supported: xspdx-json, spdx-json, spdx-tagvalue) (default spdx-json) | `--format xspdx-json` or `-f spdx-json` |
| --input | -i | SBOM document to use as input | `--input /tmp/sbom.json` |

Supported specifications and formats:

| Specification | Format | SBOM document format (`--format` value) | Status |
|---|---|---|---|
| XSPDX | JSON | xspdx-json | Supported |
| SPDX | JSON | spdx-json | Supported |
| SPDX | TagValue | spdx-tagvalue | Supported |
User guide
Generate code fingerprints only, from the source code path:

```shell
sbom-tool fingerprint -m 4 -s ${src_path} -o fingerprint.json --ignore-dirs .git
```

Generate an SBOM document in a specified format:

```shell
sbom-tool generate -m 4 -p ${project_path} -s ${src_path} -d ${dist_path} -o sbom.spdx.json -f spdx-json --ignore-dirs .git -n ${name} -v ${version} -u ${supplier} -b ${namespace}
```

The `-n`, `-v`, `-u` and `-b` flags in this example are not listed in the parameter table above; judging by the variable names they set the package name, version, supplier and document namespace.

Get tool introduction information:

```shell
sbom-tool info
```

See the documentation for details.
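The artifact-content section of a generated SBOM (file names and checksums) is only worth something if someone checks it downstream. The following is an added example, not sbom-tool code, showing what a consumer of the `spdx-json` output can do with it: re-hash every `files[]` entry against the shipped distribution directory and flag packages that carry no version (which cannot be matched against advisories). It relies only on standard SPDX 2.x JSON field names (`files[].fileName`, `files[].checksums[].algorithm` / `checksumValue`, `packages[].versionInfo`); the SBOM and distribution directory inside `demo()` are constructed for the demonstration rather than produced by the tool.

```python
"""Consumer-side integrity check for an SPDX 2.x JSON SBOM.

Added example, not part of sbom-tool. Uses standard SPDX JSON field names;
the SBOM built in demo() is constructed, not generated by the tool.
"""
import hashlib
import tempfile
from pathlib import Path


def _hash_file(path, algorithm):
    # SPDX spells algorithms "SHA256" / "SHA3-256"; hashlib wants "sha256" / "sha3_256".
    h = hashlib.new(algorithm.lower().replace("-", "_"))
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file_checksums(sbom, dist_dir):
    """Compare every files[] entry of the SBOM with the bytes on disk.

    Returns {fileName: "ok" | "mismatch" | "missing" | "no-checksum"}.
    A mismatch means the artifact changed after the SBOM was produced (or this
    SBOM belongs to a different build) and should fail a release gate.
    """
    results = {}
    for entry in sbom.get("files", []):
        name = entry["fileName"]
        rel = name[2:] if name.startswith("./") else name  # SPDX paths are usually "./..."
        path = Path(dist_dir) / rel
        if not path.is_file():
            results[name] = "missing"
            continue
        checksums = entry.get("checksums", [])
        if not checksums:
            results[name] = "no-checksum"
            continue
        ok = all(_hash_file(path, c["algorithm"]) == c["checksumValue"].lower()
                 for c in checksums)
        results[name] = "ok" if ok else "mismatch"
    return results


def unversioned_packages(sbom):
    """Names of packages[] entries without versionInfo; they cannot be matched
    against vulnerability advisories and deserve a second look."""
    return sorted(p["name"] for p in sbom.get("packages", []) if not p.get("versionInfo"))


def demo():
    """Constructed dist dir + SBOM: one intact file, one tampered after the
    SBOM was written, one listed but never shipped, one package without a version."""
    with tempfile.TemporaryDirectory() as dist:
        app = Path(dist) / "app"
        app.write_bytes(b"#!/bin/sh\necho hello\n")
        helper = Path(dist) / "lib" / "helper.so"
        helper.parent.mkdir()
        helper.write_bytes(b"original bytes")
        sbom = {
            "spdxVersion": "SPDX-2.3",
            "SPDXID": "SPDXRef-DOCUMENT",
            "files": [
                {"fileName": "./app", "SPDXID": "SPDXRef-File-app",
                 "checksums": [{"algorithm": "SHA256", "checksumValue": _hash_file(app, "SHA256")}]},
                {"fileName": "./lib/helper.so", "SPDXID": "SPDXRef-File-helper",
                 "checksums": [{"algorithm": "SHA256", "checksumValue": _hash_file(helper, "SHA256")}]},
                {"fileName": "./README.txt", "SPDXID": "SPDXRef-File-readme",
                 "checksums": [{"algorithm": "SHA1", "checksumValue": "0" * 40}]},
            ],
            "packages": [
                {"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.2.3"},
                {"name": "example-lib", "SPDXID": "SPDXRef-Package-lib"},
            ],
        }
        # Simulate post-build tampering of one shipped artifact.
        helper.write_bytes(b"backdoored bytes")
        return verify_file_checksums(sbom, dist), unversioned_packages(sbom)


if __name__ == "__main__":
    files, unversioned = demo()
    print(files)        # {'./app': 'ok', './lib/helper.so': 'mismatch', './README.txt': 'missing'}
    print(unversioned)  # ['example-lib']
```

In a real pipeline the `sbom` dict comes from `json.load()` on the `-o` file and `dist_dir` is the same directory passed to `-d`; any result other than "ok" should block the release.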
Development guide
See the Development guide documentation for details.
If you run into problems, you are welcome to open an issue.
How to contribute
SBOM-TOOL is an open source software composition analysis tool; we look forward to your contributions.
License
This project is licensed under MulanPSL2 - see the LICENSE file for details.