README
¶
SBOM-TOOL
English | 简体中文
SBOM-TOOL is a ctl tool that generates software bill of materials (SBOM) for software projects through source code warehouse, code fingerprint, construction environment, artifact information, artifact content, dependency construction and other dimensional information.
Feature
Information collection
- Collect source code engineering information, including warehouse address, version information, etc.
- Collect and generate code fingerprints
- Collecting engineering construction depends on environmental information
- Collect the dependent components built by the project
- Collect the final artifact package information
- Collect artifact content information, including file name type, check code, etc.
SBOM document
- Assemble SBOM documents
- Standard format conversion,support domestic XSPDX, SPDX and other specifications, support JSON, TagValue and other formats
- Canonical format check,support domestic XSPDX, SPDX and other specifications, support JSON, TagValue and other formats
Code fingerprint generation ability
| language | Is it supported |
|---|---|
C/C++ |
yes |
Java |
yes |
C# |
yes |
Dart |
yes |
Golang |
yes |
Javascript |
yes |
Objective-C |
yes |
Php |
yes |
Python |
yes |
Ruby |
yes |
Rust |
yes |
Swift |
yes |
Lua |
yes |
Dependent packet scanning capability
Configuration file parsing and binary package parsing related to the following programming languages are now supported, and more programming languages will be supported step by step.
| Package Type | Package Manager | Parsing file | support dependency graph |
|---|---|---|---|
maven |
Maven |
|
yes |
maven |
Gradle |
|
yes |
conan |
Conan |
|
yes |
npm |
NPM |
|
no |
npm |
Yarn |
|
yes |
npm |
PNPM |
|
yes |
golang |
Go Module |
|
yes |
golang |
Glide |
|
no |
golang |
GoDep |
|
no |
golang |
Dep |
|
no |
golang |
GVT |
|
no |
pypi |
PIP |
|
yes |
pypi |
Poetry |
|
yes |
conda |
Conda |
|
no |
composer |
Composer |
|
no |
cargo |
Cargo |
|
yes |
carthage |
Carthage |
|
no |
swift |
SwiftPM |
|
no |
cocoapods |
Cocoapods |
|
yes |
gem |
Gem |
|
yes |
nuget |
NuGet |
|
yes |
pub |
Pub |
|
yes |
rpm |
RPM |
|
no |
lua |
LuaRocks |
|
no |
bower |
Bower |
|
no |
Architecture
Installation
- Download source code compilation(
go 1.18or above is required)
Generate program binaries for various system architectures by defaultgit clone git@gitee.com:JD-opensource/sbom-tool.git cd sbom-tool make- Linux X86_64:sbom-tool-linux-amd64
- Linux arm64:sbom-tool-linux-arm64
- Windows X86_64:sbom-tool-windows-amd64.exe
- Windows arm64:sbom-tool-windows-arm64.exe
- MacOS amd64: sbom-tool-darwin-amd64
- MacOS arm64: sbom-tool-darwin-arm64
Subcommands
| subcommand | function |
|---|---|
help |
Help about any command |
artifact |
collect artifact information |
assembly |
assembly sbom document from document segments |
completion |
Generate the autocompletion script for the specified shell |
convert |
convert sbom document format |
env |
build environment info |
fingerprint |
generate code fingerprint |
generate |
generate sbom document |
package |
collect package dependencies |
source |
collect source code information |
validate |
validate sbom document format |
info |
get tool introduction information |
modify |
modify sbom document properties |
Parameter description
| Parameters | Short parameter | describe | Use exampl |
|---|---|---|---|
--log-level |
log level (debug、info、warn、error) |
--log-level info |
|
--log-path |
log output path (default "$home/sbom-tool/sbom-tool.log") | --log-path /tmp/sbom.log |
|
--quiet |
-q |
no console output | --quiet -q |
--ignore-dirs |
dirs to ignore, skip all dot dirs, split by comma. sample: node_modules,logs | --ignore-dirs log,logs |
|
--language |
-l |
programming language (Currently supported:java,cpp)(Default “*”) |
--language java -l cpp |
--parallelism |
-m |
number of parallelism(Default 8) |
--parallelism 4 -m 9 |
--output |
-o |
output file,The result file is produced in the current directory by default. | --output /tmp/sbom.json |
--src |
-s |
project source directory(use project root if empty) (default ".") | --src /tmp/sbomtool/src/ |
--path |
-p |
Specify the project project home directory; the assemble subcommand is used to specify the temporary document path for each phase | --path /tmp/sbomtool/ |
--dist |
-d |
distribution directory (default ".") | --dist /tmp/sbomtool/bin/ |
--format |
-f |
Specify SBOM document format(Currently supported:xspdx-json、spdx-json、spdx-tagvalue )(Default spdx-json) |
--format xspdx-json -f spdx-json |
--input |
-i |
Specify the SBOM document as input | --input /tmp/sbom.jsom |
SBOM Document specification and format
| specification | format | SBOM document format | status |
|---|---|---|---|
XSPDX |
JSON |
xspdx-json |
Supported |
SPDX |
JSON |
spdx-json |
Supported |
SPDX |
TagValue |
spdx-tagvalue |
Supported |
User guide
Generate code fingerprints only based on the source code path
sbom-tool fingerprint -m 4 -s ${src_path} -o fingerprint.json --ignore-dirs .git
Generate an SBOM document and specify the format
sbom-tool generate -m 4 -p ${project_path} -s ${src_path} -d ${dist_path} -o sbom.spdx.json -f spdx-json --ignore-dirs .git -n ${name} -v ${version} -u ${supplier} -b ${namespace}
Get tool introduction information
sbom-tool info
See document for details.
Development guide
See for details Development guide documentation
Problem feedback & contact us
If you encounter problems in use, you are welcome to submit ISSUE to us.
How to Contribute
SBOM-TOOL is a open source software component analysis tool, look forward to your contribution.
License
This project is licensed under MulanPSL2 - see the LICENSE file for details.
Directories
Click to show internal directories.
Click to hide internal directories.