A tool for generating and managing Software Bill of Materials (SBOM).

Project description

Mobster

The Mobster project is a Python-based tool and ecosystem for working with SBOM (Software Bill of Materials) documents. Its goal is to provide a unified interface for generating, manipulating and consuming SBOM documents in various formats.

The tool is designed to cover the whole lifecycle of SBOM documents. The major stages are:

  • Generation: Generate SBOM documents from various sources (Syft, Hermeto, etc.)
  • Augmentation: Augment SBOM documents with additional information that is not available at generation time. This is usually done in the release phase, when more is known about the software.
  • Validation: Validate the quality of the SBOM document at different stages of the lifecycle. Validation follows the Product Security team guidelines.
  • Distribution: Distribute the SBOM document to a set of locations (e.g. Trusted Profile Analyzer, container registry, etc.)

Getting started

To use the Mobster tool, you need to install it first. There are multiple ways to install the tool:

Using pip

pip install mobster
mobster --help

Using container image

podman pull quay.io/konflux-ci/mobster:latest
podman run -it quay.io/konflux-ci/mobster:latest mobster --help

Additional dependencies

Some features of Mobster require additional dependencies installed outside of the Python ecosystem. To use those features, you need to install the following tools:

  • oras: Used for pushing and pulling SBOM documents to/from OCI registries.
  • cosign: Used for signing and verifying SBOM documents in OCI registries.
  • syft: Used for generating SBOM documents from container images and filesystems.

Usage

# Generate an SBOM for an OCI image (merging Syft and Hermeto outputs)
mobster generate --output sbom.json oci-image \
  --from-syft syft-sbom.json \
  --image-pullspec registry.example.com/repo:tag \
  --image-digest sha256:<digest>

# Augment SBOMs for all images in a snapshot
mobster augment --output sboms/ oci-image --snapshot snapshot.json

# Upload a single SBOM to Trusted Profile Analyzer
mobster upload tpa \
  --tpa-base-url https://your-tpa-instance.com \
  --file sbom.json

# See all available commands and options
mobster --help
mobster generate --help
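The augmentation stage that the `--image-pullspec` and `--image-digest` options feed, shown here as an added illustration that is not Mobster's own code and does not reproduce its output format: a minimal SPDX 2.3 document (constructed inline) is stamped with the release-time image reference as a `pkg:oci` purl on the package the document describes, and a small validation check then confirms the image is pinned by digest rather than only by tag. The function names, the digest pattern and the sample document are assumptions made for this example.

```python
import copy
import json
import re
from urllib.parse import quote

# Constructed sample input: a minimal SPDX 2.3 document as a build-time
# generator might emit it, before the image pullspec and digest are known.
# Not a real Mobster artifact.
EXAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "app-image",
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "app", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-pkg-openssl", "name": "openssl", "versionInfo": "3.0.13",
         "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-image"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-pkg-openssl"},
    ],
}

# Assumed shape of an OCI image digest: "sha256:" plus 64 lowercase hex digits.
IMAGE_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def oci_purl(pullspec: str, digest: str) -> str:
    """Build a purl of type 'oci' (name@digest, repository_url and tag qualifiers)."""
    if not IMAGE_DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed image digest: {digest!r}")
    path, _, last = pullspec.rpartition("/")
    ref = last.split("@", 1)[0]        # drop any digest already present in the pullspec
    name, _, tag = ref.partition(":")  # a registry port, if any, lives in `path`, not here
    repository_url = f"{path}/{name}" if path else name
    purl = f"pkg:oci/{name}@{quote(digest, safe='')}?repository_url={repository_url}"
    if tag:
        purl += f"&tag={tag}"
    return purl


def described_package_ids(sbom: dict) -> set:
    """IDs of the packages the document describes (DESCRIBES relationships, then the legacy field)."""
    ids = {
        r["relatedSpdxElement"]
        for r in sbom.get("relationships", [])
        if r.get("spdxElementId") == sbom["SPDXID"] and r.get("relationshipType") == "DESCRIBES"
    }
    ids.update(sbom.get("documentDescribes", []))
    return ids


def augment_spdx(sbom: dict, pullspec: str, digest: str) -> dict:
    """Return a copy of `sbom` whose described package(s) carry the release-time image purl."""
    out = copy.deepcopy(sbom)  # leave the build-time document untouched
    targets = described_package_ids(out)
    if not targets:
        raise ValueError("document describes no package; nothing to augment")
    purl = oci_purl(pullspec, digest)
    for pkg in out["packages"]:
        if pkg["SPDXID"] in targets:
            pkg.setdefault("externalRefs", []).append({
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": purl,
            })
    return out


def image_purls(sbom: dict) -> list:
    """All pkg:oci purls attached to the described package(s)."""
    targets = described_package_ids(sbom)
    return [
        ref["referenceLocator"]
        for pkg in sbom["packages"] if pkg["SPDXID"] in targets
        for ref in pkg.get("externalRefs", [])
        if ref.get("referenceType") == "purl" and ref["referenceLocator"].startswith("pkg:oci/")
    ]


def has_pinned_image(sbom: dict) -> bool:
    """Validation check: the described image is identified by a digest, not only a mutable tag."""
    return any("@sha256%3A" in p for p in image_purls(sbom))


if __name__ == "__main__":
    augmented = augment_spdx(EXAMPLE_SBOM, "registry.example.com/team/app:1.2.3",
                             "sha256:" + "ab" * 32)
    print(json.dumps(augmented, indent=2))
```

The check in `has_pinned_image` is the kind of rule a validation stage applies: a tag can be re-pointed after release, so an SBOM that only names a tag cannot be tied back to the exact image that shipped, whereas the digest is immutable.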

Context within Konflux

Mobster is a tool used for creating both Build-time and Release-time SBOMs.

  • Build-time SBOM creation is invoked in the konflux-ci/build-definitions repository.
  • Release-time SBOM creation is invoked through Tekton tasks (in the tasks/ dir) that are distributed to and used in the konflux-ci/release-service-catalog repository.
  • Build-time SBOMs can be contextualized. For builder-content contextualization, Mobster requires the metadata output from konflux-ci/capo.

Contributing

See CONTRIBUTING.md for environment setup, running checks, and submitting a pull request.

Download files

Source Distribution

  • mobster-2.1.0.tar.gz (111.4 kB), uploaded as Source

Built Distribution

  • mobster-2.1.0-py3-none-any.whl (146.6 kB), uploaded for Python 3

File details

Details for the file mobster-2.1.0.tar.gz.

File metadata

  • Download URL: mobster-2.1.0.tar.gz
  • Size: 111.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mobster-2.1.0.tar.gz

  • SHA256: 203f421afce458b29596b45b904aecf0678b3df391f4a29dac7979bc564f7e18
  • MD5: d1e8df1f65992c472abf9556a5dad655
  • BLAKE2b-256: 3e8fbdc5bf9f8e5d461dbe9aad8f28516c0d11f1b7eecc24bc693f654a01306e

Provenance

The following attestation bundles were made for mobster-2.1.0.tar.gz:

Publisher: release.yaml on konflux-ci/mobster

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mobster-2.1.0-py3-none-any.whl.

File metadata

  • Download URL: mobster-2.1.0-py3-none-any.whl
  • Size: 146.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mobster-2.1.0-py3-none-any.whl

  • SHA256: e98daf08c0abe9d36de3e2670588090fd3036e288c1c0c824ea7b9fff2f0ffaf
  • MD5: dc43c5ecf5751173e652adbd53f79d4c
  • BLAKE2b-256: 0c5abd9e659eb0be548cae52d0669b1138740263ccc87cc05cc862aeed4a6e66

Provenance

The following attestation bundles were made for mobster-2.1.0-py3-none-any.whl:

Publisher: release.yaml on konflux-ci/mobster

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
