A tool for generating and managing Software Bill of Materials (SBOM).

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for araszka from gravatar.com araszka

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Ales Raszka
  • Tags sbom , spdx , cyclonedx , security
  • Requires: Python <4.0, >=3.10
Classifiers
Report project as malware

Project description

Mobster

The Mobster project is a Python-based tool and ecosystem to work with SBOM (Software Bill of Materials) documents. Its goal is to provide unified interface for generating, manipulating and consuming SBOM documents in various formats.

The tools is designed to cover a whole lifecycle of SBOM documents. The major stages are:

  • Generation: Generate SBOMs document from various sources (Syft, Hermeto, etc.)
  • Augmentation: Augment SBOM documents with additional information that are not present in the phase of generation. This phase is usually done in the release phase where we know more information about the software.
  • Validation: Validate a quality of the SBOM document in different stages of the lifecycle. The validation is done by the Product Security team guidelines.
  • Distribution: Distribute the SBOM document to various set of locations (e.g. Trusted Profile Analyzer, container registry, etc.)

Getting started

To use the Mobster tool, you need to install it first. There are multiple ways to isnstall the tool:

Using pip

pip install mobster
mobster --help

Using container image

podman pull quay.io/konflux-ci/mobster:latest
podman run -it quay.io/konflux-ci/mobster:latest mobster --help

Additional dependencies

Some features of Mobster require additional dependencies to be installed outside of Python ecosystem. To use those features, you need to install the following tools:

  • oras: Used for pushing and pulling SBOM documents to/from OCI registries.
  • cosign: Used for signing and verifying SBOM documents in OCI registries.
  • syft: Used for generating SBOM documents from container images and filesystems.

Development environment

Follow an instruction in the development-environment.md file to set up your development environment.

Contributing

We welcome contributions to the Mobster project! If you would like to contribute, please follow these steps:

  1. Fork the repository
  2. Create a new branch for your feature or bug fix
  3. Make your changes and commit them with a clear message (following the conventional commit format) (e.g. feat: add new feature or fix: fix a bug)
  4. Open a pull request to the main repository
  5. Make sure the CI checks pass and the code is properly formatted
  6. Wait for the review and address any comments or suggestions
  7. Once your changes are approved, they will be merged into the main branch
  8. Congratulations! You have successfully contributed to the Mobster project

Release process

The release process is automated using GitHub Actions and Konflux. The process is described in detail in the release.md file.

Documentation

The documentation for the Mobster project is available at the Mobster Gitbub pages.

License

This project is licensed under the Apache License 2.0. See the LICENSE file for details.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for araszka from gravatar.com araszka

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Ales Raszka
  • Tags sbom , spdx , cyclonedx , security
  • Requires: Python <4.0, >=3.10
Classifiers

Release history Release notifications | RSS feed

This version

2.0.0

1.2.0

1.1.0

1.0.0

0.7.0

0.6.0

0.5.0

0.4.0

0.3.0

0.2.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mobster-2.0.0.tar.gz (105.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mobster-2.0.0-py3-none-any.whl (138.7 kB view details)

Uploaded Python 3

File details

Details for the file mobster-2.0.0.tar.gz.

File metadata

  • Download URL: mobster-2.0.0.tar.gz
  • Upload date:
  • Size: 105.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mobster-2.0.0.tar.gz
Algorithm Hash digest
SHA256 00e0d47df82ff319cf0efd28308c6425685e1fcf93a4cb4d08af70296ec1cbbc
MD5 f1232245fd84001371ec4cc7e97d2d78
BLAKE2b-256 2e1d83e6e71490d3cf58ac2e12152ac08501d0bfb60c87e8b99167d1316f1ba8

See more details on using hashes here.

Provenance

The following attestation bundles were made for mobster-2.0.0.tar.gz:

Publisher: release.yaml on konflux-ci/mobster

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mobster-2.0.0-py3-none-any.whl.

File metadata

  • Download URL: mobster-2.0.0-py3-none-any.whl
  • Upload date:
  • Size: 138.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mobster-2.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a893d86c70f2f5287f064f50b72951722e8d58c2c53c4acd613573a54b72c354
MD5 7e4044f4aa3ad583e5f31350a0a531d2
BLAKE2b-256 cc6c41d8fed5bcb866f35b665e66e2b078f1da9945883367a9d6632919c15a3c

See more details on using hashes here.

Provenance

The following attestation bundles were made for mobster-2.0.0-py3-none-any.whl:

Publisher: release.yaml on konflux-ci/mobster

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page