SBOMs quality validator for Open Source License Compliance.
Project description
OSSBOMER is a CLI tool designed to validate Software Bill of Materials (SBOMs) for quality, compliance, and metadata integrity. It supports SPDX and CycloneDX formats.
Features
License Validation: Checks components in the SBOM for blocked, weak-copyleft, or unknown licenses.
PURL Validation: Flags problematic Package URLs (PURLs) based on exact matches or regex patterns.
Schema Validation: Ensures SBOMs conform to their respective schema (SPDX or CycloneDX) and NTIA requirements.
Metadata Validation: Verifies the presence of essential metadata such as SPDX IDs and creation timestamps.
Dataset Management: - Updates license rules and package signatures from remote sources. - Provides an inventory of dataset versions.
Installation
Clone the repository:
git clone https://github.com/your-org/ossbomer.git cd ossbomerInstall the package:
pip install .Verify the installation:
ossbomer --help
Usage
Validate an SBOM
Validate an SBOM for quality and compliance:
ossbomer validate <path-to-sbom>Example
ossbomer validate samples/example-sbom.jsonOutput
* Checking licenses... Blocked license detected for component 'insecure-package': GPL-3.0 * Checking PURLs... Warning: Problematic PURL detected - pkg:deb/example-package@1.0.0?distro=debian * Validating schema and metadata... * Validation complete!
Update Datasets
Update license rules and package signatures from remote sources:
ossbomer updateOutput
Datasets updated successfully!
Show Version
Display the current version of OSSBOMER:
ossbomer versionView Dataset Inventory
Display an inventory of dataset files and their versions:
ossbomer inventoryLicense
OSSBOMER is licensed under the Apache-2.0 License. See the LICENSE file for details.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ossbomer-0.1.4.tar.gz.
File metadata
- Download URL: ossbomer-0.1.4.tar.gz
- Upload date:
- Size: 44.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.13.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b14be5545aa3f76200fe6271d642b6252e38b6f50097ce2d98586adfa62a6774
|
|
| MD5 |
a95ecc359548c47da1ed5cfc4d300f9c
|
|
| BLAKE2b-256 |
581b4ec3c002d8be05f10eaddefdd84e5fe74630a52d663e24f097132f736072
|
File details
Details for the file ossbomer-0.1.4-py3-none-any.whl.
File metadata
- Download URL: ossbomer-0.1.4-py3-none-any.whl
- Upload date:
- Size: 47.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.13.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
999142afe20703100e155302a6d29c03b7696a5d90924da60463cf645638d1a9
|
|
| MD5 |
1abe75b0fc162a093ec1db6ac3547c29
|
|
| BLAKE2b-256 |
7bccfe93f1286c14cc0e515799d7453d14252eccc255286413f08bd5913f9921
|
