SBOM generator for Python modules
Project description
SBOM2DOC
SBOM2DOC documents and summarises the components within an SBOM (Software Bill of Materials). SBOMS are supported in a number of formats including SPDX and CycloneDX.
Installation
To install use the following command:
pip install sbom2doc
Alternatively, just clone the repo and install dependencies using the following command:
pip install -U -r requirements.txt
The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. virtualenv
is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.
Usage
usage: sbom2doc [-h] [-i INPUT_FILE] [--debug] [-f {console,markdown,pdf}] [-o OUTPUT_FILE] [-V]
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
Input:
-i INPUT_FILE, --input-file INPUT_FILE
Name of SBOM file
Output:
--debug add debug information
-f {console,markdown,pdf}, --format {console,markdown,pdf}
Output format (default: output to console)
-o OUTPUT_FILE, --output-file OUTPUT_FILE
output filename (default: output to stdout)
Operation
The --input-file
option is used to specify the SBOM to be processed. The format of the SBOM is determined according to
the following filename conventions.
SBOM | Format | Filename extension |
---|---|---|
SPDX | TagValue | .spdx |
SPDX | JSON | .spdx.json |
SPDX | YAML | .spdx.yaml |
SPDX | YAML | .spdx.yml |
CycloneDX | JSON | .json |
The --output-file
option is used to control the destination of the output generated by the tool. The
default is to report to the console but it can be stored in a file (specified using --output-file
option).
Example
Given the following SBOM (flask.spdx)
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: flask
DocumentNamespace: http://spdx.org/spdxdocs/flask-529abb33-fcd0-4d40-9de8-38e97ff00df9
LicenseListVersion: 3.18
Creator: Tool: sbom4python-0.7.0
Created: 2023-01-27T16:16:26Z
CreatorComment: <text>This document has been automatically generated.</text>
PackageName: flask
SPDXID: SPDXRef-Package-1-flask
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/flask@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:flask:2.2.2:*:*:*:*:*:*:*
PackageName: click
SPDXID: SPDXRef-Package-2-click
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 8.0.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/click@8.0.3
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:click:8.0.3:*:*:*:*:*:*:*
PackageName: itsdangerous
SPDXID: SPDXRef-Package-3-itsdangerous
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/itsdangerous@2.1.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:itsdangerous:2.1.2:*:*:*:*:*:*:*
PackageName: jinja2
SPDXID: SPDXRef-Package-4-jinja2
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 3.0.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jinja2@3.0.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.0.2:*:*:*:*:*:*:*
PackageName: markupsafe
SPDXID: SPDXRef-Package-5-markupsafe
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.1
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:markupsafe:2.1.1:*:*:*:*:*:*:*
PackageName: werkzeug
SPDXID: SPDXRef-Package-6-werkzeug
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/werkzeug@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:werkzeug:2.2.2:*:*:*:*:*:*:*
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-2-click
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-3-itsdangerous
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-4-jinja2
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-6-werkzeug
Relationship: SPDXRef-Package-4-jinja2 DEPENDS_ON SPDXRef-Package-5-markupsafe
Relationship: SPDXRef-Package-6-werkzeug DEPENDS_ON SPDXRef-Package-5-markupsafe
The following commands will generate a summary of the contents of the SBOM to the console.
sbom2doc --input flask.spdx
╭──────────────╮
│ SBOM Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Item ┃ Details ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━┩
│ SBOM File │ /tmp/flask.spdx │
│ SBOM Type │ spdx │
│ Version │ SPDX-2.2 │
│ Name │ flask │
│ Creator │ Tool:sbom4python-0.7.0 │
│ Created │ 2023-01-30T18:10:18Z │
│ Files │ 0 │
│ Packages │ 6 │
│ Relationships │ 7 │
└───────────────┴────────────────────────┘
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Name ┃ Version ┃ Supplier ┃ License ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ flask │ 2.2.2 │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ click │ 8.0.3 │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ itsdangerous │ 2.1.2 │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ jinja2 │ 3.0.2 │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ markupsafe │ 2.1.1 │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ werkzeug │ 2.2.2 │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
└──────────────┴─────────┴──────────────────────────────────────────────┴──────────────┘
╭─────────────────╮
│ License Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━┓
┃ License ┃ Count ┃
┡━━━━━━━━━━━━━━╇━━━━━━━┩
│ BSD-3-Clause │ 6 │
└──────────────┴───────┘
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┓
┃ Element ┃ Status ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━┩
│ All file information provided? │ True │
│ All package information provided? │ True │
│ Creator identified? │ True │
│ Creation time identified? │ True │
│ Dependency relationships provided? │ True │
└────────────────────────────────────┴────────┘
NTIA conformant True
Licence
Licenced under the Apache 2.0 Licence.
Limitations
The tool has the following limitations
-
SBOMs in RDF (SPDX) and XML (SPDX and CycloneDX) formats are not supported.
-
Invalid SBOMs will result in unpredictable results.
Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for sbom2doc-0.1.1-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d4519a587cde04a6d62809a8443373c0d0dd888ff5bc1675b4b6ca9025fb04f6 |
|
MD5 | 7bc443365d75e6d2d7ad9bd335a42dcc |
|
BLAKE2b-256 | d6be49286072ab121803e9ffd951929e58140d0c10e150cfa6882975d26030cd |