Create a dependency graph of the components within a SBOM

These details have not been verified by PyPI

Project links

Homepage

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Project description

SBOM2DOT

SBOM2DOT generates a dependency graph of the components within an SBOM (Software Bill of Materials). The format of the graph file is compatible with the DOT language used by the GraphViz application. SBOMs are supported in a number of formats including SPDX and CycloneDX.

Installation

To install use the following command:

pip install sbom2dot

Alternatively, just clone the repo and install dependencies using the following command:

pip install -U -r requirements.txt

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially if you are using different versions of python. virtualenv is a tool for setting up virtual python environments which allows you to have all the dependencies for the tool set up in a single environment, or have different environments set up for testing using different versions of Python.

Usage

usage: sbom2dot [-h] [-i INPUT_FILE] [--debug] [-o OUTPUT_FILE] [-V]

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        Name of SBOM file

Output:
  --debug               add debug information
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)

Operation

The --input-file option is used to specify the SBOM to be processed. The format of the SBOM is determined according to the following filename conventions.

SBOM	Format	Filename extension
SPDX	TagValue	.spdx
SPDX	JSON	.spdx.json
SPDX	YAML	.spdx.yaml
SPDX	YAML	.spdx.yml
CycloneDX	JSON	.json

The --output-file option is used to control the destination of the output generated by the tool. The default is to report to the console but it can be stored in a file (specified using --output-file option). The format of the file is compatible with the DOT language used by the GraphViz application.

Example

Given the following SBOM (flask.spdx)

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: flask
DocumentNamespace: http://spdx.org/spdxdocs/flask-529abb33-fcd0-4d40-9de8-38e97ff00df9
LicenseListVersion: 3.18
Creator: Tool: sbom4python-0.7.0
Created: 2023-01-27T16:16:26Z
CreatorComment: <text>This document has been automatically generated.</text>

PackageName: flask
SPDXID: SPDXRef-Package-1-flask
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/flask@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:flask:2.2.2:*:*:*:*:*:*:*

PackageName: click
SPDXID: SPDXRef-Package-2-click
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 8.0.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/click@8.0.3
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:click:8.0.3:*:*:*:*:*:*:*

PackageName: itsdangerous
SPDXID: SPDXRef-Package-3-itsdangerous
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/itsdangerous@2.1.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:itsdangerous:2.1.2:*:*:*:*:*:*:*

PackageName: jinja2
SPDXID: SPDXRef-Package-4-jinja2
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 3.0.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jinja2@3.0.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.0.2:*:*:*:*:*:*:*

PackageName: markupsafe
SPDXID: SPDXRef-Package-5-markupsafe
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.1
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:markupsafe:2.1.1:*:*:*:*:*:*:*

PackageName: werkzeug
SPDXID: SPDXRef-Package-6-werkzeug
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/werkzeug@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:werkzeug:2.2.2:*:*:*:*:*:*:*
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-2-click
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-3-itsdangerous
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-4-jinja2
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-6-werkzeug
Relationship: SPDXRef-Package-4-jinja2 DEPENDS_ON SPDXRef-Package-5-markupsafe
Relationship: SPDXRef-Package-6-werkzeug DEPENDS_ON SPDXRef-Package-5-markupsafe

The following commands will generate the dependency graph for the SBOM in PNG format.

sbom2dot --input flask.spdx --output flask.dot
dot -Tpng -o flask.png flask.dot

Dependency Graph

Licence

Licenced under the Apache 2.0 Licence.

Limitations

The tool has the following limitations

No output will be generated if there are no relationships defined in the SBOM.
SBOMs in RDF (SPDX) and XML (SPDX and CycloneDX) formats are not supported.
Invalid SBOMs will result in unpredictable results.
The generated dependency graph is likely to be unreadable with a large number of relationships.

Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

Project details

These details have not been verified by PyPI

Project links

Homepage

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

0.3.0

Jul 24, 2023

0.2.1

Mar 27, 2023

0.2.0

Mar 7, 2023

0.1.0

Jan 30, 2023

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

sbom2dot-0.3.0-py2.py3-none-any.whl (6.3 kB view hashes)

Uploaded Jul 24, 2023 Python 2 Python 3

Hashes for sbom2dot-0.3.0-py2.py3-none-any.whl

Hashes for sbom2dot-0.3.0-py2.py3-none-any.whl
Algorithm	Hash digest
SHA256	`58e368fb68abc027d0f823e64b41daadad2440243c6541a5ffa9e87c1f611870`
MD5	`becb10054400ef8e321639744adf2c73`
BLAKE2b-256	`1c4acbecbed3088232957429969f7719989d36d70c49f952b0f09daf43cb5267`