sbomac 0.1.0

Simple SBOM generator

SBOMac

The SBOMac is a free, open source tool to generate a SBOM (Software Bill of Materials) from a simple YAML in a number of formats including SPDX and CycloneDX.

The YAML can specify hardware, software applications and service elements. The dependencies between the elements is indicated by the structure of the YAML file.

Installation

To install use the following command:

pip install sbomac

Alternatively, just clone the repo and install dependencies using the following command:

pip install -U -r requirements.txt

The tool requires Python 3 (3.9+). It is recommended to use a virtual python environment especially if you are using different versions of python. virtualenv is a tool for setting up virtual python environments which allows you to have all the dependencies for the tool set up in a single environment, or have different environments set up for testing using different versions of Python.

Usage

usage: sbomac [-h] [-i INPUT_FILE] [--name NAME] [-d] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [--type {design,source,build}] [-o OUTPUT_FILE] [-V]

SBOMac generates a Software Bill of Materials for the items specified in a simple YAML file. Different types of SBOMs can be generated based on the content.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        identity of sbom definition file
  --name NAME           specify name of system

Output:
  -d, --debug           add debug information
  --sbom {spdx,cyclonedx}
                        specify type of sbom to generate (default: spdx)
  --format {tag,json,yaml}
                        specify format of software bill of materials (sbom) (default: tag)
  --type {design,source}
                        specify type of software bill of materials (sbom) to create (default: design)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)

Operation

The --name option is used to identify the name of the system or application which the SBOM represents. This parameter is mandatory.

The --input-file option is used to specify the name of the YAML file containing the definition of the system or application. This parameter is mandatory.

The --type option is used to specify the type of of the generated SBOM (the default is 'Design'). This option is used to specify the lifecycle which the YAML file represents.

The --sbom option is used to specify the format of the generated SBOM (the default is SPDX). The --format option can be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both SPDX and CycloneDX SBOMs).

The --output-file option is used to control the destination of the output generated by the tool. The default is to report to the console but can be stored in a file (specified using --output-file option).

YAML file format

The format of the YAML file is as follows:

# Example yaml file
name: Design SBOM
version: 1.0
summary: This is an example for creating a design SBOM
author: APH
email: aph@aph10.com
supplier: ACME Inc
element:
- name: Payment System
  type: system
  element:
    - name: Platform
      type: hardware
      element:
      - name: Network
        type: hardware
        description: 10GB
      - name: Storage
        type: hardware
        description: At least 500GB
      - name: Memory
        type: hardware
        description: At least 64GB
    - name: OS
      type: operating_system
      description: An embedded OS
      element:
      - name: Database
        type: application
        description: A SQL database
        product: SQLlite
        comment: Version should be at least 3.0
      - name: Awesome Application
        type: software
        description: A payment processor
        element:
        - name: Payment Service
          type: service
          vendor: Stripe
          description: An external service provider

The file consists of some file metadata (name, version, summary) together with deatils of the author, email address and the supplier.

Elements are indicated by the element item. An element can have the following attributes

• name. This is the name of the element. This is mandatory.
• type. This is the type of element. This is mandatory. Valid types are 'system', 'hardware', 'software', 'application', 'operating-system', 'service', 'file'.
• description. This is a brief description of the element being defined.
• version. This is used where a specific version of the element can be identified.
• vendor. This is the provider of the element.
• comment. This is used to provide any other supporting information to be included in the generated SBOM.

The hieracrchy of depedencies is indicated by approaiate indentation of the elements within the YAML file.

Licence

Licenced under the Apache 2.0 Licence.

The tool uses a local copy of the SPDX Licenses List which is released under Creative Commons Attribution 3.0 (CC-BY-3.0).

Limitations

This tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the data which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool are therefore reminded that they should assert the quality of any data which is provided to the tool.

When processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct SPDX License Identifiers. However, the user of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.

Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.