
SBOM tools

Project description

Welcome to sbomtools

WARNING

This package is early in development. May cause warts or indigestion. Save your work. Interfaces subject to change without notice.

This package contains a handful of routines to search and update SBOMs. JSON versions of both CycloneDX and SPDX are supported.

Building

  1. Bump the version in setup.cfg
  2. python3 -m build -w
  3. cd dist
  4. pip3 install the wheel that was produced

Usage

sbomls

usage: sbomls [-h] [-j] [-1] -f FILENAME [components ...]

Where-

  • -j produces JSON entries that match. The JSON will be of the appropriate form for a component for CycloneDX or a package for SPDX.
  • -1 produces a single entry per line. Otherwise, a tabbed list is produced, à la ls(1).
  • -f is the filename of the SBOM to use. Format is automatically detected.
  • one or more components may optionally be named. Wildcards are permitted.

Returns a list of matching components (or all).

sbomgrep

% sbomgrep [-j] search-string [file [file...]]

Results are similar to grep. If no file is specified, stdin will be used.

To search from Python:

from sbomtools import sbom_grep

results = sbom_grep(filename, searchstr, file_pointer, want_json=True)

Where

  • filename is nothing more than a string prefixed to each search result. This is done simply to emulate grep behavior for pretty printing.
  • searchstr is a regex; the SBOM itself is read, as JSON, from file_pointer
  • file_pointer is the successful result of open() or sys.stdin
  • want_json is whether you want the entire entry for each result rather than a printable line.

The function will automatically detect the input format.

results is either a printable string of results or, when want_json is set, a tuple (sbom_type, jsonstring) where sbom_type is either sbomtools.FORMAT_CDX or sbomtools.FORMAT_SPDX.
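The two read-only tools above both rely on the same two steps: work out which of the two JSON formats the document is, then walk its component (CycloneDX) or package (SPDX) list. The script below is an added, self-contained example of that logic, not sbomtools' own code: it sniffs the format from the required top-level keys (bomFormat for CycloneDX, spdxVersion for SPDX), implements a grep-style regex search that inspects string values rather than key names, and an ls-style listing with shell wildcards. The two sample documents and the FORMAT_* constant values are constructed for the example.

```python
import fnmatch
import json
import re
import sys

# Constant values are assumed for this example; sbomtools exports its own.
FORMAT_CDX = "CycloneDX"
FORMAT_SPDX = "SPDX"

# Constructed sample documents (not taken from any real SBOM).
CDX_DOC = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "bom-ref": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "bom-ref": "pkg:pypi/urllib3@1.26.5"},
    ],
}
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests", "versionInfo": "2.25.1"},
        {"SPDXID": "SPDXRef-Package-certifi", "name": "certifi", "versionInfo": "2021.5.30"},
    ],
}


def detect_format(doc):
    """Distinguish CycloneDX from SPDX JSON by the top-level keys each spec requires."""
    if doc.get("bomFormat") == "CycloneDX":
        return FORMAT_CDX
    if "spdxVersion" in doc:
        return FORMAT_SPDX
    raise ValueError("not a CycloneDX or SPDX JSON document")


def _entries(doc):
    """Return (format, list of per-component/per-package dicts)."""
    fmt = detect_format(doc)
    key = "components" if fmt == FORMAT_CDX else "packages"
    return fmt, doc.get(key, [])


def _strings(obj):
    """Yield every string leaf of a JSON value, so the regex sees content, not key names."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)
    elif isinstance(obj, str):
        yield obj


def grep_entries(doc, searchstr, want_json=False):
    """grep-like search: an entry matches if the regex hits any string inside it.
    Returns printable lines, or (format, JSON array of whole entries) if want_json."""
    fmt, entries = _entries(doc)
    rx = re.compile(searchstr)
    hits = [e for e in entries if any(rx.search(s) for s in _strings(e))]
    if want_json:
        return fmt, json.dumps(hits)
    version_key = "version" if fmt == FORMAT_CDX else "versionInfo"
    return "\n".join(f"{e['name']} {e.get(version_key, '')}" for e in hits)


def ls_names(doc, *globs):
    """ls-like listing: all entry names, or only those matching a shell wildcard."""
    _, entries = _entries(doc)
    if globs:
        entries = [e for e in entries
                   if any(fnmatch.fnmatchcase(e["name"], g) for g in globs)]
    return [e["name"] for e in entries]


def grep_file(fp, searchstr, want_json=False):
    return grep_entries(json.load(fp), searchstr, want_json)


if __name__ == "__main__":
    # Usage: script.py REGEX [FILE ...]; reads stdin when no file is given.
    pattern, files = sys.argv[1], sys.argv[2:]
    for fp in [open(f) for f in files] or [sys.stdin]:
        print(grep_file(fp, pattern))
```

The value-only walk in _strings is what makes `^urllib` behave as a user expects; running the regex over the serialized JSON would also match field names such as "version" in every entry.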

sbomupdate

This routine updates an SBOM file by adding a single entry. Again, it works for both SPDX and CycloneDX. For CycloneDX both the components and the dependency refs are updated. For SPDX, packages, relationships, and documentDescribes are updated. N.B., for SPDX, dependencies are given by the package's short name; you don't need to enter the SPDXID.

usage: sbomupdate.py [-h] -f FILENAME -n NAME -v VERSION [-s SUPPLIER] [-e EMAIL] [-u URL]
                 [--sha256 SHA256] [--sha1 SHA1] [--md5 MD5] [-w WEBSITE]
                 [-O | --overwrite | --no-overwrite]
                 [-d DEPENDENCIES [DEPENDENCIES ...]]

Cross-dependencies are not currently supported. However, one can add both entries and then update each referencing one another.

To call from python:

from sbomtools import sbom_update

sbom_update(filename, component_name, version, supplier, email,
            url, sha256, sha1, md5, website, overwrite=False, deps=deps)

Where

  • filename is the name of the SBOM file to update (stdin is not acceptable)
  • component_name is the name of the component to add/update
  • version is the version of that component
  • supplier is the descriptive name of the supplier
  • email is the email of the supplier
  • url is the component URL (the -u option on the command line)
  • sha256, sha1, md5 are the respective hashes
  • website is the homepage of the package
  • overwrite is a flag to indicate whether to overwrite an existing entry
  • deps is an array of dependencies to be added for this package.
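What "updating the refs" and "updating relationships and documentDescribes" amount to is easiest to see on a document. The code below is an added example written for this page, not sbomtools' implementation: it adds one entry to a CycloneDX document (component plus a row in dependencies) and to an SPDX document (package, DEPENDS_ON relationships, documentDescribes), resolving dependencies given by short name, and raising the AlreadyExists / PackageNotFound conditions the page lists. The bom-ref and SPDXID naming schemes, the sample documents and the exception classes are assumptions of the example.

```python
import copy
import json


class AlreadyExists(Exception):
    """An entry with this name is present and overwrite was not requested."""


class PackageNotFound(Exception):
    """A dependency was named by short name but is not in the SBOM."""


# Constructed minimal documents (not from any real SBOM).
CDX_DOC = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"type": "library", "name": "urllib3", "version": "1.26.5",
                    "bom-ref": "urllib3@1.26.5"}],
    "dependencies": [{"ref": "urllib3@1.26.5", "dependsOn": []}],
}
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"SPDXID": "SPDXRef-Package-urllib3", "name": "urllib3",
                  "versionInfo": "1.26.5"}],
    "relationships": [],
    "documentDescribes": ["SPDXRef-Package-urllib3"],
}


def _find(entries, name):
    return next((e for e in entries if e["name"] == name), None)


def cdx_add(doc, name, version, deps=(), overwrite=False, **fields):
    """Add or replace a CycloneDX component and its row in 'dependencies'.
    deps are short names, resolved to the bom-refs already in the document."""
    comps = doc.setdefault("components", [])
    existing = _find(comps, name)
    if existing is not None and not overwrite:
        raise AlreadyExists(name)
    ref = f"{name}@{version}"            # assumed bom-ref scheme for this example
    dep_refs = []
    for dep in deps:
        target = _find(comps, dep)
        if target is None:
            raise PackageNotFound(dep)
        dep_refs.append(target["bom-ref"])
    if existing is not None:
        # Replace: drop the old component and its own dependency row.
        # Rows of other components that point at the old ref are left alone here.
        comps.remove(existing)
        doc["dependencies"] = [d for d in doc.get("dependencies", [])
                               if d["ref"] != existing["bom-ref"]]
    comps.append({"type": "library", "name": name, "version": version,
                  "bom-ref": ref, **fields})
    doc.setdefault("dependencies", []).append({"ref": ref, "dependsOn": dep_refs})
    return doc


def spdx_add(doc, name, version, deps=(), overwrite=False, **fields):
    """Add or replace an SPDX package, its DEPENDS_ON relationships and its
    documentDescribes entry. deps are short names, not SPDXIDs."""
    pkgs = doc.setdefault("packages", [])
    existing = _find(pkgs, name)
    if existing is not None and not overwrite:
        raise AlreadyExists(name)
    spdxid = f"SPDXRef-Package-{name}"   # assumed SPDXID scheme for this example
    dep_ids = []
    for dep in deps:
        target = _find(pkgs, dep)
        if target is None:
            raise PackageNotFound(dep)
        dep_ids.append(target["SPDXID"])
    if existing is not None:
        pkgs.remove(existing)
        doc["relationships"] = [r for r in doc.get("relationships", [])
                                if r["spdxElementId"] != existing["SPDXID"]]
    pkgs.append({"SPDXID": spdxid, "name": name, "versionInfo": version,
                 "downloadLocation": "NOASSERTION", **fields})
    doc.setdefault("relationships", []).extend(
        {"spdxElementId": spdxid, "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": d} for d in dep_ids)
    describes = doc.setdefault("documentDescribes", [])
    if spdxid not in describes:
        describes.append(spdxid)
    return doc


if __name__ == "__main__":
    cdx = cdx_add(copy.deepcopy(CDX_DOC), "requests", "2.25.1", deps=["urllib3"])
    print(json.dumps(cdx["dependencies"], indent=1))
    spdx = spdx_add(copy.deepcopy(SPDX_DOC), "requests", "2.25.1", deps=["urllib3"])
    print(json.dumps(spdx["relationships"], indent=1))
```

Resolving dependencies by short name is also why the cross-dependency caveat below exists: a dependency has to be present before it can be referenced, so two entries that depend on each other are added first and then each is re-added with overwrite to attach the reference.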

sbomrm

This routine removes one or more SBOM entries. Once again, it is format neutral. Note that it tries to disentangle SPDX dependencies, and will do so only for the DEPENDENCY_OF and DEPENDS_ON relationships. The other relationship types are TBD.

usage: sbomrm [-h] -f FILENAME [-r | --recurse | --no-recurse]
               NAME [NAME ...]

This one works with cross-dependencies, if you use -r. Heh.

To call from python:

from sbomtools import sbom_rm

sbom_rm(filename, component_name, recurse)

Where

  • filename is the name of the SBOM file to act on
  • component_name is the name of the component to remove
  • recurse says to also remove the packages that depend on this component (-r on the command line)

The following exceptions are defined:

  • PackageNotFound: you tried to edit/remove a package that wasn't present.
  • DependencyNotMet: you tried to remove something that other packages depend on, and you didn't use -r.
  • AlreadyExists: you tried to add an entry that already exists, and you didn't use -O.
  • FileFormatError: there is something wrong with the JSON or the SBOM.
  • UnknownError: something weird happened. Open an Issue ;-(
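The subtle part of sbomrm is the SPDX dependency graph: the same edge can be written either as "X DEPENDS_ON Y" or as "Y DEPENDENCY_OF X", so finding what depends on a package means reading both spellings, and a recursive removal over a cross-dependency must terminate. The script below is an added example for this page, not sbomtools' code; it removes an SPDX package, refuses with DependencyNotMet when something still depends on it and recurse is off, and, with recurse on, removes the dependents as well. Only DEPENDS_ON and DEPENDENCY_OF edges are cleaned up, matching the page's stated limit; the sample document and exception classes are constructed for the example.

```python
import copy


class PackageNotFound(Exception):
    """The named package is not in the SBOM."""


class DependencyNotMet(Exception):
    """Other packages depend on this one and recurse was not requested."""


# The only relationship types untangled here (the others are left in place).
DEP_TYPES = {"DEPENDS_ON", "DEPENDENCY_OF"}

# Constructed sample: app depends on lib, and lib depends on util, the second
# edge being written in the DEPENDENCY_OF direction.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "app", "versionInfo": "1.0"},
        {"SPDXID": "SPDXRef-Package-lib", "name": "lib", "versionInfo": "2.0"},
        {"SPDXID": "SPDXRef-Package-util", "name": "util", "versionInfo": "0.9"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lib"},
        {"spdxElementId": "SPDXRef-Package-util", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-lib"},
    ],
    "documentDescribes": ["SPDXRef-Package-app"],
}


def _id_of(doc, name):
    for p in doc.get("packages", []):
        if p["name"] == name:
            return p["SPDXID"]
    raise PackageNotFound(name)


def _name_of(doc, spdxid):
    return next((p["name"] for p in doc.get("packages", [])
                 if p["SPDXID"] == spdxid), None)


def dependents_of(doc, spdxid):
    """SPDXIDs of packages that depend on spdxid, reading both edge directions:
    'X DEPENDS_ON spdxid' and 'spdxid DEPENDENCY_OF X' both mean X depends on it."""
    out = set()
    for r in doc.get("relationships", []):
        t = r["relationshipType"]
        if t == "DEPENDS_ON" and r["relatedSpdxElement"] == spdxid:
            out.add(r["spdxElementId"])
        elif t == "DEPENDENCY_OF" and r["spdxElementId"] == spdxid:
            out.add(r["relatedSpdxElement"])
    return out


def spdx_rm(doc, name, recurse=False):
    """Remove a package; with recurse, also remove everything that depends on it."""
    spdxid = _id_of(doc, name)
    dependents = dependents_of(doc, spdxid)
    if dependents and not recurse:
        raise DependencyNotMet(f"{sorted(dependents)} depend on {name}; pass recurse=True")
    # Drop the package and its dependency edges before recursing, so a
    # cross-dependency (A <-> B) terminates instead of bouncing forever.
    doc["packages"] = [p for p in doc["packages"] if p["SPDXID"] != spdxid]
    doc["documentDescribes"] = [i for i in doc.get("documentDescribes", []) if i != spdxid]
    doc["relationships"] = [
        r for r in doc.get("relationships", [])
        if r["relationshipType"] not in DEP_TYPES
        or spdxid not in (r["spdxElementId"], r["relatedSpdxElement"])
    ]
    for dep_id in dependents:
        dep_name = _name_of(doc, dep_id)
        if dep_name is not None:          # may already be gone via another path
            spdx_rm(doc, dep_name, recurse=True)
    return doc


if __name__ == "__main__":
    left = spdx_rm(copy.deepcopy(SPDX_DOC), "util", recurse=True)
    print([p["name"] for p in left["packages"]])
```

Note that the DESCRIBES relationship from the document to the removed app package survives; that is the "other relationships are TBD" gap mentioned above, and a consumer validating the output should expect such dangling references until those types are handled too.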


Download files


Source Distribution

sbomtools-0.3.3.tar.gz (11.8 kB, source)

Built Distribution

sbomtools-0.3.3-py3-none-any.whl (15.1 kB, Python 3)

File details

Details for the file sbomtools-0.3.3.tar.gz.

File metadata

  • Download URL: sbomtools-0.3.3.tar.gz
  • Size: 11.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.10.1 pkginfo/1.8.2 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.15

File hashes

Hashes for sbomtools-0.3.3.tar.gz
Algorithm Hash digest
SHA256 04340169e5578cbd8765d1e41cf4ad0053e4f700157cd242171de3a078f7366a
MD5 7820fc8340a1f30a1d6da38380c333bc
BLAKE2b-256 7eb9f13f671dd3e4a18539e7e5d297e47cabab6cc5fcf3b1029e672981232281
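Before installing either file, recompute the digest of what you actually downloaded and compare it with the value listed here; a mirror or proxy in the path can hand you a different archive than the index describes. The script below is an added example for this page, not part of sbomtools: the constant is the sdist SHA256 listed above, the file path is taken from the command line, and the comparison is constant-time so the check is safe to reuse in automation.

```python
import hashlib
import hmac
import sys

# SHA256 listed on this page for sbomtools-0.3.3.tar.gz.
SBOMTOOLS_0_3_3_SDIST_SHA256 = (
    "04340169e5578cbd8765d1e41cf4ad0053e4f700157cd242171de3a078f7366a"
)


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hex digest of a file, read in chunks so large archives need little memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fp:
        for chunk in iter(lambda: fp.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, expected_hex, algorithm="sha256"):
    """True if the file's digest equals expected_hex (case-insensitive, constant-time)."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.lower())


if __name__ == "__main__":
    # Usage: script.py [PATH]; defaults to the sdist name used on this page.
    path = sys.argv[1] if len(sys.argv) > 1 else "sbomtools-0.3.3.tar.gz"
    ok = verify_digest(path, SBOMTOOLS_0_3_3_SDIST_SHA256)
    print("OK" if ok else "MISMATCH", path)
    sys.exit(0 if ok else 1)
```

Compare against the SHA256 or BLAKE2b column, not MD5: MD5 collisions are practical and the column is only there for legacy consumers. For a pinned install, pip does the same check itself with `pip install --require-hashes -r requirements.txt` and a line of the form `sbomtools==0.3.3 --hash=sha256:<digest>`.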


File details

Details for the file sbomtools-0.3.3-py3-none-any.whl.

File metadata

  • Download URL: sbomtools-0.3.3-py3-none-any.whl
  • Size: 15.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.10.1 pkginfo/1.8.2 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.15

File hashes

Hashes for sbomtools-0.3.3-py3-none-any.whl
Algorithm Hash digest
SHA256 234f23c1a8373303bab740e3cab1ebdfe9abfb89f06f8d19a4e9bddb7fff1b51
MD5 ba949eddf1b6d49d5e525affa6bbea14
BLAKE2b-256 847c6b9099d7a9d22999e0992011e1ff0d8e9a0401951d424b8b138eb2c2bc5e

