SBOM validator

Project description

SBOMValidate

SBOMValidate is a free, open source tool to validate an SBOM (Software Bill of Materials) against the specifications for SPDX and CycloneDX.

It is intended to be used as part of a continuous integration system to ensure only valid SBOMs are processed.

Installation

To install use the following command:

pip install sbomvalidate

Alternatively, just clone the repo and install dependencies using the following command:

pip install -U -r requirements.txt

The tool requires Python 3 (3.7+). It is recommended to use a virtual Python environment, especially if you are using different versions of Python. virtualenv is a tool for setting up virtual Python environments; it lets you keep all the dependencies for the tool in a single environment, or set up separate environments for testing with different versions of Python.

Usage

usage: sbomvalidate [-h] [-i INPUT_FILE] [--debug] [-V]

SBOMvalidate validates a SBOM.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        Name of SBOM file
  --debug               add debug information

Operation

The --input-file option is used to specify the SBOM to be processed. The format of the SBOM is determined from the filename, according to the following conventions:

SBOM        Format      Filename extension
SPDX        TagValue    .spdx
SPDX        JSON        .spdx.json
SPDX        YAML        .spdx.yaml
SPDX        YAML        .spdx.yml
SPDX        XML         .spdx.xml
SPDX        RDF         .spdx.rdf
CycloneDX   JSON        .json
CycloneDX   XML         .xml

For CycloneDX SBOMs, versions 1.3, 1.4, 1.5 and 1.6 are supported; for SPDX SBOMs, versions 2.2 and 2.3 are supported.

The --debug option is used to provide more information on the validation process. The default is for no information to be reported.

Return Values

The return value indicates the validity of the SBOM:

0 indicates that the SBOM has been validated
1 indicates that the SBOM failed to validate

Example usage

sbomvalidate -i <goodsbomfilename>
echo $?
0
sbomvalidate -i <badsbomfilename>
echo $?
1
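The filename conventions and exit codes above can be wrapped for use in a CI pipeline. The following is an added example, not code from the sbomvalidate project: it maps a filename to the SBOM format exactly as the table lists them (checking the longer SPDX suffixes before the bare .json/.xml ones, since ".spdx.json" also ends in ".json"), then runs sbomvalidate and interprets its return value. The runner parameter is an assumption introduced so the check can be exercised without the tool installed.

```python
import subprocess
import sys
from typing import Callable, List, Optional

# Suffix -> format, taken from the filename convention table. Order matters:
# the SPDX suffixes must be tested before ".json" and ".xml", otherwise an
# SPDX JSON/XML document would be misreported as CycloneDX.
SBOM_FORMATS = (
    (".spdx.json", "SPDX JSON"),
    (".spdx.yaml", "SPDX YAML"),
    (".spdx.yml", "SPDX YAML"),
    (".spdx.xml", "SPDX XML"),
    (".spdx.rdf", "SPDX RDF"),
    (".spdx", "SPDX TagValue"),
    (".json", "CycloneDX JSON"),
    (".xml", "CycloneDX XML"),
)


def detect_sbom_format(filename: str) -> Optional[str]:
    """Return the SBOM format implied by the filename, or None if unrecognised."""
    for suffix, fmt in SBOM_FORMATS:
        if filename.endswith(suffix):
            return fmt
    return None


def _run_cli(cmd: List[str]) -> int:
    """Run a command and return its exit status."""
    return subprocess.run(cmd).returncode


def validate_sbom(filename: str, runner: Callable[[List[str]], int] = _run_cli) -> bool:
    """Run 'sbomvalidate -i <file>'; True when it exits 0 (validated), False on 1.

    Files whose extension matches none of the conventions are rejected up front,
    so a misnamed SBOM never silently passes the pipeline stage.
    """
    if detect_sbom_format(filename) is None:
        raise ValueError("unrecognised SBOM filename extension: %s" % filename)
    # The runner defaults to the real CLI; tests supply a stand-in (assumption).
    return runner(["sbomvalidate", "-i", filename]) == 0


if __name__ == "__main__":
    # Mirror the tool's own contract: exit 0 for a valid SBOM, 1 otherwise.
    sys.exit(0 if validate_sbom(sys.argv[1]) else 1)
```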

Licence

Licenced under the Apache 2.0 Licence.

Limitations

The validation of SPDX SBOMs in RDF, TagValue and XML formats is limited to detecting the presence of key tags in the document.

Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

File details

Details for the file sbomvalidate-0.1.0-py2.py3-none-any.whl.

File metadata

  • Download URL: sbomvalidate-0.1.0-py2.py3-none-any.whl
  • Size: 8.6 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.10.8

File hashes

Hashes for sbomvalidate-0.1.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 0781855a46cc626008c124749ae3cf4922fcddf6eeab37b3f73560040db8a2e5
MD5 cd1208c6f00546139f7066c16034012f
BLAKE2b-256 68983d1906d085b92c6aaa540310d1e606b1b325a88f89adff13de2a0cc69d25
