WS SBOM Generator in SPDX format
Project description
Mend SBOM Generator
This tool generates SBOM reports in either SPDX or CycloneDX formats, for specified projects.
The tool can be executed either via CLI or as a Docker container.
Note: This tool utilizes a forked package of spdx-tools.
SBOM Generator CLI
Supported Operating Systems
- Linux (Bash): CentOS, Debian, Ubuntu, RedHat
- Windows (PowerShell): 10, 2012, 2016
Prerequisites
- Python 3.8 or later
- Mend user with admin permissions
Note:
The specified user (-u, --userKey) must be associated with a group assigned as either Organization Administrators (for generating report for all projects in the organization) or Product Administrators. For the latter,--tokenTypemust be specified (see Command-Line Arguments).
Installation
-
Install the PyPI package
ws-sbom-generatorpip install ws-sbom-generatorNote: Depending on whether the package was installed as a root user or not, you need to make sure the package installation location was added to the
$PATHenvironment variable. -
Update the creation info as needed in the resource/sbom_extra.json file:
{ "namespace": "http://CreatorWebsite/pathToSpdx/DocumentName-UUID", "org_email": "org@domain.com", "person": "First Last", "person_email": "first.last@domain.com" }
Usage
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type $FORMAT --out $HOME/reports --extra resources/sbom_extra.json
Command-Line Arguments
| Parameter | Type | Required | Description |
|---|---|---|---|
| ‑h, ‑‑help | switch | No | Show help and exit |
| ‑a, ‑‑wsUrl | string | Yes | Mend server URL |
| ‑u, ‑‑userKey | string | Yes | Mend User Key |
| ‑k, ‑‑token | string | Yes | Mend API Key or Product token |
| ‑y, ‑‑tokenType | string | No* | [organization|product*] (default: organization) |
| ‑t, ‑‑type | string | No* | Report format [json|tv|rdf|xml|yaml|cdx*|all*] (default: tv) |
| ‑s, ‑‑scope | string | No | Product or Project token to generate the report(s) for. When specifying a Product token, one report will be generated for each project under that product. If not specified, one report will be generated for each project in your organization. |
| ‑o, ‑‑out | string | No | Output directory (default: $PWD) |
| ‑on, ‑‑outfile | string | No* | Output file name* (default: Mend {PROJECT_NAME} SBOM report-{FORMAT}) |
| ‑lt, ‑‑licensetext | bool | No | Include full license text for all libraries* (default: False) |
| ‑th, ‑‑threads | int | No | Number of threads to run in parallel for report generation (default: 10) |
| ‑e, ‑‑extra | string | No* | Path to a json file containing the creation info to be included in the report (default: $PWD/resources/sbom_extra.json |
Notes:
* Token type (--tokenType product) is required in case the specifieduserKeyis associated with a group with Product Administrators permissions.
* Report type (--type)cdxwill generate a JSON file in CycloneDX v1.4 format.
* Report type (--type)allwill generate one file in each format for each specified project.
* Output file name (--outfile) is only supported for a single project scope.
* Full license texts will be taken by default from the SPDX License List. If a given license does not exist there, the tool will attempt to take it from Mend's database.
* By default, the tool will use the placeholders in the resource/sbom_extra.json file.
Execution Examples
Generating tv formatted SBOM report for a specific project
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PROJECTTOKEN --out $HOME/reports --extra sbom_extra.json
Generating tv formatted SBOM report for all projects of a specified product
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PRODUCTTOKEN --out $HOME/reports --extra sbom_extra.json
Generating json formatted SBOM report for all projects in the organization
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type json --out $HOME/reports
Generating json formatted SBOM report for all projects in the organization, including full license text
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type json --out $HOME/reports --licensetext True
Generating xml formatted SBOM report for a single project (executed by a product administrator)
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_PRODUCTTOKEN --tokenType product --scope $WS_PROJECTTOKEN --type xml --out $HOME/reports --extra sbom_extra.json
Generating json formatted SBOM report for a single project, specifying file name
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PROJECTTOKEN --type json --out $HOME/reports --extra sbom_extra.json --outfile my-project-sbom.json
SBOM Generator Docker Container
Supported Operating Systems
- Linux: CentOS, Debian, Ubuntu, RedHat
- Windows: 10, 2012, 2016
Prerequisites
- Docker version 20 or later
- Mend user with admin permissions
Note:
The specified user (-u, --userKey) must be associated with a group assigned as either Organization Administrators (for generating report for all projects in the organization) or Product Administrators. For the latter,--tokenTypemust be specified (see Command-Line Arguments).
Installation
docker pull whitesourcetools/ws-sbom-generator:latest
Usage
docker run --name ws-sbom-generator \
-v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom-generator/resources \
-v $HOME/reports:/opt/ws-sbom-generator/sbom-generator/output \
-e WS_URL=$WS_WSS_URL \
-e WS_USER_KEY=$WS_USERKEY \
-e WS_TOKEN=$WS_APIKEY \
-e WS_REPORT_TYPE=<REPORT_TYPE> \
whitesourcetools/ws-sbom-generator
Execution Examples
Running as organization administrator, generating json formatted SBOM reports for all projects, default extra args
docker run --name ws-sbom-generator \
-v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \
-v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
-e WS_URL=$WS_WSS_URL \
-e WS_USER_KEY=$WS_USERKEY \
-e WS_TOKEN=$WS_APIKEY \
-e WS_REPORT_TYPE=json
whitesourcetools/ws-sbom-generator
Running as organization administrator, generating tv formatted SBOM report for a single project, default extra args
docker run --name ws-sbom-generator \
-v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \
-v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
-e WS_URL=$WS_WSS_URL \
-e WS_USER_KEY=$WS_USERKEY \
-e WS_TOKEN=$WS_APIKEY \
-e WS_SCOPE_TOKEN=<WS_PROJECT_TOKEN> \
whitesourcetools/ws-sbom-generator
Running as a product administrator, generating rdf formatted SBOM report for a single project, default extra args
docker run --name ws-sbom-generator \
-v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \
-v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
-e WS_URL=$WS_WSS_URL \
-e WS_USER_KEY=$WS_USERKEY \
-e WS_TOKEN=$WS_PRODUCTTOKEN \
-e WS_TOKEN_TYPE=product
-e WS_SCOPE_TOKEN=$WS_PROJECTTOKEN \
whitesourcetools/ws-sbom-generator
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for ws_sbom_generator-23.1.1.3-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 435715ca4f8f7461cd8bf6180acc3973cb147c3688c800dcc83286affcdf645d |
|
| MD5 | 6a9eecb1c6e315fcd6d11f2fb31a29d7 |
|
| BLAKE2b-256 | 8121b7e80179138d46cc851c36c02f037ed1ed8922ffec739fd26a497665b05e |
