ws-sbom-generator 0.3.1

WS SBOM Generator in SPDX format

WS SBOM Generator in SPDX format

CLI Tool and a Docker image to generate SBOM report in SPDX format.

• The tool can generate reports on the following scopes (defined with: -s/WS_SCOPE):
  • Project token - the tool will generate a report for the specific WS project.
  • Product token - the tool will generate a report for all the projects within the WS product.
  • No Token specified - the tool will generate a report on all the projects within the WS organization.
• The tool utilizes spdx-tools.
• The tool accepts additional values which are unknown to WhiteSource via sbom_extra.json.
• If URL is not stated (defined with: -a/WS_URL), the tool will access saas.
• If report type is not stated (defined with: -t/WS_REPORT_TYPE) the tool will generate a report in tag-value format.
  • Supported file formats: json, tv, rdf, xml and yaml.

Supported Operating Systems

• Linux (Bash): CentOS, Debian, Ubuntu, RedHat
• Windows (PowerShell): 10, 2012, 2016

Prerequisites

Python 3.7+

Deployment and Usage

From PyPi (simplest)

Install as a PyPi package:

1. Execute: pip install ws_sbom_generator

2. Install WS spdx-tools package that contains pre-release of spdx-tools 7 and additional fixes.

   Download and install spdx-tools from here

   1. Usage:

      usage: sbom_generator.py [-h] -u WS_USER_KEY -k WS_TOKEN [-s SCOPE_TOKEN] [-a WS_URL] [-t {json,tv,rdf,xml,yaml,all}] [-e EXTRA] [-o OUT_DIR]
      
      Utility to create SBOM from WhiteSource data
      
      optional arguments:
        -h, --help            show this help message and exit
        -u WS_USER_KEY, --userKey WS_USER_KEY
                              WS User Key
        -k WS_TOKEN, --token WS_TOKEN
                              WS Organization Key
        -s SCOPE_TOKEN, --scope SCOPE_TOKEN
                              Scope token of SBOM report to generate
        -a WS_URL, --wsUrl WS_URL
                              WS URL
        -t {json,tv,rdf,xml,yaml,all}, --type {json,tv,rdf,xml,yaml,all}
                              Output type
        -e EXTRA, --extra EXTRA
                              Extra configuration of SBOM
        -o OUT_DIR, --out OUT_DIR
                              Output directory
      

      Example: sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a saas -s <WS_PROJECT_TOKEN> -t tv -e /<path/to>/sbom_extra.json -o </path/reports>

Docker container

Installation

docker pull whitesourcetools/ws-sbom-generator:latest 

Execution

docker run --name ws-sbom-generator \ 
  -v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom-generator/resources \ 
  -v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom-generator/output \
  -e WS_USER_KEY=<USER_KEY> \ 
  -e WS_TOKEN=<ORG_WS_TOKEN> \
  -e WS_SCOPE=<WS_SCOPE> \
  -e WS_URL=<WS_URL> \
  -e WS_TYPE=<WS_TYPE> \
  whitesourcetools/ws-sbom-generator 

GitHub Package

Installation

1. Download and unzip the tool.
2. Install the requirements: pip install -r sbom_generator/requirements.txt
3. Edit the file sbom_extra.json with the appropriate values to complete the report:

Execution

Same as the PyPi package but prefix the script with python sbom_report.py...