ws-sbom-generator 0.3.9a1

WS SBOM Generator in SPDX format

WS SBOM Generator in SPDX format

CLI Tool and a Docker image to generate SBOM report in SPDX format.

• The tool can generate reports on the following scopes (defined with: -s/WS_SCOPE):
  • Project token - the tool will generate report on a specific project.
  • Product token - the tool will generate report on all the projects within the product.
  • No Token specified - the tool will generate report on all the projects within the organization.
• The tool utilizes a forked package of spdx-tools.
• The tool accepts additional values which are unknown to WhiteSource via sbom_extra.json.
• If URL is not stated (defined with: -a/WS_URL), the tool will access saas.
• If report type is not stated (defined with: -t/WS_REPORT_TYPE) the tool will generate a report in tag-value format.
  • Supported file formats: json, tv, rdf, xml and yaml.

Permissions to run the tool

The user key used (-u) must be a member of one the following groups:

• Organization Administrator - For dynamically obtaining organization name and generating reports on all projects (in all products).
• Product Administrator (-y must be passed ) - For running on specific project or all projects within the product.

Prerequisites

Python 3.7+

Deployment and Usage

From PyPi (simplest)

Install as a PyPi package:

Execute: pip install ws-sbom-generator

Usage:

 usage: sbom_generator.py [-h] [-u WS_USER_KEY] [-k WS_TOKEN] [-s SCOPE_TOKEN] [-y {project,product,organization,globalOrganization}] [-a WS_URL] [-t {json,tv,rdf,xml,yaml,all}] [-e EXTRA] [-o OUT_DIR]

  Utility to create SBOM from WhiteSource data

  optional arguments:                                                                                                                                                                                     
  -h, --help            show this help message and exit                                                                                                                                                 
  -u WS_USER_KEY, --userKey WS_USER_KEY                                                                                                                                                                 
  WS User Key
  -k WS_TOKEN, --token WS_TOKEN
  WS Organization Key
  -s SCOPE_TOKEN, --scope SCOPE_TOKEN
  Scope token of SBOM report to generate
  -y {project,product}, --tokenType {project,product,organization,globalOrganization}
  WS Token type
  -a WS_URL, --wsUrl WS_URL
  WS URL
  -t {json,tv,rdf,xml,yaml,all}, --type {json,tv,rdf,xml,yaml,all}
  Output type
  -e EXTRA, --extra EXTRA
  Extra configuration of SBOM
  -o OUT_DIR, --out OUT_DIR
  Output directory

Examples:

# Create tag value report on a specific project 
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a app-eu -s <WS_PROJECT_TOKEN> -e /<path/to>/sbom_extra.json -o </path/reports>
# Creating JSON report on all projects within the product 
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a https://di.whitesourcesoftware.com -s <WS_PRODUCT_TOKEN> -t json -e /<path/to>/sbom_extra.json -o </path/reports>

Docker container

Installation:

docker pull whitesourcetools/ws-sbom-generator:latest 

Execution:

docker run --name ws-sbom-generator \ 
  -v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom-generator/resources \ 
  -v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom-generator/output \
  -e WS_USER_KEY=<USER_KEY> \ 
  -e WS_TOKEN=<ORG_WS_TOKEN> \
  -e WS_SCOPE=<WS_SCOPE> \
  -e WS_URL=<WS_URL> \
  -e WS_TYPE=<WS_TYPE> \
  whitesourcetools/ws-sbom-generator 

Sample extra configuration (--extra/-e switch)

{
  "namespace": "http://CreatorWebsite/pathToSpdx/DocumentName-UUID",
  "org_email": "org@email.address",
  "person": "person name",
  "person_email": "person@email.address"
}