WS SBOM Generator in SPDX format
CLI tool and a Docker image to generate an SBOM report in SPDX format.
- The tool can generate reports on the following scopes (defined with -s/WS_SCOPE_TOKEN):
  - Specific project token: the tool generates a report on that project (user key and token of an Organization Admin or of a Product Admin).
  - No token specified: the tool generates a report on all projects within the organization (user key and token of an Organization Admin).
- To run the tool with product-level permissions, pass -y product along with the product token (-k) and a user key with permission on that product (-u).
- The tool utilizes a forked package of spdx-tools.
- The tool accepts additional values which are unknown to WhiteSource (-e sbom_extra.json).
- If no URL is stated (defined with -a/WS_URL), the tool accesses saas.
- If no report type is stated (defined with -t/WS_REPORT_TYPE), the tool generates a report in tag-value format.
- Supported file formats: json, tv, rdf, xml and yaml.
Permissions to run the tool
The user whose key is passed with -u must be a member of one of the following groups:
- Organization Administrator: for dynamically obtaining the organization name and generating reports on all projects (in all products).
- Product Administrator (-y product must be passed): for running on a specific project or on all projects within the product.
Prerequisites
Python 3.7+
Deployment and Usage
From PyPi (simplest)
Install as a PyPi package:
Execute: pip install ws-sbom-generator
Usage:
usage: sbom_generator.py [-h] [-u WS_USER_KEY] [-k WS_TOKEN] [-s SCOPE_TOKEN]
[-y {product,organization}] [-a WS_URL]
[-t {json,tv,rdf,xml,yaml,all}] [-e EXTRA]
[-o OUT_DIR]
Utility to create SBOM from WhiteSource data
optional arguments:
-h, --help show this help message and exit
-u WS_USER_KEY, --userKey
WS User Key
-k WS_TOKEN, --token
WS Org Token (API Key) or WS Product Token
-s WS_SCOPE_TOKEN, --scope
Scope token of SBOM report to generate
-y WS_TOKEN_TYPE, --tokenType {product, organization}
Optional WS Token type to be stated in case WS Org Token
does not have organization level permissions
-a WS_URL, --wsUrl {saas, app, app-eu, saas-eu, your_url}
WS URL
-t WS_REPORT_TYPE, --type {json,tv,rdf,xml,yaml,all}
Report type
-e EXTRA, --extra
Extra configuration of SBOM
-o OUT_DIR, --out
Output directory
Examples:
# Create tag value report on a specific project
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a app-eu -s <WS_PROJECT_TOKEN> -e /<path/to>/sbom_extra.json -o </path/reports>
# Creating JSON report on all projects of organization
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a https://di.whitesourcesoftware.com -t json -o </path/reports>
# Creating XML report on a project with product permissions (SAAS organization)
ws_sbom_generator -u <WS_USER_KEY> -y product -k <WS_PRODUCT_TOKEN> -s <WS_PROJECT_TOKEN> -t xml -e /<path/to>/sbom_extra.json -o </path/reports>
Docker container
Installation:
docker pull whitesourcetools/ws-sbom-generator:latest
Execution:
docker run --name ws-sbom-generator \
-v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom_generator/resources \
-v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom_generator/output \
-e WS_USER_KEY=<USER_KEY> \
-e WS_TOKEN=<WS_ORG_TOKEN> \
-e WS_URL=<WS_URL> \
-e WS_REPORT_TYPE=<REPORT_TYPE> \
whitesourcetools/ws-sbom-generator
The mount targets use sbom_generator (underscore), as in the examples below. Because the container is given a fixed name, a second run fails with a name conflict until the old container is removed (docker rm ws-sbom-generator) or --rm is added. Passing the user key and token as -e VAR=value puts both secrets into shell history and process listings; prefer exporting them in the calling shell and passing -e WS_USER_KEY -e WS_TOKEN without a value (Docker then copies them from the host environment), or use --env-file pointing at a file with restrictive permissions.
Examples (Docker):
# Run tool as Org Administrator on all projects, default extra args and output in JSON format.
docker run --name ws-sbom-generator \
-v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom_generator/resources \
-v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom_generator/output \
-e WS_USER_KEY=<USER_KEY> \
-e WS_TOKEN=<WS_ORG_TOKEN> \
-e WS_URL=saas \
-e WS_REPORT_TYPE=json \
whitesourcetools/ws-sbom-generator
# Run tool as Org Administrator on specific project, default extra args and output in tv format.
docker run --name ws-sbom-generator \
-v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom_generator/resources \
-v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom_generator/output \
-e WS_USER_KEY=<USER_KEY> \
-e WS_TOKEN=<WS_ORG_TOKEN> \
-e WS_SCOPE_TOKEN=<WS_PROJECT_TOKEN> \
-e WS_URL=https://di.whitesourcesoftware.com \
whitesourcetools/ws-sbom-generator
# Run tool as Product Administrator on specific project, default extra args and output in rdf format.
docker run --name ws-sbom-generator \
-v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom_generator/resources \
-v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom_generator/output \
-e WS_USER_KEY=<USER_KEY> \
-e WS_TOKEN=<WS_PROD_TOKEN> \
-e WS_SCOPE_TOKEN=<WS_PROJECT_TOKEN> \
-e WS_URL=app-eu \
-e WS_TOKEN_TYPE=product \
whitesourcetools/ws-sbom-generator
Sample extra configuration (--extra/-e switch)
{
"namespace": "http://CreatorWebsite/pathToSpdx/DocumentName-UUID",
"org_email": "org@email.address",
"person": "person name",
"person_email": "person@email.address"
}
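The values in sbom_extra.json end up in the SPDX document header, and the default output is tag-value. The following Python is an added example, not code from ws-sbom-generator or its spdx-tools fork: it parses a tag-value report (standard SPDX 2.x syntax: "Tag: value" lines, multi-line values wrapped in <text>...</text>, "#" comment lines) and checks it against the extra configuration. How the tool maps the four keys onto SPDX fields is an assumption here (namespace to DocumentNamespace, org_email to an Organization creator, person and person_email to a Person creator), and the sample document is constructed, not generated by the tool.

```python
"""Parse a tag-value SPDX report and cross-check it against sbom_extra.json.

Added example, not part of ws-sbom-generator. The sample document below is
constructed; the mapping of sbom_extra.json keys to SPDX fields is assumed.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample, not output of the tool.
SAMPLE_TV = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
DocumentName: my-project
DocumentNamespace: http://CreatorWebsite/pathToSpdx/DocumentName-UUID
Creator: Organization: org@email.address
Creator: Person: person name (person@email.address)

## Packages
PackageName: requests
PackageVersion: 2.27.1
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: <text>Copyright 2019 Kenneth Reitz
All rights reserved.</text>

PackageName: urllib3
PackageVersion: 1.26.8
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: MIT
"""

# The README's sample extra configuration, as the dict json.load would return.
SAMPLE_EXTRA = {
    "namespace": "http://CreatorWebsite/pathToSpdx/DocumentName-UUID",
    "org_email": "org@email.address",
    "person": "person name",
    "person_email": "person@email.address",
}

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def load_extra(path: str) -> Dict[str, str]:
    """Read an sbom_extra.json file (same shape as SAMPLE_EXTRA)."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def parse_tag_value(text: str) -> List[Tuple[str, str]]:
    """Return (tag, value) pairs in document order, joining <text> blocks."""
    pairs: List[Tuple[str, str]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"not a tag-value line: {line!r}")
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>"):
            # Multi-line value: consume lines until the closing </text>.
            buf = [value[len("<text>"):]]
            while not buf[-1].rstrip().endswith("</text>"):
                if i >= len(lines):
                    raise ValueError(f"unterminated <text> for {tag}")
                buf.append(lines[i])
                i += 1
            value = "\n".join(buf).rstrip()[: -len("</text>")]
        pairs.append((tag, value))
    return pairs


def document_fields(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Document-level tags: everything before the first PackageName."""
    doc: Dict[str, List[str]] = {}
    for tag, value in pairs:
        if tag == "PackageName":
            break
        doc.setdefault(tag, []).append(value)
    return doc


def packages(pairs: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Group Package* tags; each PackageName starts a new package record."""
    pkgs: List[Dict[str, str]] = []
    for tag, value in pairs:
        if tag == "PackageName":
            pkgs.append({tag: value})
        elif pkgs and tag.startswith("Package"):
            pkgs[-1][tag] = value
    return pkgs


def check_report(text: str, extra: Dict[str, str]) -> List[str]:
    """Findings where the report contradicts sbom_extra.json or lacks a license."""
    pairs = parse_tag_value(text)
    doc = document_fields(pairs)
    findings: List[str] = []
    if doc.get("DocumentNamespace") != [extra["namespace"]]:
        findings.append("DocumentNamespace differs from extra.namespace")
    creators = doc.get("Creator", [])
    orgs = [c for c in creators if c.startswith("Organization:")]
    people = [c for c in creators if c.startswith("Person:")]
    if not any(extra["org_email"] in c for c in orgs):
        findings.append("no Organization creator carries extra.org_email")
    if not any(extra["person"] in c and extra["person_email"] in c for c in people):
        findings.append("no Person creator carries extra.person / person_email")
    for p in packages(pairs):
        if p.get("PackageLicenseConcluded", "NOASSERTION") == "NOASSERTION":
            findings.append(f"{p['PackageName']}: license not concluded")
    return findings
```

On a real report, read the .spdx file into a string and pass it together with load_extra("sbom_extra.json") to check_report; an empty list means the header matches the configuration and every package has a concluded license. A NOASSERTION license is worth flagging because downstream consumers of the SBOM cannot evaluate it, and a namespace that does not match the configured one usually means the wrong sbom_extra.json was mounted.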
Download files
Source Distributions
No source distribution files available for this release.
Built Distribution
File details
Details for the file ws_sbom_generator-0.5.0-py3-none-any.whl.
File metadata
- Download URL: ws_sbom_generator-0.5.0-py3-none-any.whl
- Upload date:
- Size: 13.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10
File hashes
Algorithm | Hash digest
---|---
SHA256 | e46c2a603a2d410c595da56a2fc07a226cf13abb632886fa35fad2c4d25cd2fa
MD5 | 3dbf4e62da97575678fd1f52e9b7c498
BLAKE2b-256 | 38d1384d25ab453a22031f59f04fbf0af4afc75125b4b59937ecb82d40dc9e02
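Since this release was not uploaded with Trusted Publishing and ships no source distribution, the published digest is the check available before installing the wheel. The following Python is an added example, not the project's code: it streams the downloaded file through SHA256, compares it in constant time against the digest listed above, splits the wheel filename into its PEP 427 parts, and emits the hash-pinned requirement line pip can enforce. The self_check() helper hashes constructed stand-in bytes, so its second result is expected to be a mismatch; function names and the temporary-file layout are assumptions.

```python
"""Verify a downloaded wheel against the digest published on PyPI.

Added example, not part of ws-sbom-generator. The filename and SHA256 are the
ones listed for the 0.5.0 wheel; the bytes hashed in self_check() are a
constructed stand-in and must NOT match the published digest.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Dict, Tuple

WHEEL_NAME = "ws_sbom_generator-0.5.0-py3-none-any.whl"
PUBLISHED_SHA256 = "e46c2a603a2d410c595da56a2fc07a226cf13abb632886fa35fad2c4d25cd2fa"

# PEP 427: {distribution}-{version}(-{build tag})?-{python}-{abi}-{platform}.whl
WHEEL_RE = re.compile(
    r"^(?P<dist>[^-]+)-(?P<ver>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)


def parse_wheel_filename(name: str) -> Dict[str, str]:
    """Split a wheel filename into its PEP 427 components."""
    m = WHEEL_RE.match(name)
    if not m:
        raise ValueError(f"not a wheel filename: {name}")
    return m.groupdict()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hex SHA256 of a file, streamed so large wheels are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_wheel(path: Path, expected_sha256: str) -> bool:
    """True only if the file's SHA256 equals the published digest."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def hash_pinned_requirement(wheel: str, sha256_hex: str) -> str:
    """Requirement line for `pip install --require-hashes -r requirements.txt`."""
    info = parse_wheel_filename(wheel)
    dist = info["dist"].replace("_", "-")  # wheel names normalise '-' to '_'
    return f"{dist}=={info['ver']} --hash=sha256:{sha256_hex}"


def self_check() -> Tuple[bool, bool]:
    """Hash a constructed fake wheel: (matches its own digest, matches published)."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / WHEEL_NAME
        fake.write_bytes(b"constructed stand-in, not the real wheel\n")
        return verify_wheel(fake, sha256_file(fake)), verify_wheel(fake, PUBLISHED_SHA256)


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print("self-check (own digest, published digest):", self_check())
    else:
        wheel = Path(sys.argv[1])
        info = parse_wheel_filename(wheel.name)
        print(f"{wheel.name}: python={info['py']} abi={info['abi']} platform={info['plat']}")
        if verify_wheel(wheel, PUBLISHED_SHA256):
            print("SHA256 matches the published digest")
            print(hash_pinned_requirement(wheel.name, PUBLISHED_SHA256))
        else:
            print("SHA256 MISMATCH: do not install this file")
```

Fetch the file without installing it (pip download ws-sbom-generator==0.5.0 --no-deps -d .), run the script on it, and put the emitted line into a requirements file installed with pip install --require-hashes; pip then refuses any file whose digest differs, and in that mode every requirement, dependencies included, must carry a pinned version and hash. Compare against the SHA256 (or BLAKE2b) column, not the MD5 one.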