Skip to main content

WS SBOM Generator in SPDX format

Project description

Logo License CI Python 3.8 GitHub release

Mend SBOM Generator in SPDX or CycloneDX format

CLI Tool and a Docker image to generate SBOM report in SPDX format or in CycloneDX format.

  • The tool can generate reports on the following scopes (defined with: -s/WS_SCOPE_TOKEN):
    • Specific Project token - the tool will generate a report on a specific project (user key and token of organization admin or of Product Admin).
    • No Token specified - the tool will generate a report on all the projects within the organization (user key and token of organization admin).
  • To run the tool with product-level permissions pass -y product along with the product token (-k) and user key with permission on this product (-u).
  • The tool utilizes a forked package of spdx-tools.
  • The tool accepts additional values which are unknown to Mend (-e sbom_extra.json).
  • If URL is not stated (defined with: -a/WS_URL), the tool will access saas.
  • If report type is not stated (defined with: -t/WS_REPORT_TYPE) the tool will generate a report in tag-value format.
    • Supported file formats: json, tv, rdf, xml and yaml.

Permissions to run the tool

The user key used (-u) must be a member of one of the following groups:

  • Organization Administrator - For dynamically obtaining the organization name and generating reports on all projects (in all products).
  • Product Administrator (-y must be passed ) - For running on a specific project or all projects within the product.

Prerequisites

Python 3.8+

Installation and Execution by pulling package from PyPi:

  1. Execute pip install pip install ws-sbom-generator
    • Note: If installing packages as a non-root be sure to include the path to the executables within the Operating System paths.
  2. Run report: ws_sbom_generator -u <WS_USER_KEY> -k <WS_TOKEN> -a <WS_URL> -t <WS_REPORT_TYPE> {json,tv,rdf,xml,yaml,all} -e <EXTRA> -o <OUT_DIR>
    • Note: If installing packages as a non-root be sure to include the path to the executables within the Operating System paths.

Optional arguments:

  -h, --help            show this help message and exit
  -u WS_USER_KEY, --userKey
                  WS User Key
  -k WS_TOKEN, --token 
                  Mend Org Token (API Key) or Mend Product Token
  -s WS_SCOPE_TOKEN, --scope 
                  Scope token of SBOM report to generate
  -y WS_TOKEN_TYPE, --tokenType {product, organization}
                  Optional WS Token type to be stated in case Mend Org Token
                  does not have organization level permissions
  -a WS_URL, --wsUrl {saas, app, app-eu, saas-eu, your_url}
                  Mend URL 
  -t WS_REPORT_TYPE, --type {json,tv,rdf,xml,yaml,cdx,all}
                  Report type
  -e EXTRA, --extra 
                  Extra configuration of SBOM
  -o OUT_DIR, --out 
                  Output directory
  -on OUT_NAME, --out_file
                  Name of output file
  -lt LICENSE_TEXT, --license_text 
                  Include license text for each element
  -th NUMBER_OF_THREADS, --threads
                  Set number of parallel threads for creation output reports                
  * Note: Name of output file can be used just for single report (Project layer)
          LICENSE_TEXT flag has default value **False**. 
          In case **True** : The report will include a full license text for each library, not only for libraries that are not in the SPDX list.
          **cdx** type : The report will be created in CycloneDX format v1.4 (JSON type of output file)
          NUMBER_OF_THREADS has default value **10**

Examples:

Create tag value report on a specific project
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a app-eu -s <WS_PROJECT_TOKEN> -e /<path/to>/sbom_extra.json -o </path/reports>


Create tag value report on all projects of product
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a app-eu -s <WS_PRODUCT_TOKEN> -e /<path/to>/sbom_extra.json -o </path/reports>


Creating JSON report on all projects of organization
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a https://di.whitesourcesoftware.com -t json -o </path/reports>


Creating XML report on a project with a user which only has product permissions (SAAS organization)
ws_sbom_generator -u <WS_USER_KEY> -y product -k <WS_PRODUCT_TOKEN> -s <WS_PROJECT_TOKEN> -t xml -e /<path/to>/sbom_extra.json -o </path/reports>


Creating JSON report for specific project with customized name
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a app-eu -s <WS_PROJECT_TOKEN> -e /<path/to>/sbom_extra.json -o </path/reports> -on <filename>


Creating JSON report on all projects of organization with Full License Text option
ws_sbom_generator -u <WS_USER_KEY> -k <WS_ORG_TOKEN> -a https://di.whitesourcesoftware.com -t json -o </path/reports> -lt True


Docker container

Installation:

docker pull whitesourcetools/ws-sbom-generator:latest 

Execution:

docker run --name ws-sbom-generator \ 
  -v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom-generator/resources \ 
  -v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom-generator/output \
  -e WS_USER_KEY=<USER_KEY> \ 
  -e WS_TOKEN=<WS_ORG_TOKEN> \
  -e WS_URL=<WS_URL> \
  -e WS_REPORT_TYPE=<REPORT_TYPE> \
  whitesourcetools/ws-sbom-generator 

Examples (Docker):

# Run tool as Org Administrator on all projects, default extra args and output in JSON format.
docker run --name ws-sbom-generator \  
  -v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom_generator/resources \ 
  -v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_USER_KEY=<USER_KEY> \ 
  -e WS_TOKEN=<WS_ORG_TOKEN> \
  -e WS_URL=saas \
  -e WS_REPORT_TYPE=json
  whitesourcetools/ws-sbom-generator
  
# Run tool as Org Administrator on specific project, default extra args and output in tv format.
docker run --name ws-sbom-generator \  
  -v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom_generator/resources \
  -v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_USER_KEY=<USER_KEY> \ 
  -e WS_TOKEN=<WS_ORG_TOKEN> \
  -e WS_SCOPE_TOKEN=<WS_PROJECT_TOKEN> \
  -e WS_URL=https://di.whitesourcesoftware.com \
  whitesourcetools/ws-sbom-generator

# Run tool as Product Administrator on specific project, default extra args and output in rdf format.
docker run --name ws-sbom-generator \  
  -v /<EXTRA_CONF_DIR>:/opt/ws-sbom-generator/sbom_generator/resources \
  -v /<REPORT_OUTPUT_DIR>:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_USER_KEY=<USER_KEY> \ 
  -e WS_TOKEN=<WS_PROD_TOKEN> \
  -e WS_SCOPE_TOKEN=<WS_PROJECT_TOKEN> \
  -e WS_URL=app-eu \
  -e WS_TOKEN_TYPE=product
  whitesourcetools/ws-sbom-generator

Sample extra configuration (--extra/-e switch)

{
  "namespace": "http://CreatorWebsite/pathToSpdx/DocumentName-UUID",
  "org_email": "org@email.address",
  "person": "person name",
  "person_email": "person@email.address"
}

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

ws_sbom_generator-22.12.2.1-py3-none-any.whl (18.9 kB view details)

Uploaded Python 3

File details

Details for the file ws_sbom_generator-22.12.2.1-py3-none-any.whl.

File metadata

File hashes

Hashes for ws_sbom_generator-22.12.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 fa7e6a700d7f7da479a26b0b7959ea947f19447cbcba0a197378c787d8304501
MD5 31b750112b7392a3f05385f89a470fb7
BLAKE2b-256 4982c1b091b7a33660a2b30c10da795303e7f1adc3d8bddc596f471520eb9cfb

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page