{"id":15051170,"url":"https://github.com/anthonyharrison/distro2sbom","last_synced_at":"2025-05-10T23:26:13.465Z","repository":{"id":88986460,"uuid":"596068793","full_name":"anthonyharrison/distro2SBOM","owner":"anthonyharrison","description":"Generates SBOM files from system packaging information","archived":false,"fork":false,"pushed_at":"2025-04-21T14:38:38.000Z","size":118,"stargazers_count":22,"open_issues_count":5,"forks_count":12,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-21T15:37:52.112Z","etag":null,"topics":["cyclonedx","debian","devsecops","python","redhat","sbom","sbom-generator","spdx","ubuntu"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anthonyharrison.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["anthonyharrison"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2023-02-01T12:00:33.000Z","updated_at":"2025-04-21T14:38:41.000Z","dependencies_parsed_at":"2023-12-11T13:26:35.093Z","dependency_job_id":"d14810e0-dd5f-47e3-9411-f9b65228e01b","html_url":"https://github.com/anthonyharrison/distro2SBOM","commit_stats":{"total_commits":7,"total_committers":2,"mean_commits":3.5,"dds":0.1428571428571429,"last_synced_commit":"07c24b6230f92c0ab8c71b375593e91ebc8c23a4"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fdistro2SBOM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fdistro2SBOM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fdistro2SBOM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fdistro2SBOM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anthonyharrison","download_url":"https://codeload.github.com/anthonyharrison/distro2SBOM/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253496606,"owners_count":21917670,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyclonedx","debian","devsecops","python","redhat","sbom","sbom-generator","spdx","ubuntu"],"created_at":"2024-09-24T21:31:26.084Z","updated_at":"2025-05-10T23:26:13.456Z","avatar_url":"https://github.com/anthonyharrison.png","language":"Python","funding_links":["https://github.com/sponsors/anthonyharrison"],"categories":[],"sub_categories":[],"readme":"# DISTRO2SBOM\n\nThe DISTRO2SBOM generates a\nSBOM (Software Bill of Materials) for either an installed application or a complete system installation in a number of formats including\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).\nAn SBOM for an installed package will identify all of its dependent components.\n\nIt is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained\nand also to support subsequent audit needs to determine if a particular component (and version) has been used.\n\n## Installation\n\nTo install use the following command:\n\n`pip install distro2sbom`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## Usage\n\n```\nusage: distro2sbom [-h] [--distro {rpm,deb,windows,freebsd,auto}] [-i INPUT_FILE] [-n NAME] [-r RELEASE] [-p PACKAGE] [-s] [--root ROOT] [--distro-namespace DISTRO_NAMESPACE]\n [--product-type {application,framework,library,container,operating-system,device,firmware,file}] [--product-name PRODUCT_NAME] [--product-version PRODUCT_VERSION]\n [--product-author PRODUCT_AUTHOR] [-d] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V]\n\nDistro2Sbom generates a Software Bill of Materials for the specified package or distribution.\n\noptions:\n -h, --help show this help message and exit\n -V, --version show program's version number and exit\n\nInput:\n --distro {rpm,deb,windows,auto}\n type of distribution (default: auto)\n -i INPUT_FILE, --input-file INPUT_FILE\n name of distribution file\n -n NAME, --name NAME name of distribution\n -r RELEASE, --release RELEASE\n release identity of distribution\n -p PACKAGE, --package PACKAGE\n identity of package within distribution\n -s, --system generate SBOM for installed system\n --root ROOT location of distribution packages\n --distro-namespace DISTRO_NAMESPACE\n namespace for distribution\n\nProduct:\n --product-type {application,framework,library,container,operating-system,device,firmware,file}\n type of product\n --product-name PRODUCT_NAME\n name of product\n --product-version PRODUCT_VERSION\n version of product\n --product-author PRODUCT_AUTHOR\n author of product\n\nOutput:\n -d, --debug add debug information\n --sbom {spdx,cyclonedx}\n specify type of sbom to generate (default: spdx)\n --format {tag,json,yaml}\n specify format of software bill of materials (sbom) (default: tag)\n -o OUTPUT_FILE, --output-file OUTPUT_FILE\n output filename (default: output to stdout)\n```\n\t\t\t\t\t\t\n## Operation\n\nThe `--distro` option is used to identify the type of distribution. The default option is auto which attempts to determine the type of distribution by searching for the\npresence of key applications required by the tool. If none of the required applications are found, the tool terminates.\n\nThe `--name` option and `--release` option is used to identify the name and release of the distribution. Values for both options are required to be specified if the\n`--input-file` option is used. If they are not specified, values for these options shall be obtained from system files installed on the system.\n\nThe `--input-file` option is used to provide a filename containing the list of packages installed on the system. The format of the file is dependent on the specified `--distro` option.\n\n- deb. The file used is the output of the following command\n ```bash\n dpkg -l \u003e [filename.out]\n ```\n\n Sample file contents\n ```console\n Desired=Unknown/Install/Remove/Purge/Hold\n | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend\n |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)\n ||/ Name Version Architecture Description\n +++-================================================-===================================-============-==================================================================================\n ii acl 2.3.1-1 amd64 access control list - utilities\n ii adduser 3.129 all add and remove users and groups\n ii adwaita-icon-theme 43-1 all default icon theme of GNOME\n ii alien 8.95.6 all convert and install rpm and other packages\n ii alsa-tools 1.2.5-2 amd64 Console based ALSA utilities for specific hardware\n ```\n\n- rpm. The file used is the output of the following command. **Note** that it is recommended to sort the list of files as this makes it easier to find the packages in the SBOM.\n ```bash\n rpm -qa | sort \u003e [filename.out]\n ```\n \n Sample file contents\n ```console\n accountsservice-0.6.55-10.el9.x86_64\n accountsservice-libs-0.6.55-10.el9.x86_64\n acl-2.3.1-3.el9.x86_64\n adcli-0.9.1-7.el9.x86_64\n adwaita-cursor-theme-40.1.1-3.el9.noarch\n adwaita-icon-theme-40.1.1-3.el9.noarch\n ``` \n\n- windows. The file used is the output of the following command\n ```powershell\n get-wmiobject -class win32_product | Out-file -filePath [filename.out]\n ```\n \n Sample file contents\n ```console \n IdentifyingNumber : {....}\n Name : Python 3.10.5 Utility Scripts (64-bit)\n Vendor : Python Software Foundation\n Version : 3.10.5150.0\n Caption : Python 3.10.5 Utility Scripts (64-bit)\n\n ```\n- freebsd\n Sample of pkg info -a \n ```console\n py39-s3transfer-0.10.1 Amazon S3 Transfer Manager for Python\n py39-setuptools-63.1.0_1 Python packages installer\n py39-six-1.16.0 Python 2 and 3 compatibility utilities\n py39-urllib3-1.26.18,1 HTTP library with thread-safe connection pooling, file post, and more\n py39-yaml-6.0.1 Python YAML parser\n python311-3.11.9 Interpreted object-oriented programming language\n python38-3.8.19_2 Interpreted object-oriented programming language\n python39-3.9.19 Interpreted object-oriented programming language\n readline-8.2.10 Library for editing command lines as they are typed\n sudo-1.9.15p5_4 Allow others to run commands as root\n tiff-4.6.0 Tools and library routines for working with TIFF images\n xorg-fonts-truetype-7.7_1 X.Org TrueType fonts\n xorgproto-2024.1 X Window System unified protocol definitions\n zstd-1.5.6 Fast real-time compression algorithm\n ```\n\n\nIf the specified filename is not found, the tool will terminate.\n\nThe `--package` option is used to identify the name of a package or application installed on the system. If the specified package or application is not found, the tool terminates.\nThis option is not supported if the `--distro` option is set to 'windows'.\n\nThe `--system` option is used to generate an SBOM for all the applications installed on the system. Note that this option will take some time to complete as it is dependent on the number of installed applications.\nThis option is not supported if the `--distro` option is set to 'windows'.\n\nThe `--root` option is used to specify an alternative directory location for the installed packages. This option only applies for 'deb' distributions.\n\nThe `--disto-namespace` option is used to specify a namespace to be included in the generated [PURL](https://github.com/package-url/purl-spec) identifiers for the packages. This is mandatory if the `--input-file` option is specified.\n\nAt least one of the `--input-file`, `--package` or `--system` options must be specified. If multiple options are specified, the `--input-file` option followed by the `--system` option will be assumed.\n\nThe `--product-type`, `--product-name`, `--product-version` and `--product-author` options allow the specification of the top level\ncomponent within the SBOM. These option only apply to CycloneDX SBOMs. The default for product type is 'application' but it is always 'operating-system' if the `--system` option is specified.\n\nThe `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option\ncan be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both\nSPDX and CycloneDX SBOMs.\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but can be stored in a file (specified using `--output-file` option).\n\n## Examples\n\n### SBOM for an Installed Package\n\nTo generate an SBOM for the installed zip package.\n\n```bash\ndistro2sbom --distro auto --name \u003cdistro name\u003e --release \u003cdistro release\u003e --package zip\n```\n\nThis will automatically detect the type of distribution and generate an SBOM in SPDX Tag value format to the console.\n\n### SBOM for Distribution\n\nTo generate an SBOM for a system distribution.\n\n```bash\ndistro2sbom --distro deb --name \u003cdistro name\u003e --release \u003cdistro release\u003e --distro-namespace \u003cnamespace\u003e --input-file \u003cdistrofile\u003e --sbom cyclonedx --output-file \u003cdistrooutfile\u003e\n```\n\nThis will generate an SBOM in CycloneDX JSON value for a distribution file in dpkg format (indicated by the 'deb' option)\n\n### SBOM for System\n\nTo generate an SBOM for an installed system, obtaining the name and release of the system from installed system files.\n\n```bash\ndistro2sbom --distro deb --system --format json --output-file \u003cdistrooutfile\u003e\n```\n\nThis will generate an SBOM in SPDX JSON value for a distribution file in dpkg format (indicated by the 'deb' option)\n\n#### Specific options for rpm/yum based distro\n\nThe following [optional] environment variable are available to customize rpm and yum commands used by the tool. This can be usefull for example to enable/disable some repo or to support *chrooted* environments.\n\n- **DISTRO2SBOM_ROOT_PATH** The path prefix where to get `/etc/os-release`\n- **DISTRO2SBOM_RPM_OPTIONS** Additional options passed to rpm commands (used by `rpm -qa` to list all packages and `rpm -qi \u003cpkg\u003e` to query information on a package)\n- **DISTRO2SBOM_YUM_OPTIONS** Additional options passed to yum commands (used by `yum repoquery --deplist \u003cpkg\u003e` to get dependencies)\n\n```bash\nexport DISTRO2SBOM_ROOT_PATH=/path-to-distrib/slash\nexport DISTRO2SBOM_RPM_OPTIONS=\"--root /path-to-distrib/slash\"\nexport DISTRO2SBOM_YUM_OPTIONS=\"--installroot=/path-to-distrib/slash --setopt=reposdir=/path-to-distrib/repos --setopt=install_weak_deps=False --repo=my-repo\"\ndistro2sbom --distro rpm --system --sbom cyclonedx --format json --output-file \u003cdistrooutfile\u003e\n```\n\nThis will generate an SBOM in CYCLONEDX JSON value for a *chrooted* distribution located at `/path-to-distrib/slash`\n\n## Licence\n\nLicenced under the Apache 2.0 Licence.\n\n## Limitations\n\nThis tool is meant to support software development and security audit functions. However, the usefulness of the tool is dependent on the SBOM data\nwhich is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool\nare therefore reminded that they should assert the quality of any data which is provided to the tool.\n\nWhen processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct [SPDX License Identifiers](https://spdx.org/licenses/). However, the\nuser of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.\n\nDependencies between applications are only produced for the `--package` and `--system` options. For Debian distributions, recommends dependencies will be shown with the `--system` option.\n\nThe `--package` option is not supported if the `--distro` option is set to 'windows'.\n\nWhilst [PURL](https://github.com/package-url/purl-spec) and [CPE](https://nvd.nist.gov/products/cpe) references are automatically generated for components, the accuracy\nof such references cannot be guaranteed as they are dependent on the validity of the data associated with the component.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthonyharrison%2Fdistro2sbom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanthonyharrison%2Fdistro2sbom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthonyharrison%2Fdistro2sbom/lists"}