{"id":18638524,"url":"https://github.com/anthonyharrison/sbom4files","last_synced_at":"2025-09-11T11:35:20.320Z","repository":{"id":65585081,"uuid":"595187079","full_name":"anthonyharrison/sbom4files","owner":"anthonyharrison","description":"SBOM generator for files within a directory","archived":false,"fork":false,"pushed_at":"2024-12-09T20:36:17.000Z","size":53,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-11T16:28:08.820Z","etag":null,"topics":["cyclonedx","devsecops","sbom","sbom-generator","sbom-tool","spdx","tool"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anthonyharrison.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["anthonyharrison"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2023-01-30T15:22:17.000Z","updated_at":"2024-12-09T20:34:50.000Z","dependencies_parsed_at":"2025-04-11T16:38:04.238Z","dependency_job_id":null,"html_url":"https://github.com/anthonyharrison/sbom4files","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/anthonyharrison/sbom4files","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fsbom4files","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fsbom4files/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fsbom4files/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fsbom4files/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anthonyharrison","download_url":"https://codeload.github.com/anthonyharrison/sbom4files/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthonyharrison%2Fsbom4files/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274625658,"owners_count":25319955,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-11T02:00:13.660Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyclonedx","devsecops","sbom","sbom-generator","sbom-tool","spdx","tool"],"created_at":"2024-11-07T05:42:16.931Z","updated_at":"2025-09-11T11:35:20.249Z","avatar_url":"https://github.com/anthonyharrison.png","language":"Python","funding_links":["https://github.com/sponsors/anthonyharrison"],"categories":[],"sub_categories":[],"readme":"# SBOM4Files\n\nSBOM4Files generates a SBOM (Software Bill of Materials) for a directory in a number of formats including\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).\nIt identifies all files within a directory and includes license and copyright information, where possible, for each file.\n\nIt is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained, typically through the\nbuild development phase, and also to support subsequent audit needs to determine if a particular component has been used.\n\n## Installation\n\nTo install use the following command:\n\n`pip install sbom4files`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n### Issues with Installation\n\nIf you get the following error\n\n`ImportError: failed to find libmagic.  Check your installation`\n\nThis is because of a mismatch with the installation of the magic library. To resolve, please issue the following commands depending on your environment\n\n#### Windows\n\n```bash\npip uninstall python-magic\npip uninstall python-magic-bin\n\npip install python-magic\npip install python-magic-bin\n```\n\n#### Linxu based system\n\nInstall `libmagic` using a package manager, for example\n\n```bash\napt install libmagic-dev\n```\n\n#### MacOS\n\nInstall `libmagic` using a package manager, for example\n\n```bash\nbrew install libmagic\n```\n\n## Usage\n\n```\nusage: sbom4files [-h] [-d DIRECTORY] [-p PROJECT] [-r] \n                  [-i IGNORE] [--debug] [--sbom {spdx,cyclonedx}] \n                  [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V]\n\nSBOM4Files generates a Software Bill of Materials for the files within a directory.\n\noptions:\n  -h, --help            show this help message and exit\n  -V, --version         show program's version number and exit\n\nInput:\n  -d DIRECTORY, --directory DIRECTORY\n                        Directory to be scanned\n  -p PROJECT, --project PROJECT\n                        Name of project\n  -r, --recurse         Recurse directories\n  -i IGNORE, --ignore IGNORE\n                        Comma separated list of extensions to ignore\n\nOutput:\n  --debug               add debug information\n  --sbom {spdx,cyclonedx}\n                        specify type of sbom to generate (default: spdx)\n  --format {tag,json,yaml}\n                        format for SPDX software bill of materials (sbom) (default: tag)\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        output filename (default: output to stdout)\n```\n\t\t\t\t\t\n## Operation\n\nThe `--directory` option is used to identify the directory to be scanned. If this option is not specified, the current directory is assumed.\nSpecifying the `--recurse` option will result in the files in subdirectories being included in the generation of the SBOM.\n\nThe `--project` option is used to specify the name of a project to be referenced in the generated SBOM. This option must be specified.\n\nThe `--ignore` option is used to specify the file extensions which are to be ignored. This option is optional.\n\nThe `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option\ncan be used to specify the formatting of the SPDX SBOM (the default is Tag Value format but JSON and YAML format is also supported).\nAll CycloneDX SBOMs are generated in JSON format.\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but can be stored in a file (specified using `--output-file` option).\n\nThe application will attempt to extract the license and copyright information for each file. \n\nChecksums in SHA1, SHA256 and SHA512 formats are generated for each file.\n\n## Licence\n\nLicenced under the Apache 2.0 Licence.\n\n## Limitations\n\nThis tool is meant to support software development and security audit functions. The usefulness of the tool is dependent on the SBOM data\nwhich is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool\nare therefore reminded that they should assert the quality of any data which is provided to the tool.\n\nWhen processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct [SPDX License Identifiers](https://spdx.org/licenses/). However, the\nuser of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthonyharrison%2Fsbom4files","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanthonyharrison%2Fsbom4files","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthonyharrison%2Fsbom4files/lists"}