Repository: https://github.com/jd-opensource/sbom-tool (owner jd-opensource; language Go; license MulanPSL-2.0; default branch `master`)
Record: created 2024-03-04, last push 2024-05-27; 10 stars, 3 forks, 3 open issues, 1 tag; not archived, not a fork. Repository files detected: README.md and LICENSE only; no changelog, contributing guide, code of conduct, security policy or threat-model file.
Source archive: https://codeload.github.com/jd-opensource/sbom-tool/tar.gz/refs/heads/master
Catalog entry: https://awesome.ecosyste.ms/projects/github.com%2Fjd-opensource%2Fsbom-tool (last synced 2025-10-19)

# SBOM-TOOL
English | [简体中文](./README_zh.md)

SBOM-TOOL is a command-line tool that generates a software bill of materials (SBOM) for a software project from several dimensions of information: the source code repository, code fingerprints, the build environment, artifact information, artifact content, and the dependencies pulled in by the build.

## Feature

### Information collection
- Collect source code project information, including repository address, version information, etc.
- Collect and generate code fingerprints
- Collect information about the environment the project build depends on
- Collect the dependency components used by the project build
- Collect information about the final artifact package
- Collect artifact content information, including file name, file type, checksum, etc.

### SBOM document
- Assemble SBOM documents from the collected segments
- Standard format conversion: supports the domestic (Chinese) XSPDX specification, SPDX and other specifications, in JSON, TagValue and other formats
- Canonical format check: same specifications and formats as above

## Code fingerprint generation ability

| Language      | Supported |
|---------------|-----------|
| `C/C++`       | yes       |
| `Java`        | yes       |
| `C#`          | yes       |
| `Dart`        | yes       |
| `Golang`      | yes       |
| `Javascript`  | yes       |
| `Objective-C` | yes       |
| `Php`         | yes       |
| `Python`      | yes       |
| `Ruby`        | yes       |
| `Rust`        | yes       |
| `Swift`       | yes       |
| `Lua`         | yes       |

## Dependency package scanning capability
Configuration file parsing and binary package parsing for the following programming languages are supported now; more will be supported step by step. Files marked `[graph]` are the ones the dependency graph is read from; the command in parentheses is how to produce such a file.

| Package Type | Package Manager                                  | Parsed files                                                                                                                                                           | Dependency graph |
|--------------|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|
| `maven`      | [Maven](https://maven.apache.org)                | `pom.xml`, `*.jar`, `*.war`, `[graph]maven-dependency-tree.txt` (`mvn dependency:tree -DoutputFile=maven-dependency-tree.txt`)                                         | yes              |
| `maven`      | [Gradle](https://gradle.org)                     | `*.gradle`, `.gradle.lockfile`, `[graph]gradle-dependency-tree.txt` (`gradlew gradle-baseline-java:dependencies > gradle-dependency-tree.txt`)                         | yes              |
| `conan`      | [Conan](https://conan.io)                        | `conanfile.txt`, `conan.lock`, `[graph]conan-graph-info.json` (`conan graph info -f json > conan-graph-info.json`)                                                     | yes              |
| `npm`        | [NPM](https://www.npmjs.com)                     | `package.json`, `package-lock.json`                                                                                                                                    | no               |
| `npm`        | [Yarn](https://yarnpkg.com)                      | `[graph]yarn.lock`                                                                                                                                                     | yes              |
| `npm`        | [PNPM](https://pnpm.io/)                         | `[graph]pnpm.lock`                                                                                                                                                     | yes              |
| `golang`     | [Go Module](https://go.dev/ref/mod)              | `go.mod`, Go binary file, `[graph]go-mod-graph.txt` (`go mod graph > go-mod-graph.txt`)                                                                                | yes              |
| `golang`     | [Glide](https://github.com/Masterminds/glide)    | `glide.yml`, `glide.yaml`                                                                                                                                              | no               |
| `golang`     | [GoDep](https://github.com/tools/godep)          | `Godeps.json`                                                                                                                                                          | no               |
| `golang`     | [Dep](https://github.com/golang/dep)             | `Gopkg.toml`                                                                                                                                                           | no               |
| `golang`     | [GVT](https://github.com/FiloSottile/gvt)        | `*/vendor/manifest`                                                                                                                                                    | no               |
| `pypi`       | [PIP](https://pip.pypa.io)                       | `Pipfile.lock`, `*dist-info/METADATA`, `PKG-INFO`, `*requirements*.txt`, `setup.py`, `[graph]pipenv-graph.txt` (`pipenv graph > pipenv-graph.txt`)                    | yes              |
| `pypi`       | [Poetry](https://python-poetry.org)              | `[graph]poetry.lock`                                                                                                                                                   | yes              |
| `conda`      | [Conda](https://conda.io)                        | `environment.yml`, `environment.yaml`, `package-list.txt`                                                                                                              | no               |
| `composer`   | [Composer](https://getcomposer.org)              | `composer.json`, `composer.lock`                                                                                                                                       | no               |
| `cargo`      | [Cargo](https://doc.rust-lang.org/cargo)         | `Cargo.toml`, `[graph]Cargo.lock`, Rust binary file                                                                                                                    | yes              |
| `carthage`   | [Carthage](https://github.com/Carthage/Carthage) | `Cartfile`, `Cartfile.resolved`                                                                                                                                        | no               |
| `swift`      | [SwiftPM](https://www.swift.org/package-manager) | `Package.swift`                                                                                                                                                        | no               |
| `cocoapods`  | [Cocoapods](https://cocoapods.org)               | `Podfile.lock`, `Podfile`, `*.podspec`                                                                                                                                 | yes              |
| `gem`        | [Gem](https://rubygems.org)                      | `[graph]Gemfile.lock`, `Gemfile`, `*.gemspec`                                                                                                                          | yes              |
| `nuget`      | [NuGet](https://www.nuget.org)                   | `[graph]*.deps.json`, `*.csproj`, `*.vbproj`, `*.fsproj`, `*.vcproj`, `*.nuget.dgspec.json`, `*.nuspec`, `packages.json`, `packages.lock.json`                         | yes              |
| `pub`        | [Pub](https://pub.dev)                           | `[graph]pub-deps.json` (`dart pub deps --json > pub-deps.json`), `pubspec.lock`, `pubspec.yaml`                                                                        | yes              |
| `rpm`        | [RPM](https://rpm-packaging-guide.github.io)     | `*.spec`                                                                                                                                                               | no               |
| `deb`        | [DEB](https://deb.debian.org/debian)             | `*.deb`, `*.control`                                                                                                                                                   | no               |
| `lua`        | [LuaRocks](https://luarocks.org)                 | `*.rockspec`                                                                                                                                                           | no               |
| `bower`      | [Bower](https://bower.io)                        | `*.spec`                                                                                                                                                               | no               |

## Architecture
![SBOM-TOOL architecture](./docs/img/arch.png)

## Installation
1. Build from source (`go 1.18` or above is required)
   ```shell
   git clone git@gitee.com:JD-opensource/sbom-tool.git
   cd sbom-tool
   make
   ```
   By default this produces binaries for the following systems and architectures:
    - Linux x86_64: sbom-tool-linux-amd64
    - Linux arm64: sbom-tool-linux-arm64
    - Windows x86_64: sbom-tool-windows-amd64.exe
    - Windows arm64: sbom-tool-windows-arm64.exe
    - macOS amd64: sbom-tool-darwin-amd64
    - macOS arm64: sbom-tool-darwin-arm64

Or install via `go install`:
   ```shell
   go install gitee.com/JD-opensource/sbom-tool/cmd/sbom-tool@latest
   ```
For a reproducible toolchain, install a specific tagged version instead of `@latest`.

Or download a release binary: [SBOM-TOOL Releases](https://gitee.com/JD-opensource/sbom-tool/releases)

Note that the clone, `go install` and release URLs above point to the Gitee repository (`gitee.com/JD-opensource/sbom-tool`), not to the GitHub repository this page describes.

## Subcommands

| Subcommand    | Function                                                   |
|---------------|------------------------------------------------------------|
| `help`        | help about any command                                     |
| `artifact`    | collect artifact information                               |
| `assembly`    | assemble an SBOM document from document segments           |
| `completion`  | generate the autocompletion script for the specified shell |
| `convert`     | convert the SBOM document format                           |
| `env`         | collect build environment information                      |
| `fingerprint` | generate code fingerprints                                 |
| `generate`    | generate an SBOM document                                  |
| `package`     | collect package dependencies                               |
| `source`      | collect source code information                            |
| `validate`    | validate the SBOM document format                          |
| `info`        | show tool introduction information                         |
| `modify`      | modify SBOM document properties                            |

## Parameter description

| Parameter       | Short | Description                                                                                                                                     | Usage example                               |
|-----------------|-------|-------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------|
| `--log-level`   |       | log level (`debug`, `info`, `warn`, `error`)                                                                                                    | `--log-level info`                          |
| `--log-path`    |       | log output path (default `$home/sbom-tool/sbom-tool.log`)                                                                                       | `--log-path /tmp/sbom.log`                  |
| `--quiet`       | `-q`  | no console output                                                                                                                               | `--quiet` or `-q`                           |
| `--ignore-dirs` |       | directories to ignore, comma-separated; skips all dot directories. Example: `node_modules,logs`                                                 | `--ignore-dirs log,logs`                    |
| `--language`    | `-l`  | programming language (currently supported: `java`, `cpp`; default `*`; the fingerprint table above lists more languages, see the user guide for the current list) | `--language java` or `-l cpp`               |
| `--parallelism` | `-m`  | degree of parallelism (default `8`)                                                                                                             | `--parallelism 4` or `-m 9`                 |
| `--output`      | `-o`  | output file; by default the result file is written to the current directory                                                                     | `--output /tmp/sbom.json`                   |
| `--src`         | `-s`  | project source directory (the project root if empty; default `.`)                                                                               | `--src /tmp/sbomtool/src/`                  |
| `--path`        | `-p`  | project home directory; for the `assembly` subcommand, the directory holding the temporary documents of each phase                              | `--path /tmp/sbomtool/`                     |
| `--dist`        | `-d`  | distribution directory (default `.`)                                                                                                            | `--dist /tmp/sbomtool/bin/`                 |
| `--format`      | `-f`  | SBOM document format (currently supported: `xspdx-json`, `spdx-json`, `spdx-tagvalue`; default `spdx-json`)                                     | `--format xspdx-json` or `-f spdx-json`     |
| `--input`       | `-i`  | SBOM document to use as input                                                                                                                   | `--input /tmp/sbom.json`                    |

The `generate` example in the user guide below also passes `-n`, `-v`, `-u` and `-b` for the product name, version, supplier and document namespace; they are not listed in this table, see the user guide document for their description.

## SBOM Document specification and format

| Specification | Format     | SBOM document format | Status    |
|:--------------|:-----------|:---------------------|:----------|
| `XSPDX`       | `JSON`     | `xspdx-json`         | Supported |
| `SPDX`        | `JSON`     | `spdx-json`          | Supported |
| `SPDX`        | `TagValue` | `spdx-tagvalue`      | Supported |

## User guide
Generate code fingerprints only, from the source code path:

```shell
sbom-tool fingerprint -m 4 -s ${src_path} -o fingerprint.json --ignore-dirs .git
```

Generate an SBOM document in a chosen format:

```shell
sbom-tool generate -m 4 -p ${project_path} -s ${src_path} -d ${dist_path} -o sbom.spdx.json -f spdx-json --ignore-dirs .git -n ${name} -v ${version} -u ${supplier} -b ${namespace}
```

Show tool introduction information:

```shell
sbom-tool info
```

See the [user guide](docs/en-US/user-guide.md) for details.

## Development guide
See the [development guide](docs/en-US/development-guide.md) for details.

## Problem feedback & contact us
If you run into problems while using the tool, please open an issue.

## How to Contribute
SBOM-TOOL is an open source software composition analysis tool; contributions are welcome.

## License
This project is licensed under **MulanPSL2**. See the [LICENSE](LICENSE) file for details.
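The dependency scanning table above names `go mod graph > go-mod-graph.txt` as the graph input for Go modules. As an added example, not code from SBOM-TOOL, here is a parser for that output: it rebuilds the requirement graph, lists everything transitively reachable from the main module, and flags module paths that occur at more than one version, which is exactly the case where a scanner that reads only the main module's `go.mod` would not see the version another dependency requires. The sample graph is constructed for the example, not captured from a real project. Keep in mind that `go mod graph` prints the whole requirement graph, including versions that minimal version selection does not pick; the versions that actually ship come from `go list -m all`.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"sort"
	"strings"
)

// ModGraph is the requirement graph printed by `go mod graph`: one "from to" pair per line,
// each node written as path@version, the main module appearing without a version.
type ModGraph struct {
	Root  string
	Edges map[string][]string // node -> nodes it requires, in input order; leaves map to nil
}

// ParseModGraph reads `go mod graph` output. The left-hand side of the first line is the main module.
func ParseModGraph(r io.Reader) (*ModGraph, error) {
	g := &ModGraph{Edges: map[string][]string{}}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("line %d: expected \"from to\", got %q", n, line)
		}
		if g.Root == "" {
			g.Root = f[0]
		}
		g.Edges[f[0]] = append(g.Edges[f[0]], f[1])
		if _, ok := g.Edges[f[1]]; !ok {
			g.Edges[f[1]] = nil // record leaves as nodes so version scans see them
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if g.Root == "" {
		return nil, fmt.Errorf("empty graph")
	}
	return g, nil
}

// SplitNode separates path@version; the main module has no version part.
func SplitNode(node string) (path, version string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

// Transitive returns every node reachable from root, sorted, root itself excluded.
func (g *ModGraph) Transitive(root string) []string {
	seen := map[string]bool{root: true}
	stack := []string{root}
	for len(stack) > 0 {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		for _, d := range g.Edges[n] {
			if !seen[d] {
				seen[d] = true
				stack = append(stack, d)
			}
		}
	}
	delete(seen, root)
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// MultiVersion lists module paths that occur at more than one version anywhere in the graph,
// with their versions sorted. Which of them is selected is decided by MVS, not by this graph.
func (g *ModGraph) MultiVersion() map[string][]string {
	seen := map[string]map[string]bool{}
	for node := range g.Edges {
		if p, v := SplitNode(node); v != "" {
			if seen[p] == nil {
				seen[p] = map[string]bool{}
			}
			seen[p][v] = true
		}
	}
	out := map[string][]string{}
	for p, vs := range seen {
		if len(vs) > 1 {
			for v := range vs {
				out[p] = append(out[p], v)
			}
			sort.Strings(out[p])
		}
	}
	return out
}

// Constructed sample, not captured from a real project: golang.org/x/text is required at two versions.
const SampleModGraph = `example.com/app github.com/a/lib@v1.2.0
example.com/app golang.org/x/text@v0.3.7
github.com/a/lib@v1.2.0 golang.org/x/text@v0.3.0
github.com/a/lib@v1.2.0 github.com/b/util@v0.1.0
golang.org/x/text@v0.3.7 golang.org/x/tools@v0.1.0
`

func main() {
	g, err := ParseModGraph(strings.NewReader(SampleModGraph))
	if err != nil {
		panic(err)
	}
	fmt.Println("root:", g.Root, "direct:", g.Edges[g.Root])
	fmt.Println("transitive:", g.Transitive(g.Root))
	for p, vs := range g.MultiVersion() {
		fmt.Printf("%s is required at several versions: %v\n", p, vs)
	}
}
```

Feed it the real `go-mod-graph.txt` via `ParseModGraph(os.Open(...))` to compare the module set against the packages the generated SBOM lists; any module in `Transitive` that is absent from the SBOM is a gap worth investigating.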
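The `generate` command in the user guide above records, among the other dimensions, the checksum of every artifact file (the "artifact content" item in the feature list). A consumer of that SBOM should be able to re-verify those checksums offline before trusting the artifact. As an added example, not SBOM-TOOL's own code, here is a small Go auditor for an `spdx-json` document: it checks the two document-level fields every SPDX 2.x document carries, then recomputes SHA256 for each `files[]` entry under the distribution directory. The sample document and the files it describes are constructed for the example and follow the standard SPDX 2.x JSON layout, not necessarily the exact field set SBOM-TOOL emits. The path check is deliberate: an SBOM is untrusted input, so an entry such as `../../etc/passwd` is reported rather than opened.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Subset of the SPDX 2.x JSON schema that a checksum audit needs. encoding/json matches
// untagged field names to JSON keys case-insensitively, so no struct tags are required.
type SPDXDocument struct {
	SPDXVersion, SPDXID string
	Files               []SPDXFile
}
type SPDXFile struct {
	FileName  string
	Checksums []struct{ Algorithm, ChecksumValue string }
}

// Finding records one file entry that did not verify: mismatch, missing, no-sha256 or outside-dist.
type Finding struct{ FileName, Reason string }

// ParseSPDX decodes an spdx-json document and checks the two fields every SPDX 2.x document carries.
func ParseSPDX(r io.Reader) (*SPDXDocument, error) {
	var doc SPDXDocument
	if err := json.NewDecoder(r).Decode(&doc); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(doc.SPDXVersion, "SPDX-") || doc.SPDXID != "SPDXRef-DOCUMENT" {
		return nil, fmt.Errorf("not an SPDX 2.x document: version=%q id=%q", doc.SPDXVersion, doc.SPDXID)
	}
	return &doc, nil
}

// VerifyFileChecksums recomputes SHA256 for every file entry under distDir and compares it with the
// recorded value. The SBOM is untrusted input: an entry whose path escapes distDir is reported, not opened.
func VerifyFileChecksums(doc *SPDXDocument, distDir string) ([]Finding, error) {
	absDist, err := filepath.Abs(distDir)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range doc.Files {
		report := func(reason string) { findings = append(findings, Finding{f.FileName, reason}) }
		// SPDX fileName values are relative to the package root and conventionally start with "./".
		full := filepath.Join(absDist, filepath.FromSlash(strings.TrimPrefix(f.FileName, "./")))
		rel, err := filepath.Rel(absDist, full)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			report("outside-dist")
			continue
		}
		expected := ""
		for _, c := range f.Checksums {
			if strings.EqualFold(c.Algorithm, "SHA256") {
				expected = strings.ToLower(c.ChecksumValue)
			}
		}
		if expected == "" {
			report("no-sha256")
			continue
		}
		data, err := os.ReadFile(full)
		switch {
		case os.IsNotExist(err):
			report("missing")
		case err != nil:
			return nil, err
		case fmt.Sprintf("%x", sha256.Sum256(data)) != expected:
			report("mismatch")
		}
	}
	return findings, nil
}

// Constructed sample document, not real SBOM-TOOL output; the hashes are sha256("hello\n") and sha256("").
const SampleSPDX = `{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "files": [
 {"fileName": "./bin/tool",       "checksums": [{"algorithm": "SHA256", "checksumValue": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"}]},
 {"fileName": "./LICENSE",        "checksums": [{"algorithm": "SHA256", "checksumValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
 {"fileName": "./bin/helper",     "checksums": [{"algorithm": "SHA256", "checksumValue": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"}]},
 {"fileName": "./docs/sha1-only", "checksums": [{"algorithm": "SHA1",   "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]},
 {"fileName": "./docs/missing",   "checksums": [{"algorithm": "SHA256", "checksumValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
 {"fileName": "../../etc/passwd", "checksums": [{"algorithm": "SHA256", "checksumValue": "00"}]}
]}`

// BuildSampleDist writes the constructed distribution: bin/tool and LICENSE are intact, bin/helper was tampered with.
func BuildSampleDist(dir string) error {
	if err := os.MkdirAll(filepath.Join(dir, "bin"), 0o755); err != nil {
		return err
	}
	for name, body := range map[string]string{"bin/tool": "hello\n", "LICENSE": "", "bin/helper": "hacked\n"} {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "sbom-dist")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	doc, err := ParseSPDX(strings.NewReader(SampleSPDX))
	if err == nil {
		err = BuildSampleDist(dir)
	}
	if err != nil {
		panic(err)
	}
	findings, err := VerifyFileChecksums(doc, dir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-18s %s\n", f.FileName, f.Reason)
	}
}
```

Against a real `sbom.spdx.json` and the `--dist` directory it was generated from, an empty findings list means every recorded file is present and unchanged; `no-sha256` entries indicate the generator recorded only a weaker digest for that file and deserve a second look.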