Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/interlynk-io/sbomgr
SBOM Grep - search through SBOMs
https://github.com/interlynk-io/sbomgr
cyclonedx devsecops devsecops-pipeline go golang gomodule sbom-tool spdx supplychain
Last synced: 3 months ago
JSON representation
SBOM Grep - search through SBOMs
- Host: GitHub
- URL: https://github.com/interlynk-io/sbomgr
- Owner: interlynk-io
- License: apache-2.0
- Created: 2023-02-25T02:43:13.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-04-26T17:22:14.000Z (7 months ago)
- Last Synced: 2024-04-27T02:46:05.206Z (7 months ago)
- Topics: cyclonedx, devsecops, devsecops-pipeline, go, golang, gomodule, sbom-tool, spdx, supplychain
- Language: Go
- Homepage:
- Size: 273 KB
- Stars: 16
- Watchers: 3
- Forks: 1
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-sbom - Interlynk SBOM Grep
README
# `sbomgr`: SBOM Grep :mag: - Search through SBOMs
[](https://pkg.go.dev/github.com/interlynk-io/sbomgr)
[](https://goreportcard.com/report/github.com/interlynk-io/sbomgr)
[](https://securityscorecards.dev/viewer/?uri=github.com/interlynk-io/sbomgr)
`sbomgr` is a grep like command line utility to help search the SBOM repository based on criteria like the name, checksum, CPE, and PURL.
```sh
go install github.com/interlynk-io/sbomgr@latest
```
other installations [options](#installation)
# SBOM Card
[](https://app.interlynk.io/customer/products?id=e8e2ba0c-3d04-4a2e-9b37-dca774bd08bd&signed_url_params=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqSmtaakkyTkRRMUxXSTBaR0V0TkdJME9TMWhPVFpqTFRBd09UZGtZMlptTWpabU9TST0iLCJleHAiOm51bGwsInB1ciI6InNoYXJlX2x5bmsvc2hhcmVfbHluayJ9fQ==--6d74d14e40d6676522b1c529d44e4a320f05bcf3d42121e61e1275a1297a3453)
# Basic usage
Search for packages with exact name matching "abbrev".
```sh
sbomgr packages -N 'abbrev'
```
Search for packages with regexp name matching "log4"
```sh
sbomgr packages -EN 'log4'
```
Search for packages in air gapped environment for name matching "log4"
```sh
export INTERLYNK_DISABLE_VERSION_CHECK=true sbomgr packages -EN 'log4'
```
# Features
- SBOM format agnostic and currently supports searching through SPDX and CycloneDX.
- Blazing Fast :rocket:
- Output search results as [jsonl](https://jsonlines.org/).
- Supports RE2 [regular expressions](https://github.com/google/re2/wiki/Syntax)
# Use cases
`sbomgr` can answer some of the most common SBOM use cases by searching an SBOM file or SBOM repository.
#### How many SBOM and packages exist in the repository?
```sh
➜ sbomgr packages -c ~/data/sbom-repo/docker-images
sbom_files_matched: 86
packages_matched: 33556
```
#### Are there packages with `zlib` in the name?
```sh
➜ sbomgr packages -cEN 'zlib' ~/data/sbom-repo/docker-images
sbom_files_matched: 71
packages_matched: 145
```
#### Are there packages with a given checksum?
```sh
➜ sbomgr packages -c -H '5c260231de4f62ee26888776190b4c3fda6cbe14' ~/data/sbom-repo/docker-images
sbom_files_matched: 2
packages_matched: 2
```
#### Create a json report of packages with .zip files
```sh
➜ sbomgr packages -jrE -N '\.zip$' ~/data/ | jq .
{
"path": "/home/riteshno/data/spdx-trivy-circleci_clojure-sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76.json",
"format": "json",
"spec": "spdx",
"product_name": "circleci/clojure@sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76",
"packages": [
{
"name": "org.clojure:data.zip",
"version": "0.1.3",
"purl": "pkg:maven/org.clojure/[email protected]"
}
],
"matched": true
}
```
#### Create a json report of all licenses included in an sbom
```sh
➜ sbomgr packages -jl ~/data/some-sboms/julia.spdx | jq .
{
"path": "/home/riteshno/data/some-sboms/julia.spdx",
"format": "tag-value",
"spec": "spdx",
"product_name": "julia-spdx",
"packages": [
{
"name": "Julia",
"version": "1.8.0-DEV",
"license": [
{
"name": "MIT License",
"short": "MIT"
}
]
},
```
#### During CI check if a malicious package is present??
```sh
➜ sbomgr packages -qN 'abbrev' ~/tmp/app.spdx.json
➜ echo $?
0
➜ sbomgr packages -qN 'abbrev-random' ~/tmp/app.spdx.json
➜ echo $?
1
```
#### extract data using user-defined output
```sh
sbomgr packages -O 'toolv,tooln,pkgn,pkgv' ~/tmp/app.spdx.json
2.0.88 Microsoft.SBOMTool Coordinated Packages 229170
2.0.88 Microsoft.SBOMTool chalk 2.4.2
2.0.88 Microsoft.SBOMTool async-settle 1.0.0
```
#### Using containerized sbomgr
```sh
$docker run [volume-maps] ghcr.io/interlynk-io/sbomgr [command] [options]
```
Example
```sh
$docker run -v ~/interlynk/sbomlc/:/app/sbomlc ghcr.io/interlynk-io/sbomgr packages -c /app/sbomlc
```
```
Unable to find image 'ghcr.io/interlynk-io/sbomgr:latest' locally
latest: Pulling from interlynk-io/sbomgr
479c7812d0ff: Already exists
5b3064dc8fe2: Already exists
Digest: sha256:d359b7e6e2b870542500dc00967ca2c5a4e78c8f1658b5c6dbdc8330effe38f8
Status: Downloaded newer image for ghcr.io/interlynk-io/sbomgr:latest
A new version of sbomgr is available v0.0.6.
Matching file count: 3153
Matching package count: 716953
```
# Search flags
## Packages
This section explains the flags relevant to the packages search feature.
The packages search takes only a single argument, either a file or a directory. There are man flags which can be specified to control its behaviour.
#### *Match Criteria*
---
- `-N` or `--name` used for package/component name search.
- `-C` or `--cpe` used for package/component cpe search.
- `-P` or `--purl` used for pacakge/component purl search.
- `-H` or `--checksum` used for package/component checksum value search.
all of these match criteria are exclusive to each other.
#### *Patter Matching*
---------
- `-E` or `--extended-regexp` flag can be used to indicate if the match criteria is a regular expression. Syntax supported is https://github.com/google/re2/wiki/Syntax.
#### *Matching Control*
-----
- `-i` or `--ignore-case` case insensitive matching.
#### *Output Control*
----
- `-l` or `--license` this includes the license of the package/component in the output.
- `-q` or `--quiet` this suppresses all output of the tool, the return value of the tool is 0 indicating success, if it finds the search criteria.
- `--no-filename` removes the filename from the output.
- `-j` or `--jsonl` outputs the search results in [jsonl](https://jsonlines.org/).
- `-p` or `--print-errors` includes errors encoundered during searching. Default is to ignore them.
- `-O` or `--output-format` user-defined output format. Options are listed below
- `filen` - filepath
- `tooln` - tool with which sbom was generated, only prints the first one
- `toolv` - tool version
- `docn` - sbom document name
- `docv` - sbom document version
- `cpe` - package cpe, only prints the first one, indicates how many cpe's exists.
- `purl` - package purl
- `pkgn` - package name
- `pkgv` - package version
- `pkgl` - package licenses
- `specn` - spec of the sbom document, spdx or cdx.
- `chkn` - checksum name
- `chkv` - checksum value
#### *Stats Control*
----
- `-c` or `--count` suppresses the normal output and print matching counts of sbom filenames and packages.
#### *Directory Control*
----
- `-r` or `--recurse` when set, recursively scans all sub directories.
#### *Spec Control*
----
- `--spdx` searches only files which are SPDX.
- `--cdx` searches only files which are CycloneDX.
# Future work
- Search using files.
- Search using tool metadata.
- Search using CVE-ID.
- Search only direct dependencies.
- Search until a specified depth.
- Provide a list of malicious packages
# SBOM Samples
- A sample set of SBOM is present in the [samples](https://github.com/interlynk-io/sbomgr/tree/main/samples) directory above.
- [SBOM Benchmark](https://www.sbombenchmark.dev) is a repository of SBOM and quality score for most popular containers and repositories
- [SBOM Explorer](https://github.com/interlynk-io/sbomex) is a command line utility to search and pull SBOMs
# Installation
## Using Prebuilt binaries
```console
https://github.com/interlynk-io/sbomgr/releases
```
## Using Homebrew
```console
brew tap interlynk-io/interlynk
brew install sbomgr
```
## Using Go install
```console
go install github.com/interlynk-io/sbomgr@latest
```
## Using repo
This approach involves cloning the repo and building it.
1. Clone the repo `git clone [email protected]:interlynk-io/sbomgr.git`
2. `cd` into `sbomgr` folder
3. make build
4. To test if the build was successful run the following command `./build/sbomgr version`
# Contributions
We look forward to your contributions, below are a few guidelines on how to submit them
- Fork the repo
- Create your feature/bug branch (`git checkout -b feature/new-feature`)
- Commit your changes (`git commit -am "awesome new feature"`)
- Push your changes (`git push origin feature/new-feature`)
- Create a new pull-request
# Other SBOM Open Source tools
- [SBOM Assembler](https://github.com/interlynk-io/sbomasm) - A tool to compose a single SBOM by combining other (part) SBOMs
- [SBOM Quality Score](https://github.com/interlynk-io/sbomqs) - A tool for evaluating the quality and completeness of SBOMs
- [SBOM Search Tool](https://github.com/interlynk-io/sbomagr) - A tool to grep style semantic search in SBOMs
- [SBOM Explorer](https://github.com/interlynk-io/sbomex) - A tool for discovering and downloading SBOM from a public repository
# Contact
We appreciate all feedback. The best ways to get in touch with us:
- :phone: [Live Chat](https://www.interlynk.io/#hs-chat-open)
- 📫 [Email Us](mailto:[email protected])
- 🐛 [Report a bug or enhancement](https://github.com/interlynk-io/sbomex/issues)
- :x: [Follow us on X](https://twitter.com/InterlynkIo)
# Stargazers
If you like this project, please support us by starring it.
[](https://starchart.cc/interlynk-io/sbomgr)