https://github.com/jd-opensource/sbom-tool
SBOM-TOOL is a command-line tool that generates a software bill of materials (SBOM) for software projects from several dimensions of information: the source code repository, code fingerprints, the build environment, artifact information and content, and build dependencies.
- Host: GitHub
- URL: https://github.com/jd-opensource/sbom-tool
- Owner: jd-opensource
- License: mulanpsl-2.0
- Created: 2024-03-04T03:22:56.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2024-05-27T21:26:41.000Z (almost 2 years ago)
- Last Synced: 2025-04-13T18:11:44.874Z (about 1 year ago)
- Language: Go
- Homepage:
- Size: 21.2 MB
- Stars: 10
- Watchers: 2
- Forks: 3
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# SBOM-TOOL
English | [简体中文](./README_zh.md)
SBOM-TOOL is a command-line tool that generates a software bill of materials (SBOM) for software projects from several dimensions of information: the source code repository, code fingerprints, the build environment, artifact information and content, and build dependencies.
## Feature
### Information collection
- Collect source code project information, including repository address, version information, etc.
- Collect and generate code fingerprints
- Collect the build environment information the project depends on
- Collect the dependency components of the project build
- Collect the final artifact package information
- Collect artifact content information, including file name, file type, checksum, etc.
### SBOM document
- Assemble SBOM documents
- Standard format conversion: supports the domestic (Chinese) XSPDX specification, SPDX and other specifications, in JSON, TagValue and other formats
- Canonical format validation: supports the domestic (Chinese) XSPDX specification, SPDX and other specifications, in JSON, TagValue and other formats
## Code fingerprint generation ability
| Language | Supported |
|---------------|---------------------|
| `C/C++` | yes |
| `Java` | yes |
| `C#` | yes |
| `Dart` | yes |
| `Golang` | yes |
| `Javascript` | yes |
| `Objective-C` | yes |
| `Php` | yes |
| `Python` | yes |
| `Ruby` | yes |
| `Rust` | yes |
| `Swift` | yes |
| `Lua` | yes |
## Dependency package scanning capability
Parsing of configuration files and binary packages for the following programming languages is supported today; more languages will be added step by step. Files marked `[graph]` are the ones the dependency graph is built from, and the command in parentheses shows how to produce that file.
| Package Type | Package Manager | Parsing file | Support dependency graph |
|-------------|-----------------|--------------|--------------------------|
| `maven` | [Maven](https://maven.apache.org) | `pom.xml`<br>`*.jar`<br>`*.war`<br>`[graph]maven-dependency-tree.txt` (`mvn dependency:tree -DoutputFile=maven-dependency-tree.txt`) | yes |
| `maven` | [Gradle](https://gradle.org) | `*.gradle`<br>`.gradle.lockfile`<br>`[graph]gradle-dependency-tree.txt` (`gradlew gradle-baseline-java:dependencies > gradle-dependency-tree.txt`) | yes |
| `conan` | [Conan](https://conan.io) | `conanfile.txt`<br>`conan.lock`<br>`[graph]conan-graph-info.json` (`conan graph info -f json > conan-graph-info.json`) | yes |
| `npm` | [NPM](https://www.npmjs.com) | `package.json`<br>`package-lock.json` | no |
| `npm` | [Yarn](https://yarnpkg.com) | `[graph]yarn.lock` | yes |
| `npm` | [PNPM](https://pnpm.io/) | `[graph]pnpm.lock` | yes |
| `golang` | [Go Module](https://go.dev/ref/mod) | `go.mod`<br>Go binary file<br>`[graph]go-mod-graph.txt` (`go mod graph > go-mod-graph.txt`) | yes |
| `golang` | [Glide](https://github.com/Masterminds/glide) | `glide.yml`<br>`glide.yaml` | no |
| `golang` | [GoDep](https://github.com/tools/godep) | `Godeps.json` | no |
| `golang` | [Dep](https://github.com/golang/dep) | `Gopkg.toml` | no |
| `golang` | [GVT](https://github.com/FiloSottile/gvt) | `*/vendor/manifest` | no |
| `pypi` | [PIP](https://pip.pypa.io) | `Pipfile.lock`<br>`*dist-info/METADATA`<br>`PKG-INFO`<br>`*requirements*.txt`<br>`setup.py`<br>`[graph]pipenv-graph.txt` (`pipenv graph > pipenv-graph.txt`) | yes |
| `pypi` | [Poetry](https://python-poetry.org) | `[graph]poetry.lock` | yes |
| `conda` | [Conda](https://conda.io) | `environment.yml`<br>`environment.yaml`<br>`package-list.txt` | no |
| `composer` | [Composer](https://getcomposer.org) | `composer.json`<br>`composer.lock` | no |
| `cargo` | [Cargo](https://doc.rust-lang.org/cargo) | `Cargo.toml`<br>`[graph]Cargo.lock`<br>Rust binary file | yes |
| `carthage` | [Carthage](https://github.com/Carthage/Carthage) | `Cartfile`<br>`Cartfile.resolved` | no |
| `swift` | [SwiftPM](https://www.swift.org/package-manager) | `Package.swift` | no |
| `cocoapods` | [Cocoapods](https://cocoapods.org) | `Podfile.lock`<br>`Podfile`<br>`*.podspec` | no |
| `gem` | [Gem](https://rubygems.org) | `[graph]Gemfile.lock`<br>`Gemfile`<br>`*.gemspec` | yes |
| `nuget` | [NuGet](https://www.nuget.org) | `[graph]*.deps.json`<br>`*.csproj`<br>`*.vbproj`<br>`*.fsproj`<br>`*.vcproj`<br>`*.nuget.dgspec.json`<br>`*.nuspec`<br>`packages.json`<br>`packages.lock.json` | yes |
| `pub` | [Pub](https://pub.dev) | `[graph]pub-deps.json` (`dart pub deps --json > pub-deps.json`)<br>`pubspec.lock`<br>`pubspec.yaml` | yes |
| `rpm` | [RPM](https://rpm-packaging-guide.github.io) | `*.spec` | no |
| `deb` | [DEB](https://deb.debian.org/debian) | `*.deb`<br>`*.control` | no |
| `lua` | [LuaRocks](https://luarocks.org) | `*.rockspec` | no |
| `bower` | [Bower](https://bower.io) | `*.spec` | no |
## Architecture

## Installation
1. Build from source (`go 1.18` or above is required)
```shell
git clone git@gitee.com:JD-opensource/sbom-tool.git
cd sbom-tool
make
```
The build produces binaries for the following system architectures by default:
- Linux x86_64: `sbom-tool-linux-amd64`
- Linux arm64: `sbom-tool-linux-arm64`
- Windows x86_64: `sbom-tool-windows-amd64.exe`
- Windows arm64: `sbom-tool-windows-arm64.exe`
- macOS amd64: `sbom-tool-darwin-amd64`
- macOS arm64: `sbom-tool-darwin-arm64`
2. Or install via `go install`:
```shell
go install gitee.com/JD-opensource/sbom-tool/cmd/sbom-tool@latest
```
3. Or download a release binary: [SBOM-TOOL Releases](https://gitee.com/JD-opensource/sbom-tool/releases)
## Subcommands
| Subcommand | Function |
|---------------|--------------------|
| `help` | Help about any command |
| `artifact` | Collect artifact information |
| `assembly` | Assemble an SBOM document from document segments |
| `completion` | Generate the autocompletion script for the specified shell |
| `convert` | Convert SBOM document format |
| `env` | Collect build environment info |
| `fingerprint` | Generate code fingerprint |
| `generate` | Generate SBOM document |
| `package` | Collect package dependencies |
| `source` | Collect source code information |
| `validate` | Validate SBOM document format |
| `info` | Get tool introduction information |
| `modify` | Modify SBOM document properties |
## Parameter description
| Parameter | Short form | Description | Usage example |
|-----------|------------|-------------|---------------|
| `--log-level` | | log level (`debug`, `info`, `warn`, `error`) | `--log-level info` |
| `--log-path` | | log output path (default `$home/sbom-tool/sbom-tool.log`) | `--log-path /tmp/sbom.log` |
| `--quiet` | `-q` | no console output | `--quiet`, `-q` |
| `--ignore-dirs` | | directories to ignore, comma-separated (all dot directories are always skipped), e.g. `node_modules,logs` | `--ignore-dirs log,logs` |
| `--language` | `-l` | programming language (currently supported: `java`, `cpp`) (default `*`) | `--language java`, `-l cpp` |
| `--parallelism` | `-m` | degree of parallelism (default `8`) | `--parallelism 4`, `-m 9` |
| `--output` | `-o` | output file; by default the result file is written to the current directory | `--output /tmp/sbom.json` |
| `--src` | `-s` | project source directory (the project root is used if empty) (default `.`) | `--src /tmp/sbomtool/src/` |
| `--path` | `-p` | project home directory; for the `assembly` subcommand, the temporary document path for each phase | `--path /tmp/sbomtool/` |
| `--dist` | `-d` | distribution directory (default `.`) | `--dist /tmp/sbomtool/bin/` |
| `--format` | `-f` | SBOM document format (currently supported: `xspdx-json`, `spdx-json`, `spdx-tagvalue`) (default `spdx-json`) | `--format xspdx-json`, `-f spdx-json` |
| `--input` | `-i` | SBOM document to use as input | `--input /tmp/sbom.json` |
## SBOM Document specification and format
| specification | format | SBOM document format | status |
|:--------------|:-----------|:-----------------|:----|
| `XSPDX` | `JSON` | `xspdx-json` | Supported |
| `SPDX` | `JSON` | `spdx-json` | Supported |
| `SPDX` | `TagValue` | `spdx-tagvalue` | Supported |
## User guide
Generate code fingerprints only, from a source code path:
```shell
sbom-tool fingerprint -m 4 -s ${src_path} -o fingerprint.json --ignore-dirs .git
```
Generate an SBOM document in a specified format:
```shell
sbom-tool generate -m 4 -p ${project_path} -s ${src_path} -d ${dist_path} -o sbom.spdx.json -f spdx-json --ignore-dirs .git -n ${name} -v ${version} -u ${supplier} -b ${namespace}
```
Get tool introduction information
```shell
sbom-tool info
```
See [document](docs/en-US/user-guide.md) for details.
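As an added worked example (not code from sbom-tool itself), the following Go program walks through what the `generate` command chains together for the `golang`/Go Module row of the dependency table above: it parses `go.mod` require directives into components, then assembles them into an `spdx-json` style document with purl external references. It uses only the standard library; `SampleGoMod` and its module list are constructed for the example, and the SPDX structs cover only a subset of the SPDX 2.3 JSON schema. It also shows why the README lists `go-mod-graph.txt` as the `[graph]` input for Go: `go.mod` alone gives no parent edge for an `// indirect` module, and the `UnconnectedPackages` check reports exactly those packages.

```go
// Added example (not sbom-tool's own code): parse go.mod require directives into an
// spdx-json subset and flag packages that no relationship connects. Stdlib only.
package main

import (
	"regexp"
	"strings"
)

// SampleGoMod is constructed: a single-line require, a require block, an indirect module and a replace.
const SampleGoMod = `module example.com/demo
require github.com/spf13/cobra v1.8.0
require (
	github.com/stretchr/testify v1.9.0
	golang.org/x/text v0.14.0 // indirect
)
replace golang.org/x/text => ../local-text
`

// Module is one require entry; Indirect means go.mod alone does not say which module pulls it in.
type Module struct {
	Path, Version string
	Indirect      bool
}

// ParseGoModRequires handles both "require path version" lines and "require ( ... )" blocks.
func ParseGoModRequires(src string) []Module {
	var mods []Module
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0 || strings.HasPrefix(line, "//"):
			continue
		case strings.HasPrefix(line, "require ("), inBlock && line == ")":
			inBlock = !inBlock // enter or leave a require block
			continue
		case !inBlock && (len(fields) < 3 || fields[0] != "require"):
			continue // module, go, replace, exclude: none of these adds a component
		case !inBlock:
			fields = fields[1:] // drop the "require" keyword of the single-line form
		}
		if len(fields) >= 2 {
			mods = append(mods, Module{Path: fields[0], Version: fields[1], Indirect: strings.Contains(line, "// indirect")})
		}
	}
	return mods
}

// Subset of the SPDX 2.3 JSON schema; struct tags and map keys are the schema's field names,
// so encoding/json on an SPDXDocument yields the spdx-json form.
type SPDXPackage struct {
	SPDXID       string              `json:"SPDXID"`
	Name         string              `json:"name"`
	VersionInfo  string              `json:"versionInfo,omitempty"`
	ExternalRefs []map[string]string `json:"externalRefs,omitempty"`
}
type SPDXRelationship struct {
	SPDXElementID      string `json:"spdxElementId"`
	RelatedSPDXElement string `json:"relatedSpdxElement"`
	RelationshipType   string `json:"relationshipType"`
}
type SPDXDocument struct {
	SPDXVersion   string             `json:"spdxVersion"`
	SPDXID        string             `json:"SPDXID"`
	Packages      []SPDXPackage      `json:"packages"`
	Relationships []SPDXRelationship `json:"relationships"`
}

// SPDX identifiers allow only [A-Za-z0-9.-], so slashes and other characters in module paths are replaced.
var badIDChars = regexp.MustCompile(`[^A-Za-z0-9.-]`)

// BuildSPDX emits a root package, one package per module (with its purl) and a DEPENDS_ON edge
// from the root for direct requires only: an indirect module's parent is unknown without
// `go mod graph`, so no edge is invented for it.
func BuildSPDX(root string, mods []Module) SPDXDocument {
	rootID := "SPDXRef-Package-root"
	doc := SPDXDocument{SPDXVersion: "SPDX-2.3", SPDXID: "SPDXRef-DOCUMENT",
		Packages:      []SPDXPackage{{SPDXID: rootID, Name: root}},
		Relationships: []SPDXRelationship{{"SPDXRef-DOCUMENT", rootID, "DESCRIBES"}}}
	for _, m := range mods {
		id := "SPDXRef-" + badIDChars.ReplaceAllString(m.Path+"-"+m.Version, "-")
		purl := map[string]string{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
			"referenceLocator": "pkg:golang/" + m.Path + "@" + m.Version}
		doc.Packages = append(doc.Packages, SPDXPackage{SPDXID: id, Name: m.Path, VersionInfo: m.Version,
			ExternalRefs: []map[string]string{purl}})
		if !m.Indirect {
			doc.Relationships = append(doc.Relationships, SPDXRelationship{rootID, id, "DEPENDS_ON"})
		}
	}
	return doc
}

// UnconnectedPackages lists packages no relationship points at: the gap go-mod-graph.txt closes.
func UnconnectedPackages(doc SPDXDocument) []string {
	targeted := map[string]bool{}
	for _, r := range doc.Relationships {
		targeted[r.RelatedSPDXElement] = true
	}
	var names []string
	for _, p := range doc.Packages {
		if !targeted[p.SPDXID] {
			names = append(names, p.Name)
		}
	}
	return names
}
```

Calling `BuildSPDX("example.com/demo", ParseGoModRequires(SampleGoMod))` yields four packages and three relationships (the document `DESCRIBES` the root, which `DEPENDS_ON` cobra and testify); `UnconnectedPackages` returns `golang.org/x/text`, the one module whose parent the package collector can only learn from `go mod graph` output. Serialising the returned document with `encoding/json` gives the spdx-json subset; a real collector would also fill in fields such as `downloadLocation` and checksums.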
## Development guide
See the [Development guide](docs/en-US/development-guide.md) for details.
## Problem feedback & contact us
If you run into problems while using the tool, please open an issue.
## How to Contribute
SBOM-TOOL is an open source software composition analysis tool, and we look forward to your contributions.
## License
This project is licensed under **MulanPSL2** - see the [LICENSE](LICENSE) file for details.