Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kubernetes-sigs/bom
A utility to generate SPDX-compliant Bill of Materials manifests
https://github.com/kubernetes-sigs/bom
bom go golang kubernetes sbom spdx
Last synced: about 1 month ago
JSON representation
A utility to generate SPDX-compliant Bill of Materials manifests
- Host: GitHub
- URL: https://github.com/kubernetes-sigs/bom
- Owner: kubernetes-sigs
- License: apache-2.0
- Created: 2021-11-19T13:06:36.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2024-05-27T07:06:40.000Z (7 months ago)
- Last Synced: 2024-05-28T22:58:37.161Z (7 months ago)
- Topics: bom, go, golang, kubernetes, sbom, spdx
- Language: Go
- Homepage: https://kubernetes-sigs.github.io/bom/
- Size: 16.2 MB
- Stars: 305
- Watchers: 11
- Forks: 43
- Open Issues: 6
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: code-of-conduct.md
- Security: .github/SECURITY.md
Awesome Lists containing this project
- awesome-software-supply-chain-security - bom - ![GitHub stars](https://img.shields.io/github/stars/kubernetes-sigs/bom?style=flat-square) - A utility to generate SPDX-compliant Bill of Materials manifests (Software Bill of Materials)
- awesome-starred - kubernetes-sigs/bom - A utility to generate SPDX-compliant Bill of Materials manifests (kubernetes)
README
# `bom`: The SBOM Multitool
[![PkgGoDev](https://pkg.go.dev/badge/sigs.k8s.io/bom)](https://pkg.go.dev/sigs.k8s.io/bom)
[![Go Report Card](https://goreportcard.com/badge/sigs.k8s.io/bom)](https://goreportcard.com/report/sigs.k8s.io/bom)
[![Slack](https://img.shields.io/badge/Slack-%23release--management-blueviolet)](https://kubernetes.slack.com/archives/C2C40FMNF)

![bom The SBOM Multitool](logo/logo.png)
## What is `bom`?
`bom` is a utility that lets you create, view and transform Software Bills of
Materials (SBOMs). `bom` was created as part of the effort to produce an SBOM
for the Kubernetes project. It enables software authors to generate an
SBOM for their projects in a simple, yet powerful way.

bom is a project incubating in the Linux Foundation's
[Automating Compliance Tooling TAC](https://github.com/act-project/TAC)

`bom` is a general-purpose tool that can generate SPDX packages from
directories, container images, single files, and other sources. The utility
has a built-in license classifier that recognizes the 400+ licenses in
the SPDX catalog.

Other features include Golang dependency analysis and full `.gitignore`
support when scanning git repositories.

For more in-depth instructions on how to create an SBOM for your project, see
["Generating a Bill of Materials for Your Project"](https://kubernetes-sigs.github.io/bom/tutorials/creating_bill_of_materials/).

The guide includes information about what a Software Bill of Materials is,
the SPDX standard, and instructions to add files, images, directories, and
other sources to your SBOM.

- [Installation](#installation)
- [Usage](#usage)
  - [`bom generate`](#bom-generate)
  - [`bom document`](#bom-document)
- [Examples](#examples)
  - [Generate a SBOM from the Current Directory](#generate-a-sbom-from-the-current-directory)
  - [Process a Container Image](#process-a-container-image)
  - [Generate a SBOM to describe files](#generate-a-sbom-to-describe-files)
- [Code of conduct](#code-of-conduct)

## Installation
To install `bom`:
```console
go install sigs.k8s.io/bom/cmd/bom@latest
```

## Usage

- completion: generate the autocompletion script for the specified shell
- [document](#bom-document): Work with SPDX documents
- [generate](#bom-generate): Create SPDX manifests
- help: Help about any command

### `bom generate`
`bom generate` is the `bom` subcommand to generate SPDX manifests.
Currently supports creating SBOM from files, images, and docker
archives (images in tarballs). It supports pulling images from
remote registries for analysis.

bom can take a deeper look into images using a growing number
of analyzers designed to make more sense of common base images.

The SBOM data can also be exported to an in-toto provenance
attestation. The output will produce a provenance statement listing all
the SPDX data as in-toto subjects, but otherwise ready to be
completed by a later stage in your CI/CD pipeline. See the
`--provenance` flag for more details.

```console
Usage:
  bom generate [flags]

Flags:
-a, --analyze-images go deeper into images using the available analyzers
--archive strings list of archives to add as packages (supports tar, tar.gz)
-c, --config string path to yaml SBOM configuration file
-d, --dirs strings list of directories to include in the manifest as packages
-f, --file strings list of files to include
--format string format of the document (supports tag-value, json) (default "tag-value")
-h, --help help for generate
--ignore strings list of regexp patterns to ignore when scanning directories
-i, --image strings list of images
--image-archive strings list of docker archive tarballs to include in the manifest
-l, --license string SPDX license identifier to declare in the SBOM
--name string name for the document, in contrast to URLs, intended for humans
-n, --namespace string an URI that serves as namespace for the SPDX doc
--no-gitignore don't use exclusions from .gitignore files
--no-gomod don't perform go.mod analysis, sbom will not include data about go packages
--no-transient don't include transient go dependencies, only direct deps from go.mod
-o, --output string path to the file where the document will be written (defaults to STDOUT)
--provenance string path to export the SBOM as an in-toto provenance statement
--scan-images scan container images to look for OS information (currently debian only) (default true)

Global Flags:
--log-level string the logging verbosity, either 'panic', 'fatal', 'error', 'warning', 'info', 'debug', 'trace' (default "info")
```
### `bom document`
The `bom document` subcommand can visualize SBOMs as well as query them for
information.

```console
bom document → Work with SPDX documents

Usage:
  bom document [command]

Available Commands:
  outline     bom document outline → Draw structure of a SPDX document
  query       bom document query → Search for information in an SBOM
```

### `bom document outline`
Using `bom document outline`, SBOM contents can be rendered to see how the
information they contain is structured. Here is an example rendering the
`debian:bookworm-slim` image for amd64:

```console
bom generate --output=debian.spdx --image \
  debian@sha256:0aac521df91463e54189d82fe820b6d36b4a0992751c8339fbdd42e2bc1aa491 | bom document outline -
bom document outline debian.spdx
_
___ _ __ __| |_ __
/ __| '_ \ / _` \ \/ /
\__ \ |_) | (_| |> <
|___/ .__/ \__,_/_/\_\
     |_|

📂 SPDX Document SBOM-SPDX-71f1009c-dc17-4f4d-b4ec-72210c1a8d7f
│
│ 📦 DESCRIBES 1 Packages
│
├ sha256:0aac521df91463e54189d82fe820b6d36b4a0992751c8339fbdd42e2bc1aa491
│ │ 🔗 1 Relationships
│ └ CONTAINS PACKAGE sha256:b37cbf60a964400132f658413bf66b67e5e67da35b9c080be137ff3c37cc7f65
│ │ │ 🔗 86 Relationships
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE bsdutils@1:2.38.1-4
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]+git20210903+057cd650a4ed-9
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE diffutils@1:3.8-3
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]~rc1-1+b1
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]
│ │ ├ CONTAINS PACKAGE [email protected]+nmu1
│ │ ├ CONTAINS PACKAGE [email protected]
[trimmed]
```
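The tree above is built from the `Relationship:` lines of the generated SPDX document. As an added example (not code from the bom project or this README), the following Python parses a small constructed SPDX tag-value document shaped like a bom image scan and walks its DESCRIBES/CONTAINS relationships the way the outline does, also flagging a relationship that points at an SPDXID the document never defines; all package names, digests and SPDXIDs in the sample are constructed.

```python
# Added example, not bom's code: parse SPDX tag-value (bom's default output) and walk it.
import re
# Constructed sample shaped like a bom image scan, plus one CONTAINS to an undefined SPDXID.
SAMPLE_SPDX = """\
SPDXID: SPDXRef-DOCUMENT
PackageName: sha256:0000aaaa
SPDXID: SPDXRef-Package-image
PackageName: sha256:1111bbbb
SPDXID: SPDXRef-Package-layer
PackageName: adduser
SPDXID: SPDXRef-Package-adduser
PackageVersion: 3.134
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-image
Relationship: SPDXRef-Package-image CONTAINS SPDXRef-Package-layer
Relationship: SPDXRef-Package-layer CONTAINS SPDXRef-Package-adduser
Relationship: SPDXRef-Package-layer CONTAINS SPDXRef-Package-missing
"""
def parse_tag_value(text):
    """Return ({spdxid: {tag: value}}, [(src, type, dst)]); '#' comments never match."""
    elements, rels, cur = {}, [], {}
    for m in re.finditer(r"^([A-Za-z]+):[ \t]*(.*)$", text, re.M):
        tag, value = m.groups()
        if tag == "Relationship":
            rels.append(tuple(value.split()))
        elif tag in ("PackageName", "FileName"):  # each opens a new element
            cur = {tag: value}
        else:  # multi-line <text> values are not handled in this example
            cur[tag] = value
            if tag == "SPDXID":
                elements[value] = cur
    return elements, rels
def outline(elements, rels, root="SPDXRef-DOCUMENT"):
    """Depth-first (depth, relationship, label) rows; undefined SPDXIDs are flagged."""
    children = {}
    for src, rel, dst in rels:
        if rel in ("DESCRIBES", "CONTAINS"):
            children.setdefault(src, []).append((rel, dst))
    rows, seen = [], {root}
    def walk(node, depth):
        for rel, dst in children.get(node, []):
            e = elements.get(dst, {})
            label = e.get("PackageName") or e.get("FileName") or dst + " (MISSING)"
            if "PackageVersion" in e:
                label += "@" + e["PackageVersion"]
            rows.append((depth, rel, label))
            if dst not in seen:  # cycle guard for malformed documents
                seen.add(dst)
                walk(dst, depth + 1)
    walk(root, 0)
    return rows
```

A dangling reference like the `(MISSING)` row means a consumer cannot resolve that part of the dependency tree, so it is worth rejecting such documents before relying on them for vulnerability matching.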
## Examples
The following examples show how bom can process different sources to generate
an SPDX Bill of Materials. Multiple sources can be combined to get a document
describing different packages.

### Generate a SBOM from the Current Directory
To process a directory as a source for your SBOM, use the `-d` flag or simply pass
the path (or current dir) as the first argument to `bom generate`:

```bash
bom generate .
```

### Process a Container Image
This example pulls the `kube-apiserver` image, analyzes it, and describes it in the
SBOM. Each of its layers is then expressed as a subpackage in the resulting
document:

```console
bom generate -n http://example.com/ --image registry.k8s.io/kube-apiserver:v1.21.0
```

### Generate a SBOM to describe files
You can create an SBOM with just files in the manifest. For that, use `-f`:
```console
bom generate -n http://example.com/ \
-f Makefile \
-f file1.exe \
-f document.md \
-f other/file.txt
```

## Code of conduct
Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).
| | | |
| --- | --- | -- |
| ![ACT TAC](logo/act-tac.png) | ![SPDX](logo/spdx.png) | ![Kubernetes](logo/kubernetes.png) |