SBOM-TOOL is a CLI tool that generates a software bill of materials (SBOM) for a software project from several dimensions of information: the source code repository, code fingerprints, the build environment, artifact information, artifact content, and the dependency build.
- Collect source code project information, including repository address, version information, etc.
- Collect and generate code fingerprints
- Collect information about the environment the project is built in
- Collect the dependent components the project is built from
- Collect the final artifact package information
- Collect artifact content information, including file name, type, checksum, etc.
- Assemble SBOM documents
- Standard format conversion: supports the domestic XSPDX specification, SPDX and other specifications, and JSON, TagValue and other formats
- Canonical format check: supports the domestic XSPDX specification, SPDX and other specifications, and JSON, TagValue and other formats
| Language | Supported |
|---|---|
| C/C++ | yes |
| Java | yes |
| C# | yes |
| Dart | yes |
| Golang | yes |
| Javascript | yes |
| Objective-C | yes |
| Php | yes |
| Python | yes |
| Ruby | yes |
| Rust | yes |
| Swift | yes |
| Lua | yes |
Parsing of the configuration files and binary packages of the following package managers is currently supported; more programming languages will be supported step by step.
| Package Type | Package Manager | Parsing file | Supports dependency graph |
|---|---|---|---|
| maven | Maven | | yes |
| maven | Gradle | | yes |
| conan | Conan | | yes |
| npm | NPM | | no |
| npm | Yarn | | yes |
| npm | PNPM | | yes |
| golang | Go Module | | yes |
| golang | Glide | | no |
| golang | GoDep | | no |
| golang | Dep | | no |
| golang | GVT | | no |
| pypi | PIP | | yes |
| pypi | Poetry | | yes |
| conda | Conda | | no |
| composer | Composer | | no |
| cargo | Cargo | | yes |
| carthage | Carthage | | no |
| swift | SwiftPM | | no |
| cocoapods | Cocoapods | | yes |
| gem | Gem | | yes |
| nuget | NuGet | | yes |
| pub | Pub | | yes |
| rpm | RPM | | no |
| deb | DEB | | no |
| lua | LuaRocks | | no |
| bower | Bower | | no |
- Build from source (go 1.18 or above is required). By default this generates program binaries for each supported system architecture:

```shell
git clone git@gitee.com:JD-opensource/sbom-tool.git
cd sbom-tool
make
```

- Linux X86_64: sbom-tool-linux-amd64
- Linux arm64: sbom-tool-linux-arm64
- Windows X86_64: sbom-tool-windows-amd64.exe
- Windows arm64: sbom-tool-windows-arm64.exe
- MacOS amd64: sbom-tool-darwin-amd64
- MacOS arm64: sbom-tool-darwin-arm64

Or install via go install:

```shell
go install gitee.com/JD-opensource/sbom-tool/cmd/sbom-tool@latest
```

Or install by downloading a prebuilt binary from the SBOM-TOOL Releases page.
| Subcommand | Function |
|---|---|
| help | Help about any command |
| artifact | collect artifact information |
| assembly | assemble an SBOM document from document segments |
| completion | Generate the autocompletion script for the specified shell |
| convert | convert SBOM document format |
| env | build environment info |
| fingerprint | generate code fingerprint |
| generate | generate SBOM document |
| package | collect package dependencies |
| source | collect source code information |
| validate | validate SBOM document format |
| info | get tool introduction information |
| modify | modify SBOM document properties |
| Parameter | Short parameter | Description | Example |
|---|---|---|---|
| --log-level | | log level (debug, info, warn, error) | --log-level info |
| --log-path | | log output path (default "$home/sbom-tool/sbom-tool.log") | --log-path /tmp/sbom.log |
| --quiet | -q | no console output | --quiet or -q |
| --ignore-dirs | | dirs to ignore; all dot dirs are skipped; split by comma (sample: node_modules,logs) | --ignore-dirs log,logs |
| --language | -l | programming language (currently supported: java, cpp) (default "*") | --language java or -l cpp |
| --parallelism | -m | degree of parallelism (default 8) | --parallelism 4 or -m 9 |
| --output | -o | output file; by default the result file is produced in the current directory | --output /tmp/sbom.json |
| --src | -s | project source directory (uses the project root if empty) (default ".") | --src /tmp/sbomtool/src/ |
| --path | -p | project home directory; for the assembly subcommand, the temporary document path for each phase | --path /tmp/sbomtool/ |
| --dist | -d | distribution directory (default ".") | --dist /tmp/sbomtool/bin/ |
| --format | -f | SBOM document format (currently supported: xspdx-json, spdx-json, spdx-tagvalue) (default spdx-json) | --format xspdx-json or -f spdx-json |
| --input | -i | SBOM document used as input | --input /tmp/sbom.json |
| Specification | Format | SBOM document format | Status |
|---|---|---|---|
| XSPDX | JSON | xspdx-json | Supported |
| SPDX | JSON | spdx-json | Supported |
| SPDX | TagValue | spdx-tagvalue | Supported |
Generate code fingerprints only, based on the source code path:

```shell
sbom-tool fingerprint -m 4 -s ${src_path} -o fingerprint.json --ignore-dirs .git
```

Generate an SBOM document and specify the format:

```shell
sbom-tool generate -m 4 -p ${project_path} -s ${src_path} -d ${dist_path} -o sbom.spdx.json -f spdx-json --ignore-dirs .git -n ${name} -v ${version} -u ${supplier} -b ${namespace}
```

Get tool introduction information:

```shell
sbom-tool info
```
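Once `sbom-tool generate -f spdx-json` has produced a document, a consumer typically wants to confirm it is internally consistent before trusting it (the `validate` subcommand covers the format; this is the kind of structural check a downstream pipeline would add on top). The script below is an added example, not part of sbom-tool and not its validator: it applies a hand-written subset of SPDX 2.x structural rules (required top-level fields, unique and well-formed SPDXIDs, checksum digest lengths, relationships that resolve to known elements, a DESCRIBES relationship from the document) to a constructed sample document, so it runs offline. The sample values, the `SPDXRef-*` names and the checksum length table are assumptions for illustration.

```python
"""Structural consistency checks for an SPDX 2.x JSON SBOM document.

Added example (not sbom-tool's own code): a small hand-written subset of
what a format validator checks, run against a constructed sample document.
"""
import copy
import json
import re

# Fields SPDX 2.x requires at the document level.
REQUIRED_TOP_LEVEL = ("spdxVersion", "dataLicense", "SPDXID", "name",
                      "documentNamespace", "creationInfo")

# Expected hex digest length per checksum algorithm (assumption: only the
# commonly seen algorithms are listed here).
CHECKSUM_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# SPDX element identifiers: "SPDXRef-" followed by letters, digits, '.' or '-'.
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.-]+$")

# Constructed sample in the shape a `generate -f spdx-json` run would write;
# all values are illustrative, not taken from a real project.
SAMPLE_GOOD = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "demo-app",
    "documentNamespace": "https://example.com/sbom/demo-app-1.0.0",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-demo-app", "name": "demo-app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-dep", "name": "left-pad", "versionInfo": "1.3.0"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-main", "fileName": "./main.go",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "a" * 40}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-demo-app"},
        {"spdxElementId": "SPDXRef-Package-demo-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-dep"},
    ],
}


def check_spdx_document(doc):
    """Return a list of human-readable findings; an empty list means the
    document passed every check implemented here."""
    findings = []

    for field in REQUIRED_TOP_LEVEL:
        if field not in doc:
            findings.append(f"missing required field: {field}")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        findings.append("document SPDXID must be SPDXRef-DOCUMENT")

    # Collect every element id so relationships can be resolved afterwards.
    ids = {"SPDXRef-DOCUMENT"}
    for kind in ("packages", "files"):
        for element in doc.get(kind, []):
            sid = element.get("SPDXID")
            if not sid or not SPDXID_RE.match(sid):
                findings.append(f"{kind}: malformed or missing SPDXID {sid!r}")
                continue
            if sid in ids:
                findings.append(f"{kind}: duplicate SPDXID {sid}")
            ids.add(sid)
            for cs in element.get("checksums", []):
                alg, value = cs.get("algorithm"), cs.get("checksumValue", "")
                expected = CHECKSUM_HEX_LEN.get(alg)
                if expected and not re.fullmatch(r"[0-9a-fA-F]{%d}" % expected, value):
                    findings.append(f"{sid}: {alg} checksum has wrong length/format")

    describes = False
    for rel in doc.get("relationships", []):
        for end in ("spdxElementId", "relatedSpdxElement"):
            ref = rel.get(end)
            if ref not in ids and ref not in ("NOASSERTION", "NONE"):
                findings.append(f"relationship references unknown element {ref!r}")
        if rel.get("spdxElementId") == "SPDXRef-DOCUMENT" and rel.get("relationshipType") == "DESCRIBES":
            describes = True
    if not describes:
        findings.append("no DESCRIBES relationship from SPDXRef-DOCUMENT")
    return findings


def check_spdx_file(path):
    """Load an spdx-json file (e.g. sbom.spdx.json from `generate`) and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_spdx_document(json.load(fh))


def broken_sample():
    """Copy of SAMPLE_GOOD with three defects introduced on purpose: a missing
    namespace, a truncated checksum and a dangling relationship."""
    doc = copy.deepcopy(SAMPLE_GOOD)
    del doc["documentNamespace"]
    doc["files"][0]["checksums"][0]["checksumValue"] = "abc"
    doc["relationships"].append({"spdxElementId": "SPDXRef-Package-demo-app",
                                 "relationshipType": "DEPENDS_ON",
                                 "relatedSpdxElement": "SPDXRef-Package-missing"})
    return doc


if __name__ == "__main__":
    import sys
    # Usage: python spdx_check.py sbom.spdx.json (falls back to the built-in sample)
    result = check_spdx_file(sys.argv[1]) if len(sys.argv) > 1 else check_spdx_document(SAMPLE_GOOD)
    for line in result or ["no findings"]:
        print(line)
```

Running it with no argument checks the embedded sample and reports no findings; `broken_sample()` shows the three failure modes a pipeline should reject: a missing required field, a checksum that cannot be a real digest, and a relationship pointing at an element the document never defines.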
See the documentation for details.
See the development guide documentation for details.
If you encounter problems in use, you are welcome to submit an issue to us.
SBOM-TOOL is an open source software component analysis tool; we look forward to your contribution.
This project is licensed under MulanPSL2 - see the LICENSE file for details.