# sbom-tool

**Repository Path**: itwennet/sbom-tool

## Basic Information

- **Project Name**: sbom-tool
- **Description**: SBOM-TOOL is a CLI tool that generates a software bill of materials (SBOM) for a software project from several dimensions of information: the source code repository, code fingerprints, the build environment, artifact information, artifact content, dependency components, and more.
- **Primary Language**: Go
- **License**: MulanPSL-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 60
- **Created**: 2024-05-27
- **Last Updated**: 2024-05-27

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# SBOM-TOOL

English | [简体中文](./README_zh.md)

SBOM-TOOL is a CLI tool that generates a software bill of materials (SBOM) for a software project from several dimensions of information: the source code repository, code fingerprints, the build environment, artifact information, artifact content, build dependencies, and more.

## Features

### Information collection

- Collect source code project information, including repository address, version information, etc.
- Collect and generate code fingerprints
- Collect information about the build environment the project depends on
- Collect the dependency components the project is built from
- Collect the final artifact package information
- Collect artifact content information, including file name, file type, checksum, etc.

### SBOM document

- Assemble SBOM documents
- Standard format conversion: supports the domestic XSPDX specification, SPDX and other specifications, in JSON, TagValue and other formats
- Canonical format check: supports the domestic XSPDX specification, SPDX and other specifications, in JSON, TagValue and other formats

## Code fingerprint generation ability

| Language      | Supported |
|---------------|-----------|
| `C/C++`       | yes       |
| `Java`        | yes       |
| `C#`          | yes       |
| `Dart`        | yes       |
| `Golang`      | yes       |
| `Javascript`  | yes       |
| `Objective-C` | yes       |
| `Php`         | yes       |
| `Python`      | yes       |
| `Ruby`        | yes       |
| `Rust`        | yes       |
| `Swift`       | yes       |
| `Lua`         | yes       |

## Dependency package scanning capability

Configuration file parsing and binary package parsing for the following programming languages are currently supported; more programming languages will be supported step by step.

| Package Type | Package Manager                                  | Parsing file | Supports dependency graph |
|--------------|--------------------------------------------------|--------------|---------------------------|
| `maven`      | [Maven](https://maven.apache.org)                |              | yes                       |
| `maven`      | [Gradle](https://gradle.org)                     |              | yes                       |
| `conan`      | [Conan](https://conan.io)                        |              | yes                       |
| `npm`        | [NPM](https://www.npmjs.com)                     |              | no                        |
| `npm`        | [Yarn](https://yarnpkg.com)                      |              | yes                       |
| `npm`        | [PNPM](https://pnpm.io/)                         |              | yes                       |
| `golang`     | [Go Module](https://go.dev/ref/mod)              |              | yes                       |
| `golang`     | [Glide](https://github.com/Masterminds/glide)    |              | no                        |
| `golang`     | [GoDep](https://github.com/tools/godep)          |              | no                        |
| `golang`     | [Dep](https://github.com/golang/dep)             |              | no                        |
| `golang`     | [GVT](https://github.com/FiloSottile/gvt)        |              | no                        |
| `pypi`       | [PIP](https://pip.pypa.io)                       |              | yes                       |
| `pypi`       | [Poetry](https://python-poetry.org)              |              | yes                       |
| `conda`      | [Conda](https://conda.io)                        |              | no                        |
| `composer`   | [Composer](https://getcomposer.org)              |              | no                        |
| `cargo`      | [Cargo](https://doc.rust-lang.org/cargo)         |              | yes                       |
| `carthage`   | [Carthage](https://github.com/Carthage/Carthage) |              | no                        |
| `swift`      | [SwiftPM](https://www.swift.org/package-manager) |              | no                        |
| `cocoapods`  | [Cocoapods](https://cocoapods.org)               |              | yes                       |
| `gem`        | [Gem](https://rubygems.org)                      |              | yes                       |
| `nuget`      | [NuGet](https://www.nuget.org)                   |              | yes                       |
| `pub`        | [Pub](https://pub.dev)                           |              | yes                       |
| `rpm`        | [RPM](https://rpm-packaging-guide.github.io)     |              | no                        |
| `deb`        | [DEB](https://deb.debian.org/debian)             |              | no                        |
| `lua`        | [LuaRocks](https://luarocks.org)                 |              | no                        |
| `bower`      | [Bower](https://bower.io)                        |              | no                        |

## Architecture

![SBOM-TOOL architecture](./docs/img/arch.png)

## Installation

1. Download the source code and compile it (`go 1.18` or above is required):

```shell
git clone git@gitee.com:JD-opensource/sbom-tool.git
cd sbom-tool
make
```

By default this produces program binaries for the following system architectures:

- Linux x86_64: sbom-tool-linux-amd64
- Linux arm64: sbom-tool-linux-arm64
- Windows x86_64: sbom-tool-windows-amd64.exe
- Windows arm64: sbom-tool-windows-arm64.exe
- MacOS amd64: sbom-tool-darwin-amd64
- MacOS arm64: sbom-tool-darwin-arm64

2. Or install via `go install`:

```shell
go install gitee.com/JD-opensource/sbom-tool/cmd/sbom-tool@latest
```

3. Or install by downloading a prebuilt binary: [SBOM-TOOL Releases](https://gitee.com/JD-opensource/sbom-tool/releases)

## Subcommands

| Subcommand    | Function                                                   |
|---------------|------------------------------------------------------------|
| `help`        | Help about any command                                     |
| `artifact`    | Collect artifact information                               |
| `assembly`    | Assemble an SBOM document from document segments           |
| `completion`  | Generate the autocompletion script for the specified shell |
| `convert`     | Convert SBOM document format                               |
| `env`         | Collect build environment information                      |
| `fingerprint` | Generate code fingerprints                                 |
| `generate`    | Generate an SBOM document                                  |
| `package`     | Collect package dependencies                               |
| `source`      | Collect source code information                            |
| `validate`    | Validate SBOM document format                              |
| `info`        | Get tool introduction information                          |
| `modify`      | Modify SBOM document properties                            |

## Parameter description

| Parameter       | Short parameter | Description                                                                                                                          | Usage example                                |
|-----------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------|
| `--log-level`   |                 | Log level (`debug`, `info`, `warn`, `error`)                                                                                         | `--log-level info`                           |
| `--log-path`    |                 | Log output path (default `$home/sbom-tool/sbom-tool.log`)                                                                            | `--log-path /tmp/sbom.log`                   |
| `--quiet`       | `-q`            | No console output                                                                                                                    | `--quiet` or `-q`                            |
| `--ignore-dirs` |                 | Directories to ignore, comma-separated; all dot directories are skipped. Example: `node_modules,logs`                                | `--ignore-dirs log,logs`                     |
| `--language`    | `-l`            | Programming language (currently supported: `java`, `cpp`) (default `*`)                                                              | `--language java` or `-l cpp`                |
| `--parallelism` | `-m`            | Degree of parallelism (default `8`)                                                                                                  | `--parallelism 4` or `-m 9`                  |
| `--output`      | `-o`            | Output file; by default the result file is written to the current directory                                                          | `--output /tmp/sbom.json`                    |
| `--src`         | `-s`            | Project source directory (uses the project root if empty) (default `.`)                                                              | `--src /tmp/sbomtool/src/`                   |
| `--path`        | `-p`            | Specify the project home directory; for the `assembly` subcommand it specifies the temporary document path for each phase            | `--path /tmp/sbomtool/`                      |
| `--dist`        | `-d`            | Distribution directory (default `.`)                                                                                                 | `--dist /tmp/sbomtool/bin/`                  |
| `--format`      | `-f`            | Specify the SBOM document format (currently supported: `xspdx-json`, `spdx-json`, `spdx-tagvalue`) (default `spdx-json`)             | `--format xspdx-json` or `-f spdx-json`      |
| `--input`       | `-i`            | Specify the SBOM document to use as input                                                                                            | `--input /tmp/sbom.json`                     |

## SBOM document specification and format

| Specification | Format     | SBOM document format | Status    |
|:--------------|:-----------|:---------------------|:----------|
| `XSPDX`       | `JSON`     | `xspdx-json`         | Supported |
| `SPDX`        | `JSON`     | `spdx-json`          | Supported |
| `SPDX`        | `TagValue` | `spdx-tagvalue`      | Supported |

## User guide

Generate code fingerprints only, based on the source code path:

```shell
sbom-tool fingerprint -m 4 -s ${src_path} -o fingerprint.json --ignore-dirs .git
```

Generate an SBOM document and specify the format:

```shell
sbom-tool generate -m 4 -p ${project_path} -s ${src_path} -d ${dist_path} -o sbom.spdx.json -f spdx-json --ignore-dirs .git -n ${name} -v ${version} -u ${supplier} -b ${namespace}
```

Get tool introduction information:

```shell
sbom-tool info
```

See the [user guide](docs/en-US/user-guide.md) for details.

## Development guide

See the [development guide documentation](docs/en-US/development-guide.md) for details.

## Problem feedback & contact us

If you encounter problems in use, you are welcome to submit an ISSUE to us.

## How to contribute

SBOM-TOOL is an open source software component analysis tool; we look forward to your contribution.

## License

This project is licensed under **MulanPSL2** - see the [LICENSE](LICENSE) file for details.
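As an added example of what the `validate` subcommand and the artifact checksum collection above are about, the following Go program (written for this page, not code from the sbom-tool project) parses a minimal `spdx-json` document, applies the structural checks a consumer would expect (required SPDX 2.x header fields, unique SPDXIDs, relationships that point only at elements present in the document), and then recomputes the SHA256 of each listed file to confirm the artifact content still matches what the SBOM records. The struct model covers only a subset of the SPDX JSON fields, and the document, file content and namespace it works on are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the SPDX 2.x JSON document model (the `spdx-json` format above).
// Unknown fields in a real document are ignored by encoding/json, so a full
// document produced by a generator still parses into this model.
type Checksum struct {
	Algorithm     string `json:"algorithm"`
	ChecksumValue string `json:"checksumValue"`
}

type SPDXFile struct {
	FileName  string     `json:"fileName"`
	SPDXID    string     `json:"SPDXID"`
	Checksums []Checksum `json:"checksums"`
}

type Package struct {
	Name             string `json:"name"`
	SPDXID           string `json:"SPDXID"`
	DownloadLocation string `json:"downloadLocation"`
}

type Relationship struct {
	SpdxElementID      string `json:"spdxElementId"`
	RelationshipType   string `json:"relationshipType"`
	RelatedSpdxElement string `json:"relatedSpdxElement"`
}

type Document struct {
	SPDXVersion       string         `json:"spdxVersion"`
	DataLicense       string         `json:"dataLicense"`
	SPDXID            string         `json:"SPDXID"`
	Name              string         `json:"name"`
	DocumentNamespace string         `json:"documentNamespace"`
	Packages          []Package      `json:"packages"`
	Files             []SPDXFile     `json:"files"`
	Relationships     []Relationship `json:"relationships"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ParseSPDXJSON decodes an spdx-json document into the model above.
func ParseSPDXJSON(data []byte) (*Document, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("not a valid spdx-json document: %w", err)
	}
	return &doc, nil
}

// ValidateDocument performs the structural checks: required header fields,
// unique SPDXIDs, and relationships that reference only known elements.
func ValidateDocument(doc *Document) error {
	if !strings.HasPrefix(doc.SPDXVersion, "SPDX-2.") {
		return fmt.Errorf("unsupported spdxVersion %q", doc.SPDXVersion)
	}
	if doc.DataLicense != "CC0-1.0" {
		return fmt.Errorf("dataLicense must be CC0-1.0, got %q", doc.DataLicense)
	}
	if doc.SPDXID != "SPDXRef-DOCUMENT" || doc.Name == "" || doc.DocumentNamespace == "" {
		return fmt.Errorf("document SPDXID, name and documentNamespace are required")
	}
	ids := map[string]bool{doc.SPDXID: true}
	for _, p := range doc.Packages {
		if p.SPDXID == "" || ids[p.SPDXID] {
			return fmt.Errorf("package %q: missing or duplicate SPDXID %q", p.Name, p.SPDXID)
		}
		ids[p.SPDXID] = true
	}
	for _, f := range doc.Files {
		if f.SPDXID == "" || ids[f.SPDXID] {
			return fmt.Errorf("file %q: missing or duplicate SPDXID %q", f.FileName, f.SPDXID)
		}
		ids[f.SPDXID] = true
	}
	for _, r := range doc.Relationships {
		if !ids[r.SpdxElementID] || !ids[r.RelatedSpdxElement] {
			return fmt.Errorf("relationship %s %s %s refers to an unknown element",
				r.SpdxElementID, r.RelationshipType, r.RelatedSpdxElement)
		}
	}
	return nil
}

// VerifyFileChecksums recomputes SHA256 over the supplied file contents and
// compares it with the value the SBOM records; a mismatch means the artifact
// content no longer matches what the SBOM describes.
func VerifyFileChecksums(doc *Document, contents map[string][]byte) error {
	for _, f := range doc.Files {
		data, ok := contents[f.FileName]
		if !ok {
			return fmt.Errorf("file %q is listed in the SBOM but not present", f.FileName)
		}
		for _, c := range f.Checksums {
			if c.Algorithm != "SHA256" {
				continue // only SHA256 is checked in this example
			}
			if got := sha256Hex(data); !strings.EqualFold(got, c.ChecksumValue) {
				return fmt.Errorf("file %q: SHA256 %s does not match recorded %s", f.FileName, got, c.ChecksumValue)
			}
		}
	}
	return nil
}

// SampleContents is a constructed artifact: a single file with made-up content.
var SampleContents = map[string][]byte{"lib/demo.txt": []byte("constructed demo artifact\n")}

// SampleSBOM builds a constructed spdx-json document describing SampleContents
// (the namespace is a placeholder, not a real URL).
func SampleSBOM() []byte {
	doc := Document{
		SPDXVersion: "SPDX-2.3", DataLicense: "CC0-1.0", SPDXID: "SPDXRef-DOCUMENT",
		Name: "demo-project", DocumentNamespace: "https://example.invalid/spdxdocs/demo-project",
		Packages: []Package{{Name: "demo-project", SPDXID: "SPDXRef-Package-demo", DownloadLocation: "NOASSERTION"}},
		Files: []SPDXFile{{FileName: "lib/demo.txt", SPDXID: "SPDXRef-File-demo",
			Checksums: []Checksum{{Algorithm: "SHA256", ChecksumValue: sha256Hex(SampleContents["lib/demo.txt"])}}}},
		Relationships: []Relationship{
			{SpdxElementID: "SPDXRef-DOCUMENT", RelationshipType: "DESCRIBES", RelatedSpdxElement: "SPDXRef-Package-demo"},
			{SpdxElementID: "SPDXRef-Package-demo", RelationshipType: "CONTAINS", RelatedSpdxElement: "SPDXRef-File-demo"},
		},
	}
	out, _ := json.MarshalIndent(doc, "", "  ")
	return out
}

func main() {
	doc, err := ParseSPDXJSON(SampleSBOM())
	if err != nil {
		fmt.Println("parse:", err)
		return
	}
	fmt.Println("structure:", ValidateDocument(doc))
	fmt.Println("checksums:", VerifyFileChecksums(doc, SampleContents))
	// A modified artifact is detected because its SHA256 no longer matches the SBOM.
	fmt.Println("tampered:", VerifyFileChecksums(doc, map[string][]byte{"lib/demo.txt": []byte("modified\n")}))
}
```

The structural pass and the checksum pass are deliberately separate: the first can run on the SBOM alone (what a format validator does), while the second needs the artifact itself and is the check a consumer runs before trusting that an SBOM actually describes the package they received.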