Git Product home page Git Product logo

sbom2doc's Introduction

SBOM2DOC

SBOM2DOC documents and summarises the components within an SBOM (Software Bill of Materials). SBOMS are supported in a number of formats including SPDX and CycloneDX.

Installation

To install use the following command:

pip install sbom2doc

Alternatively, just clone the repo and install dependencies using the following command:

pip install -U -r requirements.txt

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially if you are using different versions of python. virtualenv is a tool for setting up virtual python environments which allows you to have all the dependencies for the tool set up in a single environment, or have different environments set up for testing using different versions of Python.

Usage

usage: sbom2doc [-h] [-i INPUT_FILE] [--debug] [--include-license] [-f {console,json,markdown,pdf}] [-o OUTPUT_FILE] [-V]

SBOM2doc generates documentation for a SBOM.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        Name of SBOM file

Output:
  --debug               add debug information
  --include-license     add license text
  -f {console,json,markdown,pdf}, --format {console,json,markdown,pdf}
                        Output format (default: output to console)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)

Operation

The --input-file option is used to specify the SBOM to be processed. The format of the SBOM is determined according to the following filename conventions.

SBOM Format Filename extension
SPDX TagValue .spdx
SPDX JSON .spdx.json
SPDX YAML .spdx.yaml
SPDX YAML .spdx.yml
CycloneDX JSON .json

The --output-file option is used to control the destination of the output generated by the tool. The default is to report to the console, but it can also be stored in a file (specified using --output-file option).

The --include-license option is used to indicate if the text for the licenses is to be included in the output.

Example

Given the following SBOM (flask.spdx)

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Python-flask
DocumentNamespace: http://spdx.org/spdxdocs/Python-flask-f95bd9a2-1442-4631-9b13-870422204ed4
LicenseListVersion: 3.21
Creator: Tool: sbom4python-0.10.0
Created: 2023-08-17T20:28:31Z
CreatorComment: <text>This document has been automatically generated.</text>
##### 

PackageName: flask
SPDXID: SPDXRef-Package-1-flask
PackageVersion: 2.2.2
PrimaryPackagePurpose: APPLICATION
PackageSupplier: Person: Armin Ronacher ([email protected])
PackageDownloadLocation: https://pypi.org/project/Flask/2.2.2
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
PackageLicenseConcluded: BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: <text>A simple framework for building complex web applications.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:flask:2.2.2:*:*:*:*:*:*:*
##### 

PackageName: click
SPDXID: SPDXRef-Package-2-click
PackageVersion: 8.0.3
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Armin Ronacher ([email protected])
PackageDownloadLocation: https://pypi.org/project/click/8.0.3
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
PackageLicenseConcluded: BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Composable command line interface toolkit</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:click:8.0.3:*:*:*:*:*:*:*
##### 

PackageName: itsdangerous
SPDXID: SPDXRef-Package-3-itsdangerous
PackageVersion: 2.1.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Armin Ronacher ([email protected])
PackageDownloadLocation: https://pypi.org/project/itsdangerous/2.1.2
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
PackageLicenseConcluded: BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Safely pass data to untrusted environments and back.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:itsdangerous:2.1.2:*:*:*:*:*:*:*
##### 

PackageName: jinja2
SPDXID: SPDXRef-Package-4-jinja2
PackageVersion: 3.0.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Armin Ronacher ([email protected])
PackageDownloadLocation: https://pypi.org/project/Jinja2/3.0.2
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
PackageLicenseConcluded: BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: <text>A very fast and expressive template engine.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.0.2:*:*:*:*:*:*:*
##### 

PackageName: markupsafe
SPDXID: SPDXRef-Package-5-markupsafe
PackageVersion: 2.1.1
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Armin Ronacher ([email protected])
PackageDownloadLocation: https://pypi.org/project/MarkupSafe/2.1.1
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
PackageLicenseConcluded: BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Safely add untrusted strings to HTML/XML markup.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:markupsafe:2.1.1:*:*:*:*:*:*:*
##### 

PackageName: werkzeug
SPDXID: SPDXRef-Package-6-werkzeug
PackageVersion: 2.2.2
PrimaryPackagePurpose: LIBRARY
PackageSupplier: Person: Armin Ronacher ([email protected])
PackageDownloadLocation: https://pypi.org/project/Werkzeug/2.2.2
FilesAnalyzed: false
PackageLicenseDeclared: BSD-3-Clause
PackageLicenseConcluded: BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageSummary: <text>The comprehensive WSGI web application library.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:werkzeug:2.2.2:*:*:*:*:*:*:*
##### 

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-2-click
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-3-itsdangerous
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-4-jinja2
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-6-werkzeug
Relationship: SPDXRef-Package-4-jinja2 DEPENDS_ON SPDXRef-Package-5-markupsafe
Relationship: SPDXRef-Package-6-werkzeug DEPENDS_ON SPDXRef-Package-5-markupsafe

The following commands will generate a summary of the contents of the SBOM to the console.

sbom2doc --input flask.spdx 

╭──────────────╮
│ SBOM Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Item          ┃ Details                    ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ SBOM File     │ /root/Downloads/flask.spdx │
│ SBOM Type     │ spdx                       │
│ Version       │ SPDX-2.3                   │
│ Name          │ Python-flask               │
│ Creator       │ Tool:sbom4python-0.10.0    │
│ Created       │ 2023-08-17T20:28:31Z       │
│ Files         │ 0                          │
│ Packages      │ 6                          │
│ Relationships │ 7                          │
└───────────────┴────────────────────────────┘
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Name         ┃ Version ┃ Type        ┃ Supplier                                     ┃ License      ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ flask        │ 2.2.2   │ APPLICATION │ Armin Ronacher ([email protected]) │ BSD-3-Clause │
│ click        │ 8.0.3   │ LIBRARY     │ Armin Ronacher ([email protected]) │ BSD-3-Clause │
│ itsdangerous │ 2.1.2   │ LIBRARY     │ Armin Ronacher ([email protected]) │ BSD-3-Clause │
│ jinja2       │ 3.0.2   │ LIBRARY     │ Armin Ronacher ([email protected]) │ BSD-3-Clause │
│ markupsafe   │ 2.1.1   │ LIBRARY     │ Armin Ronacher ([email protected]) │ BSD-3-Clause │
│ werkzeug     │ 2.2.2   │ LIBRARY     │ Armin Ronacher ([email protected]) │ BSD-3-Clause │
└──────────────┴─────────┴─────────────┴──────────────────────────────────────────────┴──────────────┘


┏━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┓
┃ Name         ┃ Version ┃ Ecosystem ┃ Download                                    ┃ Copyright   ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━┩
│ flask        │ 2.2.2   │ pypi      │ https://pypi.org/project/Flask/2.2.2        │ NOASSERTION │
│ click        │ 8.0.3   │ pypi      │ https://pypi.org/project/click/8.0.3        │ NOASSERTION │
│ itsdangerous │ 2.1.2   │ pypi      │ https://pypi.org/project/itsdangerous/2.1.2 │ NOASSERTION │
│ jinja2       │ 3.0.2   │ pypi      │ https://pypi.org/project/Jinja2/3.0.2       │ NOASSERTION │
│ markupsafe   │ 2.1.1   │ pypi      │ https://pypi.org/project/MarkupSafe/2.1.1   │ NOASSERTION │
│ werkzeug     │ 2.2.2   │ pypi      │ https://pypi.org/project/Werkzeug/2.2.2     │ NOASSERTION │
└──────────────┴─────────┴───────────┴─────────────────────────────────────────────┴─────────────┘
╭────────────────────────╮
│ Component Type Summary │
╰────────────────────────╯
┏━━━━━━━━━━━━━┳━━━━━━━┓
┃ Type        ┃ Count ┃
┡━━━━━━━━━━━━━╇━━━━━━━┩
│ APPLICATION │ 1     │
│ LIBRARY     │ 5     │
└─────────────┴───────┘
╭─────────────────╮
│ License Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━┓
┃ License      ┃ Count ┃
┡━━━━━━━━━━━━━━╇━━━━━━━┩
│ BSD-3-Clause │ 6     │
└──────────────┴───────┘
╭──────────────────╮
│ Supplier Summary │
╰──────────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓
┃ Supplier                                      ┃ Count ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩
│ Armin Ronacher ([email protected])  │ 6     │
└───────────────────────────────────────────────┴───────┘
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┓
┃ Element                            ┃ Status ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━┩
│ All file information provided?     │ True   │
│ All package information provided?  │ True   │
│ Creator identified?                │ True   │
│ Creation time identified?          │ True   │
│ Dependency relationships provided? │ True   │
└────────────────────────────────────┴────────┘

NTIA conformant True

Licence

Licenced under the Apache 2.0 Licence.

Limitations

The tool has the following limitations

  • SBOMs in RDF (SPDX) and XML (SPDX and CycloneDX) formats are not supported.

  • Invalid SBOMs will result in unpredictable results.

Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

sbom2doc's People

Contributors

anthonyharrison avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

mofe23 anthonys01 georgkoester

sbom2doc's Issues

Missing dependency: requests

Hi,

After installation I have the following error:

$ sbom2doc.exe
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "C:/msys64/ucrt64/bin/sbom2doc.exe/__main__.py", line 4, in <module>
  File "C:/msys64/ucrt64/lib/python3.11/site-packages/sbom2doc/cli.py", line 11, in <module>
    import sbom2doc.generator as generator
  File "C:/msys64/ucrt64/lib/python3.11/site-packages/sbom2doc/generator.py", line 4, in <module>
    import requests
ModuleNotFoundError: No module named 'requests'

After installing requests, no error anymore.

Thanks,

Olivier

License download broken after adding Supplier Summary

The --include-license feature is currently broken due to reuse of the freq variable in generator.py.
Before 397ab4b this variable contained a map of licenses, but now it contains the suppliers. As a consequence, the license downloading code at the end of generator.py operates on incorrect input.

Here is a POC of a fix:

diff --git a/generator.py b/generator.py
index c9f3d6d..7cf088b 100644
--- a/generator.py
+++ b/generator.py
@@ -148,10 +148,10 @@ def generate_document(format, sbom_parser, filename, outfile, include_license):
     sbom_document.createtable(["License", "Count"], [25, 6])
     #
     # Create an empty dictionary
-    freq = {}
+    freqLicenses = {}
     for items in sorted(sbom_licenses):
-        freq[items] = sbom_licenses.count(items)
-    for key, value in freq.items():
+        freqLicenses[items] = sbom_licenses.count(items)
+    for key, value in freqLicenses.items():
         sbom_document.addrow([key, str(value)])
     sbom_document.showtable(widths=[10, 4])

@@ -189,7 +189,7 @@ def generate_document(format, sbom_parser, filename, outfile, include_license):
     if include_license:
         sbom_document.pagebreak()
         sbom_document.heading(1, "License Text")
-        for key, value in freq.items():
+        for key, value in freqLicenses.items():
             # Ignore undefined licenses or expressions
             if key == "NOASSERTION" or license_info.license_expression(key):
                 continue

By the way, thanks for this useful tool!

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.