Sign in Sign up
Explore Enterprise Education Gitee Premium Gitee AI
Open Source > DevOps/Network > DevOps &&
Scan WeChat QR to Pay
Cancel
Complete
Watch
Unwatch Watching Releases Only Ignoring
18 Star 155 Fork 47

GVP京东开源/sbom-tool

Code Issues 0 Pull Requests 0 Wiki Insights Pipelines
Service
Create your Gitee Account
Explore and code with more than 12 million developers,Free private repositories !:)
Sign up
Clone or Download
Branches 1
Tags 1
contribute
Sync branch
Create Pull Request
known more
See difference Through Pull Request Sync
Sync branch
Through Pull Request Sync
A Pull Request will be created to the current
branch and will be merged in to complete the sync
Cancel
Notice: Creating folder will generate an empty file .keep, because not support in Git
.gitee
.workflow
build
cmd
docs
pkg
vendor
.gitignore
.goreleaser.yml
LICENSE
Makefile
NOTICE
README.md
README_zh.md
go.mod
go.sum
Loading...
README
MulanPSL-2.0

SBOM-TOOL

English | 简体中文

SBOM-TOOL is a ctl tool that generates software bill of materials (SBOM) for software projects through source code warehouse, code fingerprint, construction environment, artifact information, artifact content, dependency construction and other dimensional information.

Feature

Information collection

  • Collect source code engineering information, including warehouse address, version information, etc.
  • Collect and generate code fingerprints
  • Collecting engineering construction depends on environmental information
  • Collect the dependent components built by the project
  • Collect the final artifact package information
  • Collect artifact content information, including file name type, check code, etc.

SBOM document

  • Assemble SBOM documents
  • Standard format conversion,support domestic XSPDX, SPDX and other specifications, support JSON, TagValue and other formats
  • Canonical format check,support domestic XSPDX, SPDX and other specifications, support JSON, TagValue and other formats

Code fingerprint generation ability

language Is it supported
C/C++ yes
Java yes
C# yes
Dart yes
Golang yes
Javascript yes
Objective-C yes
Php yes
Python yes
Ruby yes
Rust yes
Swift yes
Lua yes

Dependent packet scanning capability

Configuration file parsing and binary package parsing related to the following programming languages are now supported, and more programming languages will be supported step by step.

Package Type Package Manager Parsing file support dependency graph
maven Maven
  • pom.xml
  • *.jar
  • *.war
  • [graph]maven-dependency-tree.txt(mvn dependency:tree -DoutputFile=maven-dependency-tree.txt)
 yes
maven Gradle
  • *.gradle
  • .gradle.lockfile
  • [graph]gradle-dependency-tree.txt(gradlew gradle-baseline-java:dependencies > gradle-dependency-tree.txt)
 yes
conan Conan
  • conanfile.txt
  • conan.lock
  • [graph]conan-graph-info.json(conan graph info -f json > conan-graph-info.json)
 yes
npm NPM
  • package.json
  • package-lock.json
 no
npm Yarn
  • [graph]yarn.lock
 yes
npm PNPM
  • [graph]pnpm.lock
 yes
golang Go Module
  • go.mod
  • Go Binary file
  • [graph]go-mod-graph.txt(go mod graph > go-mod-graph.txt)
yes
golang Glide
  • glide.yml
  • glide.yaml
 no
golang GoDep
  • Godeps.json
no
golang Dep
  • Gopkg.toml
no
golang GVT
  • */vendor/manifest
 no
pypi PIP
  • Pipfile.lock
  • *dist-info/METADATA
  • PKG-INFO
  • *requirements*.txt
  • setup.py
  • [graph]pipenv-graph.txt(pipenv graph > pipenv-graph.txt)
 yes
pypi Poetry
  • [graph]poetry.lock
 yes
conda Conda
  • environment.yml
  • environment.yaml
  • package-list.txt
 no
composer Composer
  • composer.json
  • composer.lock
 no
cargo Cargo
  • Cargo.toml
  • [graph]Cargo.lock
  • Rust Binary file
 yes
carthage Carthage
  • Cartfile
  • Cartfile.resolved
 no
swift SwiftPM
  • Package.swift
 no
cocoapods Cocoapods
  • Podfile.lock
  • Podfile
  • *.podspec
 yes
gem Gem
  • [graph]Gemfile.lock
  • Gemfile
  • *.gemspec
 yes
nuget NuGet
  • [graph]*.deps.json
  • *.csproj
  • *.vbproj
  • *.fsproj
  • *.vcproj
  • *.nuget.dgspec.json
  • *.nuspec
  • packages.json
  • packages.lock.json
yes
pub Pub
  • [graph]pub-deps.json(dart pub deps --json > pub-deps.json)
  • pubspec.lock
  • pubspec.yaml
 yes
rpm RPM
  • *.spec
 no
deb DEB
  • *.deb
  • *.control
 no
lua LuaRocks
  • *.rockspec
 no
bower Bower
  • *.spec
 no

Architecture

SBOM-TOOL architecture

Installation

  1. Download source code compilation(go 1.18 or above is required) 
    git clone git@gitee.com:JD-opensource/sbom-tool.git
cd sbom-tool
make
    Generate program binaries for various system architectures by default
    • Linux X86_64:sbom-tool-linux-amd64
    • Linux arm64:sbom-tool-linux-arm64
    • Windows X86_64:sbom-tool-windows-amd64.exe
    • Windows arm64:sbom-tool-windows-arm64.exe
    • MacOS amd64: sbom-tool-darwin-amd64
    • MacOS arm64: sbom-tool-darwin-arm64

Or install via go install

   go install gitee.com/JD-opensource/sbom-tool/cmd/sbom-tool@latest

Or install via downloading the binary: SBOM-TOOL Releases

Subcommands

subcommand function
help Help about any command
artifact collect artifact information
assembly assembly sbom document from document segments
completion Generate the autocompletion script for the specified shell
convert convert sbom document format
env build environment info
fingerprint generate code fingerprint
generate generate sbom document
package collect package dependencies
source collect source code information
validate validate sbom document format
info get tool introduction information
modify modify sbom document properties

Parameter description

Parameters Short parameter describe Use exampl
--log-level log level (debuginfowarnerror) --log-level info
--log-path log output path (default "$home/sbom-tool/sbom-tool.log") --log-path /tmp/sbom.log
--quiet -q no console output --quiet -q
--ignore-dirs dirs to ignore, skip all dot dirs, split by comma. sample: node_modules,logs --ignore-dirs log,logs
--language -l programming language (Currently supported:javacpp)(Default “*”) --language java -l cpp
--parallelism -m number of parallelism(Default 8) --parallelism 4 -m 9
--output -o output file,The result file is produced in the current directory by default. --output /tmp/sbom.json
--src -s project source directory(use project root if empty) (default ".") --src /tmp/sbomtool/src/
--path -p Specify the project project home directory; the assemble subcommand is used to specify the temporary document path for each phase --path /tmp/sbomtool/
--dist -d distribution directory (default ".") --dist /tmp/sbomtool/bin/
--format -f Specify SBOM document format(Currently supported:xspdx-jsonspdx-jsonspdx-tagvalue )(Default spdx-json) --format xspdx-json -f spdx-json
--input -i Specify the SBOM document as input --input /tmp/sbom.jsom

SBOM Document specification and format

specification format SBOM document format status
XSPDX JSON xspdx-json Supported
SPDX JSON spdx-json Supported
SPDX TagValue spdx-tagvalue Supported

User guide

Generate code fingerprints only based on the source code path

sbom-tool fingerprint -m 4 -s ${src_path}  -o fingerprint.json --ignore-dirs .git

Generate an SBOM document and specify the format

sbom-tool generate -m 4 -p ${project_path} -s ${src_path} -d ${dist_path}  -o sbom.spdx.json -f spdx-json --ignore-dirs .git  -n ${name} -v ${version} -u ${supplier} -b ${namespace}

Get tool introduction information

sbom-tool info

See document for details.

Development guide

See for details Development guide documentation

Problem feedback & contact us

If you encounter problems in use, you are welcome to submit ISSUE to us.

How to Contribute

SBOM-TOOL is a open source software component analysis tool, look forward to your contribution.

License

This project is licensed under MulanPSL2 - see the LICENSE file for details.

木兰宽松许可证, 第2版 木兰宽松许可证, 第2版 2020年1月 http://license.coscl.org.cn/MulanPSL2 您对“软件”的复制、使用、修改及分发受木兰宽松许可证,第2版(“本许可证”)的如下条款的约束: 0. 定义 “软件”是指由“贡献”构成的许可在“本许可证”下的程序和相关文档的集合。 “贡献”是指由任一“贡献者”许可在“本许可证”下的受版权法保护的作品。 “贡献者”是指将受版权法保护的作品许可在“本许可证”下的自然人或“法人实体”。 “法人实体”是指提交贡献的机构及其“关联实体”。 “关联实体”是指,对“本许可证”下的行为方而言,控制、受控制或与其共同受控制的机构,此处的控制是指有受控方或共同受控方至少50%直接或间接的投票权、资金或其他有价证券。 1. 授予版权许可 每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的版权许可,您可以复制、使用、修改、分发其“贡献”,不论修改与否。 2. 授予专利许可 每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的(根据本条规定撤销除外)专利许可,供您制造、委托制造、使用、许诺销售、销售、进口其“贡献”或以其他方式转移其“贡献”。前述专利许可仅限于“贡献者”现在或将来拥有或控制的其“贡献”本身或其“贡献”与许可“贡献”时的“软件”结合而将必然会侵犯的专利权利要求,不包括对“贡献”的修改或包含“贡献”的其他结合。如果您或您的“关联实体”直接或间接地,就“软件”或其中的“贡献”对任何人发起专利侵权诉讼(包括反诉或交叉诉讼)或其他专利维权行动,指控其侵犯专利权,则“本许可证”授予您对“软件”的专利许可自您提起诉讼或发起维权行动之日终止。 3. 无商标许可 “本许可证”不提供对“贡献者”的商品名称、商标、服务标志或产品名称的商标许可,但您为满足第4条规定的声明义务而必须使用除外。 4. 分发限制 您可以在任何媒介中将“软件”以源程序形式或可执行形式重新分发,不论修改与否,但您必须向接收者提供“本许可证”的副本,并保留“软件”中的版权、商标、专利及免责声明。 5. 免责声明与责任限制 “软件”及其中的“贡献”在提供时不带任何明示或默示的担保。在任何情况下,“贡献者”或版权所有者不对任何人因使用“软件”或其中的“贡献”而引发的任何直接或间接损失承担责任,不论因何种原因导致或者基于何种法律理论,即使其曾被建议有此种损失的可能性。 6. 语言 “本许可证”以中英文双语表述,中英文版本具有同等法律效力。如果中英文版本存在任何冲突不一致,以中文版为准。 条款结束 如何将木兰宽松许可证,第2版,应用到您的软件 如果您希望将木兰宽松许可证,第2版,应用到您的新软件,为了方便接收者查阅,建议您完成如下三步: 1, 请您补充如下声明中的空白,包括软件名、软件的首次发表年份以及您作为版权人的名字; 2, 请您在软件包的一级目录下创建以“LICENSE”为名的文件,将整个许可证文本放入该文件中; 3, 请将如下声明文本放入每个源文件的头部注释中。 Copyright (c) [Year] [name of copyright holder] [Software Name] is licensed under Mulan PSL v2. You can use this software according to the terms and conditions of the Mulan PSL v2. You may obtain a copy of Mulan PSL v2 at: http://license.coscl.org.cn/MulanPSL2 THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. See the Mulan PSL v2 for more details. Mulan Permissive Software License,Version 2 Mulan Permissive Software License,Version 2 (Mulan PSL v2) January 2020 http://license.coscl.org.cn/MulanPSL2 Your reproduction, use, modification and distribution of the Software shall be subject to Mulan PSL v2 (this License) with the following terms and conditions: 0. Definition Software means the program and related documents which are licensed under this License and comprise all Contribution(s). Contribution means the copyrightable work licensed by a particular Contributor under this License. Contributor means the Individual or Legal Entity who licenses its copyrightable work under this License. Legal Entity means the entity making a Contribution and all its Affiliates. Affiliates means entities that control, are controlled by, or are under common control with the acting entity under this License, ‘control’ means direct or indirect ownership of at least fifty percent (50%) of the voting power, capital or other securities of controlled or commonly controlled entity. 1. Grant of Copyright License Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable copyright license to reproduce, use, modify, or distribute its Contribution, with modification or not. 2. Grant of Patent License Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable (except for revocation under this Section) patent license to make, have made, use, offer for sale, sell, import or otherwise transfer its Contribution, where such patent license is only limited to the patent claims owned or controlled by such Contributor now or in future which will be necessarily infringed by its Contribution alone, or by combination of the Contribution with the Software to which the Contribution was contributed. The patent license shall not apply to any modification of the Contribution, and any other combination which includes the Contribution. If you or your Affiliates directly or indirectly institute patent litigation (including a cross claim or counterclaim in a litigation) or other patent enforcement activities against any individual or entity by alleging that the Software or any Contribution in it infringes patents, then any patent license granted to you under this License for the Software shall terminate as of the date such litigation or activity is filed or taken. 3. No Trademark License No trademark license is granted to use the trade names, trademarks, service marks, or product names of Contributor, except as required to fulfill notice requirements in Section 4. 4. Distribution Restriction You may distribute the Software in any medium with or without modification, whether in source or executable forms, provided that you provide recipients with a copy of this License and retain copyright, patent, trademark and disclaimer statements in the Software. 5. Disclaimer of Warranty and Limitation of Liability THE SOFTWARE AND CONTRIBUTION IN IT ARE PROVIDED WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL ANY CONTRIBUTOR OR COPYRIGHT HOLDER BE LIABLE TO YOU FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO ANY DIRECT, OR INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OR INABILITY TO USE THE SOFTWARE OR THE CONTRIBUTION IN IT, NO MATTER HOW IT’S CAUSED OR BASED ON WHICH LEGAL THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 6. Language THIS LICENSE IS WRITTEN IN BOTH CHINESE AND ENGLISH, AND THE CHINESE VERSION AND ENGLISH VERSION SHALL HAVE THE SAME LEGAL EFFECT. IN THE CASE OF DIVERGENCE BETWEEN THE CHINESE AND ENGLISH VERSIONS, THE CHINESE VERSION SHALL PREVAIL. END OF THE TERMS AND CONDITIONS How to Apply the Mulan Permissive Software License,Version 2 (Mulan PSL v2) to Your Software To apply the Mulan PSL v2 to your work, for easy identification by recipients, you are suggested to complete following three steps: i Fill in the blanks in following statement, including insert your software name, the year of the first publication of your software, and your name identified as the copyright owner; ii Create a file named “LICENSE” which contains the whole context of this License in the first directory of your software package; iii Attach the statement to the appropriate annotated syntax at the beginning of each source file. Copyright (c) [Year] [name of copyright holder] [Software Name] is licensed under Mulan PSL v2. You can use this software according to the terms and conditions of the Mulan PSL v2. You may obtain a copy of Mulan PSL v2 at: http://license.coscl.org.cn/MulanPSL2 THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. See the Mulan PSL v2 for more details.
Starred
155
Star
155
Fork
47

About

SBOM-TOOL 是通过源码仓库、代码指纹、构建环境、制品信息、制品内容、依赖组件等多种维度信息,为软件项目生成软件物料清单(SBOM)的一款CLI工具。 expand collapse
SBOM
No labels
Go and 6 more languages
Go
98.6%
Ruby
0.5%
Makefile
0.4%
Swift
0.3%
Lua
0.1%
Other
0.1%
MulanPSL-2.0
Use MulanPSL-2.0
Cancel

Releases (1)

All
v0.10

The Open Source Evaluation Index is derived from the OSS Compass evaluation system, which evaluates projects around the following three dimensions

1. Open source ecosystem

  • Productivity: To evaluate the ability of open-source projects to output software artifacts and open-source value.
  • Innovation: Used to evaluate the degree of diversity of open source software and its ecosystem.
  • Robustness: Used to evaluate the ability of open-source projects to resist internal and external interference and self recover in the face of changing development environments.

2. Collaboration, People, Software

  • Collaboration: represents the degree and depth of collaboration in open source development behavior.
  • Observe the influence of core personnel in open source projects, and examine the evaluations of users and developers on open source projects from a third-party perspective.
  • Software: Evaluate the value of products exported from open-source projects and their ultimate destination. It is also a concrete manifestation of "open source software", one of the oldest mainstream directions in open source evaluation.

3. Evaluation model

    Based on the dimensions of "open source ecosystem" and "collaboration, people, and software", identify quantifiable indicators directly or indirectly related to this goal, quantitatively evaluate the health and ecology of open source projects, and ultimately form an open source evaluation index.

Contributors

All

Activities

Load More
can not load any more
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/JD-opensource/sbom-tool.git
git@gitee.com:JD-opensource/sbom-tool.git
JD-opensource
sbom-tool
sbom-tool
master
Going to Help Center

Search

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
Comment
Repository Report
Back to the top