ws-sbom-generator

Release 23.1.1.3

WS SBOM Generator in SPDX format

Homepage PyPI Python

License
Other
Install
pip install ws-sbom-generator==23.1.1.3

Documentation

Logo

License CI Python 3.8 GitHub release

Mend SBOM Generator

This tool generates SBOM reports in either SPDX or CycloneDX formats, for specified projects.

The tool can be executed either via CLI or as a Docker container.

Note: This tool utilizes a forked package of spdx-tools.


SBOM Generator CLI

Supported Operating Systems

  • Linux (Bash): CentOS, Debian, Ubuntu, RedHat
  • Windows (PowerShell): 10, 2012, 2016

Prerequisites

  • Python 3.8 or later
  • Mend user with admin permissions

Note:
The specified user (-u, --userKey) must be associated with a group assigned as either Organization Administrators (for generating report for all projects in the organization) or Product Administrators. For the latter, --tokenType must be specified (see Command-Line Arguments).

Installation

  1. Install the PyPI package ws-sbom-generator

    pip install ws-sbom-generator

    Note: Depending on whether the package was installed as a root user or not, you need to make sure the package installation location was added to the $PATH environment variable.

  2. Update the creation info as needed in the resource/sbom_extra.json file:

    {
  "namespace": "http://CreatorWebsite/pathToSpdx/DocumentName-UUID",
  "org_email": "org@domain.com",
  "person": "First Last",
  "person_email": "first.last@domain.com"
}

Usage

ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type $FORMAT --out $HOME/reports --extra resources/sbom_extra.json

Command-Line Arguments

Parameter Type Required Description
‑h, ‑‑help switch No Show help and exit
‑a, ‑‑wsUrl string Yes Mend server URL
‑u, ‑‑userKey string Yes Mend User Key
‑k, ‑‑token string Yes Mend API Key or Product token
‑y, ‑‑tokenType string No* [organization|product*] (default: organization)
‑t, ‑‑type string No* Report format [json|tv|rdf|xml|yaml|cdx*|all*] (default: tv)
‑s, ‑‑scope string No Product or Project token to generate the report(s) for. When specifying a Product token, one report will be generated for each project under that product. If not specified, one report will be generated for each project in your organization.
‑o, ‑‑out string No Output directory (default: $PWD)
‑on, ‑‑outfile string No* Output file name* (default: Mend {PROJECT_NAME} SBOM report-{FORMAT})
‑lt, ‑‑licensetext bool No Include full license text for all libraries* (default: False)
‑th, ‑‑threads int No Number of threads to run in parallel for report generation (default: 10)
‑e, ‑‑extra string No* Path to a json file containing the creation info to be included in the report (default: $PWD/resources/sbom_extra.json

Notes:
* Token type (--tokenType product) is required in case the specified userKey is associated with a group with Product Administrators permissions.
* Report type (--type) cdx will generate a JSON file in CycloneDX v1.4 format.
* Report type (--type) all will generate one file in each format for each specified project.
* Output file name (--outfile) is only supported for a single project scope.
* Full license texts will be taken by default from the SPDX License List. If a given license does not exist there, the tool will attempt to take it from Mend's database.
* By default, the tool will use the placeholders in the resource/sbom_extra.json file.

Execution Examples

Generating tv formatted SBOM report for a specific project

ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PROJECTTOKEN --out $HOME/reports --extra sbom_extra.json

Generating tv formatted SBOM report for all projects of a specified product

ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PRODUCTTOKEN --out $HOME/reports --extra sbom_extra.json

Generating json formatted SBOM report for all projects in the organization

ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type json --out $HOME/reports

Generating json formatted SBOM report for all projects in the organization, including full license text

ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type json --out $HOME/reports --licensetext True

Generating xml formatted SBOM report for a single project (executed by a product administrator)

ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_PRODUCTTOKEN --tokenType product --scope $WS_PROJECTTOKEN --type xml --out $HOME/reports --extra sbom_extra.json

Generating json formatted SBOM report for a single project, specifying file name

ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PROJECTTOKEN --type json --out $HOME/reports --extra sbom_extra.json --outfile my-project-sbom.json

SBOM Generator Docker Container

Supported Operating Systems

  • Linux: CentOS, Debian, Ubuntu, RedHat
  • Windows: 10, 2012, 2016

Prerequisites

  • Docker version 20 or later
  • Mend user with admin permissions

Note:
The specified user (-u, --userKey) must be associated with a group assigned as either Organization Administrators (for generating report for all projects in the organization) or Product Administrators. For the latter, --tokenType must be specified (see Command-Line Arguments).

Installation

docker pull whitesourcetools/ws-sbom-generator:latest

Usage

docker run --name ws-sbom-generator \ 
  -v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom-generator/resources \ 
  -v $HOME/reports:/opt/ws-sbom-generator/sbom-generator/output \
  -e WS_URL=$WS_WSS_URL \
  -e WS_USER_KEY=$WS_USERKEY \ 
  -e WS_TOKEN=$WS_APIKEY \
  -e WS_REPORT_TYPE=<REPORT_TYPE> \
  whitesourcetools/ws-sbom-generator

Execution Examples

Running as organization administrator, generating json formatted SBOM reports for all projects, default extra args

docker run --name ws-sbom-generator \  
  -v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \ 
  -v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_URL=$WS_WSS_URL \
  -e WS_USER_KEY=$WS_USERKEY \ 
  -e WS_TOKEN=$WS_APIKEY \
  -e WS_REPORT_TYPE=json
  whitesourcetools/ws-sbom-generator

Running as organization administrator, generating tv formatted SBOM report for a single project, default extra args

docker run --name ws-sbom-generator \  
  -v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \
  -v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_URL=$WS_WSS_URL \
  -e WS_USER_KEY=$WS_USERKEY \
  -e WS_TOKEN=$WS_APIKEY \
  -e WS_SCOPE_TOKEN=<WS_PROJECT_TOKEN> \
  whitesourcetools/ws-sbom-generator

Running as a product administrator, generating rdf formatted SBOM report for a single project, default extra args

docker run --name ws-sbom-generator \  
  -v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \
  -v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_URL=$WS_WSS_URL \
  -e WS_USER_KEY=$WS_USERKEY \
  -e WS_TOKEN=$WS_PRODUCTTOKEN \
  -e WS_TOKEN_TYPE=product
  -e WS_SCOPE_TOKEN=$WS_PROJECTTOKEN \
  whitesourcetools/ws-sbom-generator

Stats

Dependencies
3
Dependent packages
0
Dependent repositories
0
Total releases
63
Latest release
First release
Stars
30
Forks
7
Watchers
7
Contributors
9
Repository size
1.74 MB
SourceRank
10

Releases

23.1.1.3
23.1.1.2
23.1.1.1
22.12.2.1
22.12.1.2
22.12.1.1
22.11.30.1
22.9.1
22.8.4.1
22.8.4
See all 63 releases

Contributors

tamari-oz DimarrWS NatDal rammatzkvosky cosimocommisso mend-for-github-com[bot] Luke Brogan AlexRagen Ortal-GI


See all contributors

Login to resync this project