Skip to content

chains-project/sbom-files

BranchesTags

Repository files navigation

SBOMs

Long term storage of build provenance files / software bills of material (SBOM)

How are SBOM generated?

SLSA

SLSA is not a tool for generating an SBOM, but rather a set of requirements for the SBOM. Currently, the SBOM is generated by this action, which produces SBOM formatted as an In-toto attestation, which is the currently recommended format for an SBOM by SLSA.

There is a workflow called sbom.yml in Spoon that automatically generates the provenance files for Spoon project for every commit to INRIA/spoon:master.

Sonatype-Lift

  1. Go to sonatype lift console and click the "dependenices" tab.
  2. Click "Export CycloneDX" button to export the SBOM in JSON format.

Renovate

  1. Inspired from Renovate's "Detected dependecies".
  2. Run the following command and you will get the list of "Detected dependencies" in STDOUT and the log file. 
    renovate --token [REDACTED] --dry-run="extract"  --autodiscover --autodiscover-filter "<org_name>/<repo_name>" --log-file="renovate.log"
    One may use Renovate's npm package or docker image to the run the above command.
  3. See renovatebot/renovate#18258 (comment) for more information.

cdxgen

  1. Install cdxgen npm package. 
    sudo npm install -g @appthreat/cdxgen
  2. Run. 
    cdxgen -t java -o bom.cdxgen.json

It seems that is uses CycloneDX maven plugin under the hood.

Link to GitHub repository: https://github.com/AppThreat/cdxgen

CycloneDX maven plugin

  1. Execute the maven-plugin at the root of the maven project.
$ mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.3:makeAggregateBom
  1. The SBOM (bom.json and bom.xml) is written inside the target folder.

Link to GitHub repository: https://github.com/CycloneDX/cyclonedx-maven-plugin

jbom

  1. Ran Spoon as CLI command and ensured that it would take long to end.
  2. Quickly ran jbom on another terminal lise so:
$ java -jar jbom-1.2.jar -p <process id>

Link to GitHub repository: https://github.com/eclipse/jbom/

Highlight Automated Code Scan

  1. Download the tar ball from the link below.
  2. Run the following command from the HLCS directory.
java -jar HighlightAutomation.jar --workingDir  ~/chains/sbom-files/sorald/ --sourceDir ~/spoonlabs/sorald --skipUpload --technologies "Java"

Link to tool: https://doc.casthighlight.com/product-tutorials-third-party-tools/automated-code-scan-command-line/

The tools generates a lot of CSV files that can be uploaded to Highlight Platform (proprietary) to view the results.

FOSSA

  1. Click 'Start for Free' and then follow the steps.
  2. The report can be exported in SPDX format. However, only direct dependecies are included in the report in the free version.

fossa.png

Link to tool: https://fossa.com/

Meterian

  1. Download the jar from the link in this page - https://www.meterian.com/downloads/meterian-cli.jar.
  2. Run the following command in the root of your project.
$ java -jar /tmp/meterian-cli.jar
  1. It will ask one to authenticate because the final report it generated has limited access.

Link to tool: https://meterian.io/product/open-source-licence-compliance/

SCANOSS

  1. Install the tool.
$ pip3 install scanoss
  1. Run the tool.
$ scanoss-py scan <path-to-project-dir>

Link to tool: https://github.com/scanoss/scanoss.py

JFrog/build-info-go

  1. Download the executable from the GitHub page.
  2. Go to the root of the project and run:
$ bi mvn

Link to tool: https://github.com/jfrog/build-info-go

spdx-maven-plugin

  1. Run the following at the root of the maven project.
$ mvn org.spdx:spdx-maven-plugin:createSPDX

This plugin runs the tests of the maven project

Link to tool: https://github.com/spdx/spdx-maven-plugin

spdx-tools-java

  1. Download tool from the release page.

    Used version 1.1.3 for the report generation.

  2. Run the following command (listed in Generators): 
    $ java -jar tools-java-1.1.0-jar-with-dependencies.jar GenerateVerificationCode <project-dir>

Link to the tool: https://github.com/spdx/tools-java

microsoft-sbom-tool

  1. Download tool. 
    $ curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
$ chmod +x sbom-tool

    0.3.1 was used to generate report.

  2. Run the following command. 
    $ sbom-tool generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <package supplier> -nsb <namespace uri base>
    @algomaster99 ran: 
    tools/microsoft-sbom-tool/sbom-tool generate -b /home/aman/chains/sbom-files/mybatis-3/microsoft-sbom-tool -bc . -pn mybatis -pv 3.5.11 -ps org.mybatis -nsb https://mybatis.org/mybatis-3/

spdx-sbom-generator

  1. Download tool from README.

    URL: https://github.com/spdx/spdx-sbom-generator/releases/download/v0.0.10/spdx-sbom-generator-v0.0.10-linux-amd64.tar.gz

  2. Go to project directory and run. 
    $ ./spdx-sbom-generator

Link to tool: https://github.com/opensbom-generator/spdx-sbom-generator

swid-tools

  1. Clone project. 
    $ git clone git@github.com:usnistgov/swid-tools.git
  2. Install project locally. Run the following at the root of the cloned project. 
    $ mvn clean install
  3. Create assembly.xml and modify pom.xml as documented here.

    maven plugin version: 0.6.1

  4. Run mvn package.
  5. The plugin creates SWID tags and modified jar file in the target directory.

Link to tool: https://github.com/usnistgov/swid-tools

ort

  1. Clone project and build. 
    $ git clone --recurse-submodules https://github.com/oss-review-toolkit/ort.git
$ cd ort
$./gradlew installDist
  2. Run analyzer 
    $ ../../tools/ort/cli/build/install/ort/bin/ort analyze -i . -o /home/aman/chains/sbom-files/mybatis-3/ort -f JSON
  3. Run scanner 
    $ ../../tools/ort/cli/build/install/ort/bin/ort scan -i /home/aman/chains/sbom-files/mybatis-3/ort/analyze/analyzer-result.json -o /home/aman/chains/sbom-files/mybatis-3/ort/scan/ --skip-excluded

    It uses scancode-toolkit to be installed first. Was not working for mybatis so I have not pushed the file to repo.

Link to tool: https://github.com/oss-review-toolkit/ort

scancode-toolkit

  1. Clone project and follow instructions here to install the tool. 
    $ git clone git@github.com:nexB/scancode-toolkit.git
  2. Activate the virtual environment where scancode is install after running ./scancode --help: 
    $ source venv/bin/activate
  3. Go to project directory. 
    $ scancode -clpeui -n 2 --json-pp /home/aman/chains/sbom-files/mybatis-3/scancode/scancode.json .

openrewrite

  1. Run maven plugin in the project. 
    $ mvn org.openrewrite.maven:rewrite-maven-plugin:4.39.0:cyclonedx

Link to tool: https://github.com/openrewrite/rewrite-maven-plugin

dep-scan

  1. Download tool. 
    curl -LO https://github.com/AppThreat/depscan-bin/releases/download/v3.5.3/depscan-linux-amd64
chmod +x depscan-linux-amd64
  2. Go to root of the project and run the executable. 
    ./depscan-linux-amd64
  3. The results are output to <project-dir>/reports. We only require sbom-java.json out of them.

Link to tool: https://github.com/AppThreat/dep-scan

bom

  1. Download tool from release page.

    0.4.1

  2. Run at root directory. 
    $ bom generate -n http://example.com/ . -o sbom.spdx

    Not sure what this -n is.

  3. The above commands output a text file so we convert it into JSON.
  4. We use this package - https://pypi.org/project/spdx-tools/. 
    $ pyspdxtools_convertor -i sbom.spdx -o sbom.spdx.json -t json
  5. sbom.spdx.json is the output we need.

Link to tool: https://github.com/kubernetes-sigs/bom

About

Long term storage of software bills of materials (sbom) https://arxiv.org/pdf/2303.11102.pdf

Resources

Readme
Activity
Custom properties

Stars

6 stars

Watchers

5 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages