interlynk-io / sbomex Goto Github PK


Find & pull public SBOMs

Home Page: https://sbombenchmark.dev/

License: Other

Makefile 9.81% Go 87.48% Dockerfile 2.71%
go golang sbom sbom-distribution sbom-repository sbom-tool sbom-examples sbom-samples

sbomex's Introduction

sbomex: SBOM Explorer


sbomex is a command line utility for querying and pulling SBOMs from Interlynk's public SBOM repository. The tool is intended to help users become familiar with the specifications and formats of common SBOM standards and with the quality of the SBOMs that tools produce (see sbomqs - SBOM Quality Score for how the quality score is computed).

The underlying repository is updated periodically with SBOMs from a variety of sources built with many tools.

sbomex search : Search the repository for matching SBOMs

The search command finds SBOMs in the repository that match the given filtering criteria (specification, format, or tool name).

sbomex search --format json --spec cdx --tool trivy --target '%centos%7' --limit 3
  ID  TARGET                 QUALITY  TYPE      CREATOR
  14  centos:centos7.9.2009  7.38     cdx-json  trivy-0.36.1
  23  centos:centos7         7.38     cdx-json  trivy-0.36.1
  32  centos:7.9.2009        7.38     cdx-json  trivy-0.36.1

sbomex pull : Download the specified SBOM from the repository and print it to the screen

sbomex pull --id 23
{
   "SPDXID": "SPDXRef-DOCUMENT",
   "creationInfo": {
   	"created": "2023-03-01T01:32:02.939561Z",
   	"creators": [
   		"Tool: trivy",
   		"Organization: aquasecurity"
   	]
   },
   "dataLicense": "CC0-1.0",
...

Using containerized sbomex

docker run ghcr.io/interlynk-io/sbomex [search|pull] [options]

Example

docker run ghcr.io/interlynk-io/sbomex:latest search --format json --spec cdx --tool trivy --target '%box%' --limit 3
Unable to find image 'ghcr.io/interlynk-io/sbomex:latest' locally
latest: Pulling from interlynk-io/sbomex
bc89d6624a71: Already exists
bacb9c1935ff: Already exists
Digest: sha256:a00682b085fd21b7f071245a4d62d4825a07d9e783a8dfcda6b1f30f6a49514c
Status: Downloaded newer image for ghcr.io/interlynk-io/sbomex:latest
downloading db 100% |███████████████████████████| (89/89 MB, 5.4 MB/s)

A new version of sbomex is available v0.0.6.

  ID   TARGET          QUALITY  TYPE      CREATOR
  95   busybox:latest  3.25     cdx-json  trivy-0.36.1
  104  busybox:uclibc  3.25     cdx-json  trivy-0.36.1
  113  busybox:musl    3.25     cdx-json  trivy-0.36.1

SBOM Card

[image: SBOM Card]

Installation

Using Prebuilt binaries

https://github.com/interlynk-io/sbomex/releases

Using Homebrew

brew tap interlynk-io/interlynk
brew install sbomex

Using Go install

go install github.com/interlynk-io/sbomex@latest

Using repo

This approach involves cloning the repo and building it.

  1. Clone the repo: git clone git@github.com:interlynk-io/sbomex.git
  2. cd into the sbomex folder
  3. make build
  4. To check that the build was successful, run ./build/sbomex version

Contributions

We look forward to your contributions. Below are a few guidelines on how to submit them:

  • Fork the repo
  • Create your feature/bug branch (git checkout -b feature/new-feature)
  • Commit your changes (git commit -am "awesome new feature")
  • Push your changes (git push origin feature/new-feature)
  • Create a new pull-request

Other SBOM Open Source tools

  • SBOM Assembler - A tool to compose a single SBOM by combining other (part) SBOMs
  • SBOM Quality Score - A tool for evaluating the quality and completeness of SBOMs
  • SBOM Search Tool - A tool for grep-style semantic search in SBOMs
  • SBOM Explorer - A tool for discovering and downloading SBOMs from a public repository

Contact

We appreciate all feedback. The best ways to get in touch with us:

Stargazers

If you like this project, please support us by starring it.


sbomex's People

Contributors

kchetans, riteshnoronha, surendrapathak

Forkers

kchetans

sbomex's Issues

bom-v0.4.1 SBOMs don't contain distro information for Debian?

Appreciate this is more of a problem with the upstream tool, but I wanted to flag the data quality aspect here.

Here's an example of a Debian SBOM created using bom-v0.4.1:

sbomex pull --id 442

This contains references like:

pkg:deb/debian/[email protected]?arch=s390x

From the purl spec:

There is no default package repository: this should be implied either from the distro qualifiers key or using a base url as a repository_url qualifiers key.

Basically the purl is incomplete. Without the distro information the purl here is ambiguous. I'd argue based on the spec it's technically an invalid purl, but the spec as written is a bit hard to parse. But whether or not it's invalid, it's not specific without the distro information.

Update help description for the fetch command

build/sbomex fetch --help

downloads specified SBOM from the repository and prints to the screen

Usage:
sbomex fetch [flags]

Flags:
[Remove this one for now] --filter string Filter SBOM based on conditions provided
-h, --help help for fetch
--id int Fetch SBOM based on the input Id

Update help description for the search command

build/sbomex fetch --help
finds SBOM in the repository that matches the filtering criteria

Usage:
sbomex search [flags]

Flags:
--format string SBOM format options json/xml/tv
-h, --help help for search
--limit int max number of search results to print (default 25)
--spec string SBOM Specification options spdx/cdx
--tool string SBOM creator tool name (e.g. syft, trivy, bom)

Update help description for the tool

[Text marked in bold below must be added to the help]

Text:
sbomex help

SBOM Explorer (sbomex) is a command line utility to help query and fetch Interlynk's public SBOM repository. The tool is intended to help familiarize with the specifications and formats of common SBOM standards and the quality of produced SBOMs (See sbomqs). The underlying repository is updated periodically with SBOMs from a variety of sources built with many tools

Usage:
sbomex [command]

Available Commands:
completion Generate the autocompletion script for the specified shell
fetch downloads specified SBOM from the repository and prints to the screen
help Help about any command
search finds SBOM in the repository that matches the filtering criteria

Flags:
-h, --help help for sbomex
-t, --toggle Help message for toggle

Use "sbomex [command] --help" for more information about a command.

Invalid spec/format values have usability issues

The error message is always "invalid spec." It should be called out specifically.

Error messages:

  1. spec options are spdx or cdx
  2. format options are xml , json or tv (for tag-value)

[screenshot: 2023-03-09 at 10:40:18 PM]

Example of better error handling below -

  1. Shows the error string
  2. Prints help message
sbomqs score ~/Downloads/09-07-2022.csv --reportFormat basic2
Error: report format options are basic or detailed
Usage:
  sbomqs score [flags]

Flags:
      --category string       scoring category
      --dirpath string        sbom dir path
      --filepath string       sbom file path
  -h, --help                  help for score
      --reportFormat string   reporting format basic/detailed/json

Change fetch command to pull command

Change the fetch command to pull command to match related services. Here are the changes:

  1. command name in the help and description changed as follows

build/sbomex --help

....
fetch Downloads specified SBOM from the repository and prints to the screen
pull Pulls specified SBOM from the repository and prints to the screen

  2. build/sbomex pull --help
    Pulls specified SBOM from the repository and prints to the screen

Usage:
sbomex pull [flags]

Flags:
[Remove this one for now] --filter string Filter SBOM based on conditions provided
-h, --help help for pull
--id int Pull SBOM based on the input Id

  3. Update README.md - @surendrapathak is on this.

Download Latest DB

Add support to download latest sbom db.

  • Check if .interlynk-io/sbomex/sqlite3.db exists
  • If not, then create all directories
  • Download latest file from github-repo, decide latest file logic
  • Download file and save to 1
  • Open DB
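The steps listed in this issue, written out as an added example (not the project's code): check for the DB at the path the issue names, create the missing directories, stream the download into a temporary file next to the final path, reject anything that does not carry the SQLite file header, and only then rename it into place so a partial or bogus download is never visible as sqlite3.db. The Fetcher type, the HTTP timeout, the directory mode and the download URL are assumptions; the "latest file" selection the issue leaves open is not decided here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// sqliteMagic is the 16-byte header every SQLite 3 database file begins with.
var sqliteMagic = []byte("SQLite format 3\x00")

// Fetcher returns a stream of the latest DB. HTTPFetcher is the real one;
// the same signature lets tests substitute an in-memory reader.
type Fetcher func() (io.ReadCloser, error)

// HTTPFetcher downloads dbURL (an assumed URL) with a bounded timeout and
// rejects non-200 replies instead of saving an error page as the DB.
func HTTPFetcher(dbURL string) Fetcher {
	return func() (io.ReadCloser, error) {
		client := &http.Client{Timeout: 5 * time.Minute}
		resp, err := client.Get(dbURL)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("download %s: unexpected status %s", dbURL, resp.Status)
		}
		return resp.Body, nil
	}
}

// EnsureDB follows the issue's steps: if dbPath is missing, create its
// directories, fetch the latest DB into a temp file beside it, verify the
// header, then rename it into place. It returns true when it downloaded.
func EnsureDB(dbPath string, fetch Fetcher) (bool, error) {
	if _, err := os.Stat(dbPath); err == nil {
		return false, nil // already present, nothing to do
	} else if !errors.Is(err, os.ErrNotExist) {
		return false, err
	}
	dir := filepath.Dir(dbPath)
	if err := os.MkdirAll(dir, 0o700); err != nil { // mode is an assumption
		return false, err
	}
	body, err := fetch()
	if err != nil {
		return false, err
	}
	defer body.Close()
	// Check the header before writing anything: a truncated or HTML body
	// is rejected without ever touching the disk.
	hdr := make([]byte, len(sqliteMagic))
	if _, err := io.ReadFull(body, hdr); err != nil || !bytes.Equal(hdr, sqliteMagic) {
		return false, errors.New("download is not a SQLite database")
	}
	// Stream into a temp file in the same directory so the final rename is
	// atomic: a partial download is never visible at dbPath.
	tmp, err := os.CreateTemp(dir, ".sqlite3.db.*")
	if err != nil {
		return false, err
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // harmless after a successful rename
	if _, err := io.Copy(tmp, io.MultiReader(bytes.NewReader(hdr), body)); err != nil {
		tmp.Close()
		return false, err
	}
	if err := tmp.Close(); err != nil {
		return false, err
	}
	if err := os.Rename(tmpName, dbPath); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	home, err := os.UserHomeDir()
	if err != nil {
		fmt.Println(err)
		return
	}
	// Placeholder URL: the issue leaves the "latest file" selection undecided.
	ok, err := EnsureDB(filepath.Join(home, ".interlynk-io", "sbomex", "sqlite3.db"),
		HTTPFetcher("https://example.invalid/sbomex/latest/sqlite3.db"))
	fmt.Println("downloaded:", ok, "err:", err)
}
```

The header check is deliberately cheap; a released DB would also want a published checksum or signature compared before the rename, which this sketch does not model.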

Input validations for --id field

Please check input validations for --id fields.

./sbomex fetch --id -1
./sbomex fetch --id 12312312312321

All return bad data.
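An added example (not the project's code) covering both this issue and the earlier "Invalid spec/format values have usability issues" issue: each flag is validated on its own and the error names the offending flag with its allowed values, --id must be a positive integer within the known range, and the validated filter is turned into a parameterized query so the user-supplied --target LIKE pattern ('%centos%7' in the README) is bound as an argument rather than spliced into SQL text. The table and column names, the "tool-version" creator prefix match, the limit cap and the maxID parameter are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Allowed flag values, taken from the help text quoted in the issues.
var (
	specOptions   = []string{"spdx", "cdx"}
	formatOptions = []string{"json", "xml", "tv"}
)

// SearchFilter holds validated --spec/--format/--tool/--target/--limit values.
type SearchFilter struct {
	Spec, Format, Tool, Target string
	Limit                      int
}

// joinOptions renders ["json","xml","tv"] as "json, xml or tv" for error messages.
func joinOptions(opts []string) string {
	if len(opts) < 2 {
		return strings.Join(opts, "")
	}
	return strings.Join(opts[:len(opts)-1], ", ") + " or " + opts[len(opts)-1]
}

// checkOneOf reports an error that names the flag, e.g. "format options are
// json, xml or tv", instead of a generic "invalid spec" for every flag.
func checkOneOf(flag, val string, opts []string) error {
	for _, o := range opts {
		if val == o {
			return nil
		}
	}
	return fmt.Errorf("%s options are %s", flag, joinOptions(opts))
}

// ValidateSearch validates each flag independently; empty values mean "any".
func ValidateSearch(spec, format, tool, target string, limit int) (SearchFilter, error) {
	if spec != "" {
		if err := checkOneOf("spec", spec, specOptions); err != nil {
			return SearchFilter{}, err
		}
	}
	if format != "" {
		if err := checkOneOf("format", format, formatOptions); err != nil {
			return SearchFilter{}, err
		}
	}
	if limit < 1 || limit > 1000 { // upper bound is an assumption
		return SearchFilter{}, fmt.Errorf("limit must be between 1 and 1000, got %d", limit)
	}
	return SearchFilter{Spec: spec, Format: format, Tool: tool, Target: target, Limit: limit}, nil
}

// ParseID validates --id: a positive int64 no larger than maxID (assumed to be
// the highest id in the local DB; how it is obtained is outside this example).
func ParseID(raw string, maxID int64) (int64, error) {
	id, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("--id must be a whole number, got %q", raw)
	}
	if id < 1 {
		return 0, fmt.Errorf("--id must be positive, got %d", id)
	}
	if id > maxID {
		return 0, fmt.Errorf("--id %d is out of range (largest id in the repository is %d)", id, maxID)
	}
	return id, nil
}

// BuildQuery converts a validated filter into SQL with bind parameters.
// Table and column names are assumed. --target is a user-supplied LIKE
// pattern, so it is passed as an argument and never concatenated into the SQL.
func BuildQuery(f SearchFilter) (string, []any) {
	var where []string
	var args []any
	if f.Spec != "" {
		where = append(where, "spec = ?")
		args = append(args, f.Spec)
	}
	if f.Format != "" {
		where = append(where, "format = ?")
		args = append(args, f.Format)
	}
	if f.Tool != "" { // creators look like "trivy-0.36.1", so match the tool prefix (assumption)
		where = append(where, "creator LIKE ?")
		args = append(args, f.Tool+"-%")
	}
	if f.Target != "" {
		where = append(where, "target LIKE ?")
		args = append(args, f.Target)
	}
	q := "SELECT id, target, quality, type, creator FROM sboms"
	if len(where) > 0 {
		q += " WHERE " + strings.Join(where, " AND ")
	}
	q += " LIMIT ?"
	args = append(args, f.Limit)
	return q, args
}

func main() {
	f, err := ValidateSearch("cdx", "json", "trivy", "%centos%7", 3)
	if err != nil {
		fmt.Println("Error:", err)
		return
	}
	q, args := BuildQuery(f)
	fmt.Println(q, args)
	if _, err := ParseID("-1", 1000); err != nil {
		fmt.Println("Error:", err)
	}
}
```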
