# csbom cli tool
This is a CLI tool that parses an SBOM produced by Scribe Security's valint tool, formatted as CycloneDX, and creates a CSV file containing the information described below.
### Installation
**Notice:** the tool is still in development, therefore it is suggested not to install it directly to your PATH. Instead, you could create a virtual python environment using python's [virtualenv](https://virtualenv.pypa.io/en/latest/installation.html) tool.
With this tool, you can create an environment with the command `virtualenv <env_name>`. virtualenv will create a directory in your current directory named `<env_name>`.
To activate your environment, on Linux/Mac you can run `source <env_name>/bin/activate` and on Windows, `.\<env_name>\Scripts\activate`.
To exit the environment, run `deactivate` and your terminal should go back to normal.
While the venv is active, install the tool with the Python package manager (this way, the tool will only be installed in the virtual environment):
```shell
pip install csbom==1.0.3
```
Example of installing and running csbom in a virtual environment:
```shell
# Create a virtual environment named `venv`
$ virtualenv venv
created virtual environment CPython3.10.10.final.0-64 in 159ms
  creator CPython3Posix(dest=<dest_path>, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=<app_dir> Application Support/virtualenv)
    added seed packages: pip==23.2.1, setuptools==68.0.0, wheel==0.41.0
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator

# Activate the virtual environment
$ source venv/bin/activate

# Install csbom tool
(venv) $ pip install csbom==1.0.3
Collecting csbom==1.0.3
  Obtaining dependency information for csbom==1.0.3 from https://files.pythonhosted.org/packages/9f/17/0350e4e05ed2a2adfa349a0da074e46f65f0a9d66ddecc485541eb78f799/csbom-1.0.1-py3-none-any.whl.metadata
  Downloading csbom-1.0.1-py3-none-any.whl.metadata (5.6 kB)
Collecting click>=7.1.2 (from csbom==1.0.3)
  Obtaining dependency information for click>=7.1.2 from https://files.pythonhosted.org/packages/00/2e/d53fa4befbf2cfa713304affc7ca780ce4fc1fd8710527771b58311a3229/click-8.1.7-py3-none-any.whl.metadata
  Downloading click-8.1.7-py3-none-any.whl.metadata (3.0 kB)
Downloading csbom-1.0.3-py3-none-any.whl (10 kB)
Downloading click-8.1.7-py3-none-any.whl (97 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 97.9/97.9 kB 3.7 MB/s eta 0:00:00
Installing collected packages: click, csbom
Successfully installed click-8.1.7 csbom-1.0.3

# Now, you can run csbom in your virtual environment!
(venv) $ which csbom
.../venv/bin/csbom

# Using the csbom tool
(venv) $ csbom dep2table bom.json -o analysis.csv
Dependency table successfully generated at `analysis.csv`!

# To exit the virtual environment
(venv) $ deactivate

# Notice that the (venv) disappears after calling deactivate
$ exit
```
The tool can also be installed and run normally without a virtual environment; the transcript above only shows how to install it exclusively inside one.
### Usage & Explanations
`csbom CMD [OPTIONS] ARG`
**General Options**: \
--help: display help information \
-o (--output): Choose output filename (default `dep/file/commit-analysis.csv`, depending on command) \
-a (--append-to): Optional, if present, csbom will append the output to the already existing csv specified \
**Commands**: \
dep2table: Given an SBOM generated with the '--components files' flag, output a table of important info, \
file2table: Given an SBOM as the argument, outputs a table of components of type file, \
git2table: Given an SBOM generated from a Git repo (with --components commits), outputs a table with all commit information, \
version: displays current version
**file2table** \
This command takes the SBOM and generates a CSV with 5 columns:
`bomref`, `name`, `hash`, `mimetime`, `mode`, and `last_commit`.
Each row contains an entry from the `components` array in the SBOM file with the corresponding information. If a component does not contain an entry for any of these 5 categories, it will be marked as None.
**dep2table** \
This command creates a CSV table of depender components mapped to dependee components, with information of `name`, `type`, `purl`, `hashes`, and `group` for each component.
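Added example, not code from csbom or its README: a small Python script showing how the file2table and dep2table mappings described above can be derived from a CycloneDX JSON document. The SBOM it parses is constructed inline (not real valint output), the column names of the dependency table are my own, and the handling of a `dependsOn` reference that matches no component is my choice, since the README does not say what csbom does in that case; such a dangling reference is worth surfacing, because a BOM whose dependency graph points at components it does not describe cannot be fully verified.

```python
import csv
import io
import json

# Constructed CycloneDX 1.4 document standing in for valint output (not a real
# SBOM). Field names follow the CycloneDX JSON schema.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:pypi/csbom@1.0.3",
                               "type": "application", "name": "csbom",
                               "purl": "pkg:pypi/csbom@1.0.3"}},
    "components": [
        {"bom-ref": "pkg:pypi/click@8.1.7", "type": "library", "name": "click",
         "group": "", "purl": "pkg:pypi/click@8.1.7",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"bom-ref": "file:src/csbom/cli.py", "type": "file",
         "name": "src/csbom/cli.py", "mime-type": "text/x-python",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        # A file component with no hash or mime-type, to exercise the None case.
        {"bom-ref": "file:README.md", "type": "file", "name": "README.md"},
    ],
    "dependencies": [
        # The second dependsOn entry points at nothing: a dangling reference.
        {"ref": "pkg:pypi/csbom@1.0.3",
         "dependsOn": ["pkg:pypi/click@8.1.7", "pkg:pypi/ghost@0.0.1"]},
        {"ref": "pkg:pypi/click@8.1.7", "dependsOn": []},
    ],
})

FILE_COLUMNS = ["bomref", "name", "hash", "mimetype"]
DEP_COLUMNS = ["depender_name", "depender_purl", "dependee_name",
               "dependee_type", "dependee_purl", "dependee_hash", "dependee_group"]


def load_bom(text):
    """Parse a CycloneDX JSON document and index every component by bom-ref."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    root = bom.get("metadata", {}).get("component")
    if root and root.get("bom-ref"):
        index[root["bom-ref"]] = root
    for comp in bom.get("components", []):
        if comp.get("bom-ref"):
            index[comp["bom-ref"]] = comp
    return bom, index


def first_hash(comp):
    """Return the first hash content of a component, or None if it has none."""
    hashes = comp.get("hashes") or []
    return hashes[0].get("content") if hashes else None


def file_rows(bom):
    """file2table-style rows: one per component of type 'file'."""
    rows = []
    for comp in bom.get("components", []):
        if comp.get("type") != "file":
            continue
        rows.append({"bomref": comp.get("bom-ref"), "name": comp.get("name"),
                     "hash": first_hash(comp), "mimetype": comp.get("mime-type")})
    return rows


def dep_rows(bom, index):
    """dep2table-style rows: one per (depender, dependee) edge."""
    rows = []
    for entry in bom.get("dependencies", []):
        depender = index.get(entry.get("ref")) or {"name": entry.get("ref")}
        for dep_ref in entry.get("dependsOn") or []:
            dependee = index.get(dep_ref)
            if dependee is None:
                # A ref with no matching component means an incomplete or edited
                # BOM; keep the edge visible rather than silently dropping it.
                dependee = {"name": "<unresolved:%s>" % dep_ref}
            rows.append({"depender_name": depender.get("name"),
                         "depender_purl": depender.get("purl"),
                         "dependee_name": dependee.get("name"),
                         "dependee_type": dependee.get("type"),
                         "dependee_purl": dependee.get("purl"),
                         "dependee_hash": first_hash(dependee),
                         "dependee_group": dependee.get("group")})
    return rows


def to_csv(rows, columns):
    """Render rows as CSV text, writing missing values as the literal None."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({c: ("None" if row.get(c) is None else row[c]) for c in columns})
    return buf.getvalue()


if __name__ == "__main__":
    bom, index = load_bom(SAMPLE_BOM)
    print(to_csv(file_rows(bom), FILE_COLUMNS))
    print(to_csv(dep_rows(bom, index), DEP_COLUMNS))
```

Run it as a script to see both tables; the dependency table keeps a row for the unresolved `pkg:pypi/ghost@0.0.1` edge with `<unresolved:...>` as the dependee name and None for its type, purl, hash and group, so a reviewer scanning the CSV sees the gap instead of a graph that looks complete.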
**git2table** \
This command creates a CSV table of git commits with 6 columns, `bomref`, `type` (which should always be commit), `name`, `commit-author`, `commit-message`, and `commit-timestamp`, for each commit in the SBOM.
**version**
displays the current version information
### Raw data
```json
{
  "_id": null,
  "home_page": "https://github.com/eyalarkin/csbom/tree/main",
  "name": "csbom",
  "maintainer": "",
  "docs_url": null,
  "requires_python": ">=3.7",
  "maintainer_email": "",
  "keywords": "",
  "author": "Eyal Arkin",
  "author_email": "eyal@scribesecurity.com",
  "download_url": "",
  "platform": null,
  "bugtrack_url": null,
  "license": "Apache License, Version 2.0",
  "summary": "cli tool for analyzing sbom files",
  "version": "1.0.3",
  "project_urls": {
    "Homepage": "https://github.com/eyalarkin/csbom/tree/main"
  },
  "split_keywords": [],
  "urls": [
    {
      "comment_text": "",
      "digests": {
        "blake2b_256": "5e3ca31649f9b9f15580e39128c4ea91ffe7d235bba769bc5b82eec0af2b216b",
        "md5": "3424d8b2e4177ed46c51310b412d5793",
        "sha256": "c8e14c66b820804be601f06062f1c9ff4b472c7dd01dc69713ae15fd35f043cb"
      },
      "downloads": -1,
      "filename": "csbom-1.0.3-py3-none-any.whl",
      "has_sig": false,
      "md5_digest": "3424d8b2e4177ed46c51310b412d5793",
      "packagetype": "bdist_wheel",
      "python_version": "py3",
      "requires_python": ">=3.7",
      "size": 10645,
      "upload_time": "2023-11-16T17:48:27",
      "upload_time_iso_8601": "2023-11-16T17:48:27.755708Z",
      "url": "https://files.pythonhosted.org/packages/5e/3c/a31649f9b9f15580e39128c4ea91ffe7d235bba769bc5b82eec0af2b216b/csbom-1.0.3-py3-none-any.whl",
      "yanked": false,
      "yanked_reason": null
    }
  ],
  "upload_time": "2023-11-16 17:48:27",
  "github": true,
  "gitlab": false,
  "bitbucket": false,
  "codeberg": false,
  "github_user": "eyalarkin",
  "github_project": "csbom",
  "travis_ci": false,
  "coveralls": false,
  "github_actions": false,
  "requirements": [
    {
      "name": "click",
      "specs": [
        [
          ">=",
          "7.1.2"
        ]
      ]
    }
  ],
  "lcname": "csbom"
}
```