# SBOM2DOT
SBOM2DOT generates a dependency graph of the components within an SBOM (Software Bill of Materials). The format of the graph
file is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the
[GraphViz](https://graphviz.org/) application. SBOMs are supported in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
## Installation
To install use the following command:
`pip install sbom2dot`
Alternatively, just clone the repo and install dependencies using the following command:
`pip install -U -r requirements.txt`
The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.
## Usage
```
usage: sbom2dot [-h] [-i INPUT_FILE] [--debug] [-o OUTPUT_FILE] [-V]
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
Input:
-i INPUT_FILE, --input-file INPUT_FILE
Name of SBOM file
Output:
--debug add debug information
-o OUTPUT_FILE, --output-file OUTPUT_FILE
output filename (default: output to stdout)
```
## Operation
The `--input-file` option is used to specify the SBOM to be processed. The format of the SBOM is determined according to
the following filename conventions.
| SBOM | Format | Filename extension |
| --------- | --------- |--------------------|
| SPDX | TagValue | .spdx |
| SPDX | JSON | .spdx.json |
| SPDX | YAML | .spdx.yaml |
| SPDX | YAML | .spdx.yml |
| CycloneDX | JSON | .json |
The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but it can be stored in a file (specified using `--output-file` option).
The format of the file is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the
[GraphViz](https://graphviz.org/) application.
## Example
Given the following SBOM (flask.spdx)
```
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: flask
DocumentNamespace: http://spdx.org/spdxdocs/flask-529abb33-fcd0-4d40-9de8-38e97ff00df9
LicenseListVersion: 3.18
Creator: Tool: sbom4python-0.7.0
Created: 2023-01-27T16:16:26Z
CreatorComment: <text>This document has been automatically generated.</text>
PackageName: flask
SPDXID: SPDXRef-Package-1-flask
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/flask@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:flask:2.2.2:*:*:*:*:*:*:*
PackageName: click
SPDXID: SPDXRef-Package-2-click
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 8.0.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/click@8.0.3
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:click:8.0.3:*:*:*:*:*:*:*
PackageName: itsdangerous
SPDXID: SPDXRef-Package-3-itsdangerous
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/itsdangerous@2.1.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:itsdangerous:2.1.2:*:*:*:*:*:*:*
PackageName: jinja2
SPDXID: SPDXRef-Package-4-jinja2
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 3.0.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jinja2@3.0.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.0.2:*:*:*:*:*:*:*
PackageName: markupsafe
SPDXID: SPDXRef-Package-5-markupsafe
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.1
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:markupsafe:2.1.1:*:*:*:*:*:*:*
PackageName: werkzeug
SPDXID: SPDXRef-Package-6-werkzeug
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/werkzeug@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:werkzeug:2.2.2:*:*:*:*:*:*:*
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-2-click
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-3-itsdangerous
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-4-jinja2
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-6-werkzeug
Relationship: SPDXRef-Package-4-jinja2 DEPENDS_ON SPDXRef-Package-5-markupsafe
Relationship: SPDXRef-Package-6-werkzeug DEPENDS_ON SPDXRef-Package-5-markupsafe
```
The following commands will generate the dependency graph for the SBOM in PNG format.
```
sbom2dot --input flask.spdx --output flask.dot
dot -Tpng -o flask.png flask.dot
```
## Licence
Licenced under the Apache 2.0 Licence.
## Limitations
The tool has the following limitations
- No output will be generated if there are no relationships defined in the SBOM.
- SBOMs in RDF (SPDX) and XML (SPDX and CycloneDX) formats are not supported.
- Invalid SBOMs will result in unpredictable results.
- The generated dependency graph is likely to be unreadable with a large number of relationships.
## Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.
Raw data
{
"_id": null,
"home_page": "https://github.com/anthonyharrison/sbom2dot",
"name": "sbom2dot",
"maintainer": "Anthony Harrison",
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": "anthony.p.harrison@gmail.com",
"keywords": "security,tools,SBOM,DevSecOps,SPDX,CycloneDX,dot,graphviz",
"author": "Anthony Harrison",
"author_email": "anthony.p.harrison@gmail.com",
"download_url": "",
"platform": null,
"description": "# SBOM2DOT\n\nSBOM2DOT generates a dependency graph of the components within an SBOM (Software Bill of Materials). The format of the graph\nfile is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the\n[GraphViz](https://graphviz.org/) application. SBOMs are supported in a number of formats including\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).\n\n## Installation\n\nTo install use the following command:\n\n`pip install sbom2dot`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## Usage\n\n```\nusage: sbom2dot [-h] [-i INPUT_FILE] [--debug] [-o OUTPUT_FILE] [-V]\n\noptions:\n -h, --help show this help message and exit\n -V, --version show program's version number and exit\n\nInput:\n -i INPUT_FILE, --input-file INPUT_FILE\n Name of SBOM file\n\nOutput:\n --debug add debug information\n -o OUTPUT_FILE, --output-file OUTPUT_FILE\n output filename (default: output to stdout)\n```\n\t\t\t\t\t\n## Operation\n\nThe `--input-file` option is used to specify the SBOM to be processed. The format of the SBOM is determined according to\nthe following filename conventions.\n\n| SBOM | Format | Filename extension |\n| --------- | --------- |--------------------|\n| SPDX | TagValue | .spdx |\n| SPDX | JSON | .spdx.json |\n| SPDX | YAML | .spdx.yaml |\n| SPDX | YAML | .spdx.yml |\n| CycloneDX | JSON | .json |\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but it can be stored in a file (specified using `--output-file` option).\nThe format of the file is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the\n[GraphViz](https://graphviz.org/) application.\n\n## Example\n\nGiven the following SBOM (flask.spdx)\n\n```\nSPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: flask\nDocumentNamespace: http://spdx.org/spdxdocs/flask-529abb33-fcd0-4d40-9de8-38e97ff00df9\nLicenseListVersion: 3.18\nCreator: Tool: sbom4python-0.7.0\nCreated: 2023-01-27T16:16:26Z\nCreatorComment: <text>This document has been automatically generated.</text>\n\nPackageName: flask\nSPDXID: SPDXRef-Package-1-flask\nPackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)\nPackageVersion: 2.2.2\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageLicenseConcluded: BSD-3-Clause\nPackageLicenseDeclared: BSD-3-Clause\nPackageCopyrightText: NOASSERTION\nExternalRef: PACKAGE-MANAGER purl pkg:pypi/flask@2.2.2\nExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:flask:2.2.2:*:*:*:*:*:*:*\n\nPackageName: click\nSPDXID: SPDXRef-Package-2-click\nPackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)\nPackageVersion: 8.0.3\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageLicenseConcluded: BSD-3-Clause\nPackageLicenseDeclared: BSD-3-Clause\nPackageCopyrightText: NOASSERTION\nExternalRef: PACKAGE-MANAGER purl pkg:pypi/click@8.0.3\nExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:click:8.0.3:*:*:*:*:*:*:*\n\nPackageName: itsdangerous\nSPDXID: SPDXRef-Package-3-itsdangerous\nPackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)\nPackageVersion: 2.1.2\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageLicenseConcluded: BSD-3-Clause\nPackageLicenseDeclared: BSD-3-Clause\nPackageCopyrightText: NOASSERTION\nExternalRef: PACKAGE-MANAGER purl pkg:pypi/itsdangerous@2.1.2\nExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:itsdangerous:2.1.2:*:*:*:*:*:*:*\n\nPackageName: jinja2\nSPDXID: SPDXRef-Package-4-jinja2\nPackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)\nPackageVersion: 3.0.2\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageLicenseConcluded: BSD-3-Clause\nPackageLicenseDeclared: BSD-3-Clause\nPackageCopyrightText: NOASSERTION\nExternalRef: PACKAGE-MANAGER purl pkg:pypi/jinja2@3.0.2\nExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.0.2:*:*:*:*:*:*:*\n\nPackageName: markupsafe\nSPDXID: SPDXRef-Package-5-markupsafe\nPackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)\nPackageVersion: 2.1.1\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageLicenseConcluded: BSD-3-Clause\nPackageLicenseDeclared: BSD-3-Clause\nPackageCopyrightText: NOASSERTION\nExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.1\nExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:markupsafe:2.1.1:*:*:*:*:*:*:*\n\nPackageName: werkzeug\nSPDXID: SPDXRef-Package-6-werkzeug\nPackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)\nPackageVersion: 2.2.2\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\nPackageLicenseConcluded: BSD-3-Clause\nPackageLicenseDeclared: BSD-3-Clause\nPackageCopyrightText: NOASSERTION\nExternalRef: PACKAGE-MANAGER purl pkg:pypi/werkzeug@2.2.2\nExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:werkzeug:2.2.2:*:*:*:*:*:*:*\nRelationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask\nRelationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-2-click\nRelationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-3-itsdangerous\nRelationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-4-jinja2\nRelationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-6-werkzeug\nRelationship: SPDXRef-Package-4-jinja2 DEPENDS_ON SPDXRef-Package-5-markupsafe\nRelationship: SPDXRef-Package-6-werkzeug DEPENDS_ON SPDXRef-Package-5-markupsafe\n\n```\n\nThe following commands will generate the dependency graph for the SBOM in PNG format.\n\n```\nsbom2dot --input flask.spdx --output flask.dot\ndot -Tpng -o flask.png flask.dot\n```\n\n\n\n## Licence\n\nLicenced under the Apache 2.0 Licence.\n\n## Limitations\n\nThe tool has the following limitations\n\n- No output will be generated if there are no relationships defined in the SBOM. \n\n- SBOMs in RDF (SPDX) and XML (SPDX and CycloneDX) formats are not supported.\n\n- Invalid SBOMs will result in unpredictable results.\n\n- The generated dependency graph is likely to be unreadable with a large number of relationships.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.\n",
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "Create a dependency graph of the components within a SBOM",
"version": "0.3.0",
"project_urls": {
"Homepage": "https://github.com/anthonyharrison/sbom2dot"
},
"split_keywords": [
"security",
"tools",
"sbom",
"devsecops",
"spdx",
"cyclonedx",
"dot",
"graphviz"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "1c4acbecbed3088232957429969f7719989d36d70c49f952b0f09daf43cb5267",
"md5": "becb10054400ef8e321639744adf2c73",
"sha256": "58e368fb68abc027d0f823e64b41daadad2440243c6541a5ffa9e87c1f611870"
},
"downloads": -1,
"filename": "sbom2dot-0.3.0-py2.py3-none-any.whl",
"has_sig": false,
"md5_digest": "becb10054400ef8e321639744adf2c73",
"packagetype": "bdist_wheel",
"python_version": "py2.py3",
"requires_python": ">=3.7",
"size": 6290,
"upload_time": "2023-07-24T17:56:49",
"upload_time_iso_8601": "2023-07-24T17:56:49.595622Z",
"url": "https://files.pythonhosted.org/packages/1c/4a/cbecbed3088232957429969f7719989d36d70c49f952b0f09daf43cb5267/sbom2dot-0.3.0-py2.py3-none-any.whl",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-07-24 17:56:49",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "anthonyharrison",
"github_project": "sbom2dot",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"tox": true,
"lcname": "sbom2dot"
}
JSON
