sbom2dot

Name: sbom2dot
Version: 0.3.1
Home page: https://github.com/anthonyharrison/sbom2dot
Summary: Create a dependency graph of the components within a SBOM
Upload time: 2024-08-29 20:25:06
Maintainer: Anthony Harrison
Author: Anthony Harrison
Requires Python: >=3.7
License: Apache-2.0
Keywords: security tools sbom devsecops spdx cyclonedx dot graphviz
# SBOM2DOT

SBOM2DOT generates a dependency graph of the components within an SBOM (Software Bill of Materials). The format of the graph
file is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the
[GraphViz](https://graphviz.org/) application. SBOMs are supported in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).

## Installation

To install use the following command:

`pip install sbom2dot`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.7+). It is recommended to use a virtual Python environment, especially
if you are using different versions of Python. `virtualenv` is a tool for setting up virtual Python environments; it
allows you to have all the dependencies for the tool set up in a single environment, or to have different environments set
up for testing with different versions of Python.

## Usage

```
usage: sbom2dot [-h] [-i INPUT_FILE] [--debug] [-o OUTPUT_FILE] [-V]

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        Name of SBOM file

Output:
  --debug               add debug information
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
```

## Operation

The `--input-file` option is used to specify the SBOM to be processed. The format of the SBOM is determined according to
the following filename conventions.

| SBOM      | Format    | Filename extension |
| --------- | --------- |--------------------|
| SPDX      | TagValue  | .spdx              |
| SPDX      | JSON      | .spdx.json         |
| SPDX      | YAML      | .spdx.yaml         |
| SPDX      | YAML      | .spdx.yml          |
| CycloneDX | JSON      | .json              |

The `--output-file` option controls the destination of the output generated by the tool. By
default the graph is written to the console (stdout); give a filename with `--output-file` to store it in a file instead.
The format of the output is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the
[GraphViz](https://graphviz.org/) application.

## Example

Given the following SBOM (flask.spdx):

```
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: flask
DocumentNamespace: http://spdx.org/spdxdocs/flask-529abb33-fcd0-4d40-9de8-38e97ff00df9
LicenseListVersion: 3.18
Creator: Tool: sbom4python-0.7.0
Created: 2023-01-27T16:16:26Z
CreatorComment: <text>This document has been automatically generated.</text>

PackageName: flask
SPDXID: SPDXRef-Package-1-flask
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/flask@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:flask:2.2.2:*:*:*:*:*:*:*

PackageName: click
SPDXID: SPDXRef-Package-2-click
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 8.0.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/click@8.0.3
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:click:8.0.3:*:*:*:*:*:*:*

PackageName: itsdangerous
SPDXID: SPDXRef-Package-3-itsdangerous
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/itsdangerous@2.1.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:itsdangerous:2.1.2:*:*:*:*:*:*:*

PackageName: jinja2
SPDXID: SPDXRef-Package-4-jinja2
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 3.0.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jinja2@3.0.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.0.2:*:*:*:*:*:*:*

PackageName: markupsafe
SPDXID: SPDXRef-Package-5-markupsafe
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.1
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:markupsafe:2.1.1:*:*:*:*:*:*:*

PackageName: werkzeug
SPDXID: SPDXRef-Package-6-werkzeug
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/werkzeug@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:werkzeug:2.2.2:*:*:*:*:*:*:*
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-2-click
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-3-itsdangerous
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-4-jinja2
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-6-werkzeug
Relationship: SPDXRef-Package-4-jinja2 DEPENDS_ON SPDXRef-Package-5-markupsafe
Relationship: SPDXRef-Package-6-werkzeug DEPENDS_ON SPDXRef-Package-5-markupsafe

```

The following commands will generate the dependency graph for the SBOM in PNG format.

```
sbom2dot --input flask.spdx --output flask.dot
dot -Tpng -o flask.png flask.dot
```

![Dependency Graph](flask.png)
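The filename conventions from the Operation table and the flask.spdx example above, worked through as an added example (this is not sbom2dot's own code): it classifies an SBOM by filename, pulls the package names and `Relationship` lines out of an SPDX tag-value document, and emits a DOT digraph. The sample SBOM is a constructed subset of flask.spdx; the way relationships are labelled and values are quoted is this example's choice, not necessarily the tool's.

```python
# Constructed subset of the README's flask.spdx (jinja2 deliberately has no
# PackageName so the label fall-back is exercised); embedded to run offline.
SAMPLE_SPDX = """\
PackageName: flask
SPDXID: SPDXRef-Package-1-flask
PackageName: markupsafe
SPDXID: SPDXRef-Package-5-markupsafe
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-4-jinja2
Relationship: SPDXRef-Package-4-jinja2 DEPENDS_ON SPDXRef-Package-5-markupsafe
"""

# Filename conventions from the Operation table; longest suffix first so ".spdx.json" wins over ".json".
_EXTENSIONS = ((".spdx.json", "SPDX", "JSON"), (".spdx.yaml", "SPDX", "YAML"), (".spdx.yml", "SPDX", "YAML"),
               (".spdx", "SPDX", "TagValue"), (".json", "CycloneDX", "JSON"))

def sbom_format(filename):
    for suffix, sbom, fmt in _EXTENSIONS:
        if filename.lower().endswith(suffix):
            return (sbom, fmt)
    raise ValueError(f"unrecognised SBOM filename: {filename}")

def parse_tagvalue(text):
    """Return ({SPDXID: PackageName}, [(src, relationship, dst)]) from SPDX tag-value text."""
    names, edges, pending = {}, [], None
    for line in text.splitlines():
        tag, _, value = line.strip().partition(": ")
        if tag == "PackageName":
            pending = value                    # the next SPDXID tag belongs to this package
        elif tag == "SPDXID" and pending:
            names[value], pending = pending, None
        elif tag == "Relationship" and len(value.split()) == 3:
            edges.append(tuple(value.split()))  # malformed relationship lines are skipped
    return names, edges

def dot_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')   # an SBOM value must not inject DOT syntax

def to_dot(names, edges):
    if not edges:                              # no relationships, no graph (see Limitations)
        return None
    lines = ["digraph sbom {"]
    for node in sorted({n for src, _, dst in edges for n in (src, dst)}):
        label = names.get(node, node)          # fall back to the SPDXID for unnamed elements
        lines.append(f'  "{dot_escape(node)}" [label="{dot_escape(label)}"];')
    for src, rel, dst in edges:
        lines.append(f'  "{dot_escape(src)}" -> "{dot_escape(dst)}" [label="{dot_escape(rel)}"];')
    lines.append("}")
    return "\n".join(lines)
```

Piping the result of `to_dot(*parse_tagvalue(SAMPLE_SPDX))` into `dot -Tpng` renders the same kind of graph as the `flask.png` shown above.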

## Licence

Licenced under the Apache 2.0 Licence.

## Limitations

The tool has the following limitations:

- No output will be generated if there are no relationships defined in the SBOM.

- SBOMs in RDF (SPDX) and XML (SPDX and CycloneDX) formats are not supported.

- Invalid SBOMs will result in unpredictable results.

- The generated dependency graph is likely to be unreadable with a large number of relationships.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

            
