# SBOM4JS
The SBOM4Js is a free, open source tool to generate a
SBOM (Software Bill of Materials) for Javascript application in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
It identifies all of the dependent components which are
explicity defined (typically via requirements.txt file) or implicitly as a
hidden dependency.
It can also be used to create a SBOM from a package-lock.json file. In this case no transitive components will be identified.
It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained
and also to support subsequent audit needs to determine if a particular component (and version) has been used.
## Installation
To install use the following command:
`pip install sbom4js`
Alternatively, just clone the repo and install dependencies using the following command:
`pip install -U -r requirements.txt`
The tool requires Python 3 (3.9+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.
## Usage
```bash
usage: sbom4js [-h] [-d DEPENDENCY] [--ignore] [--debug] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V]
SBOM4JS generates a Software Bill of Materials for a Javascript application identifying all of the dependent components.
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
Input:
-d DEPENDENCY, --dependency DEPENDENCY
Directory containing javascript dependency file
--ignore ignore missing dependencies
Output:
--debug add debug information
--sbom {spdx,cyclonedx}
specify type of sbom to generate (default: spdx)
--format {tag,json,yaml}
format for SPDX software bill of materials (sbom) (default: tag)
-o OUTPUT_FILE, --output-file OUTPUT_FILE
output filename (default: output to stdout)
```
## Operation
The `--dependency` option is used to identify the directory containing the `package-lock.json` dependency file.
If this option is not specified, the current directory is assumed.
The `--ignore` option is used to including any missing dependencies which are not fully specified in the dependency file.
The `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option
can be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both
SPDX and CycloneDX SBOMs).
The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).
The `--debug` option is used to generation debug information to the console.
## Licence
Licenced under the Apache 2.0 Licence.
The tool uses a local copy of the [SPDX Licenses List](https://github.com/spdx/license-list-data) which is released under
[Creative Commons Attribution 3.0 (CC-BY-3.0)](http://creativecommons.org/licenses/by/3.0/).
## Limitations
This tool is meant to support software development and security audit functions. However, the usefulness of the tool is dependent on the SBOM data
which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool
are therefore reminded that they should assert the quality of any data which is provided to the tool.
When processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct [SPDX License Identifiers](https://spdx.org/licenses/). However, the
user of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.
Whilst [PURL](https://github.com/package-url/purl-spec) and [CPE](https://nvd.nist.gov/products/cpe) references are automatically generated for each Javascript component, the accuracy
of such references cannot be guaranteed as they are dependent on the validity of the data associated with the Javascript component.
Network access is required to populate some package metadata. If this is not available, a limited amount of package metadata will be included.
## Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.
Raw data
{
"_id": null,
"home_page": "https://github.com/anthonyharrison/sbom4js",
"name": "sbom4js",
"maintainer": "Anthony Harrison",
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": "anthony.p.harrison@gmail.com",
"keywords": "security, tools, SBOM, DevSecOps, SPDX, CycloneDX, Javascript",
"author": "Anthony Harrison",
"author_email": "anthony.p.harrison@gmail.com",
"download_url": null,
"platform": null,
"description": "# SBOM4JS\n\nThe SBOM4Js is a free, open source tool to generate a\nSBOM (Software Bill of Materials) for Javascript application in a number of formats including\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).\nIt identifies all of the dependent components which are\nexplicity defined (typically via requirements.txt file) or implicitly as a\nhidden dependency.\n\nIt can also be used to create a SBOM from a package-lock.json file. In this case no transitive components will be identified.\n\nIt is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained\nand also to support subsequent audit needs to determine if a particular component (and version) has been used.\n\n## Installation\n\nTo install use the following command:\n\n`pip install sbom4js`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.9+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## Usage\n\n```bash\nusage: sbom4js [-h] [-d DEPENDENCY] [--ignore] [--debug] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V]\n\nSBOM4JS generates a Software Bill of Materials for a Javascript application identifying all of the dependent components.\n\noptions:\n -h, --help show this help message and exit\n -V, --version show program's version number and exit\n\nInput:\n -d DEPENDENCY, --dependency DEPENDENCY\n Directory containing javascript dependency file\n --ignore ignore missing dependencies\n\nOutput:\n --debug add debug information\n --sbom {spdx,cyclonedx}\n specify type of sbom to generate (default: spdx)\n --format {tag,json,yaml}\n format for SPDX software bill of materials (sbom) (default: tag)\n -o OUTPUT_FILE, --output-file OUTPUT_FILE\n output filename (default: output to stdout)\n```\n\t\t\t\t\t\t\n## Operation\n\nThe `--dependency` option is used to identify the directory containing the `package-lock.json` dependency file.\nIf this option is not specified, the current directory is assumed.\n\nThe `--ignore` option is used to including any missing dependencies which are not fully specified in the dependency file.\n\nThe `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option\ncan be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both\nSPDX and CycloneDX SBOMs).\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but can be stored in a file (specified using `--output-file` option).\n\nThe `--debug` option is used to generation debug information to the console.\n\n## Licence\n\nLicenced under the Apache 2.0 Licence.\n\nThe tool uses a local copy of the [SPDX Licenses List](https://github.com/spdx/license-list-data) which is released under\n[Creative Commons Attribution 3.0 (CC-BY-3.0)](http://creativecommons.org/licenses/by/3.0/).\n\n## Limitations\n\nThis tool is meant to support software development and security audit functions. However, the usefulness of the tool is dependent on the SBOM data\nwhich is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool\nare therefore reminded that they should assert the quality of any data which is provided to the tool.\n\nWhen processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct [SPDX License Identifiers](https://spdx.org/licenses/). However, the\nuser of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.\n\nWhilst [PURL](https://github.com/package-url/purl-spec) and [CPE](https://nvd.nist.gov/products/cpe) references are automatically generated for each Javascript component, the accuracy\nof such references cannot be guaranteed as they are dependent on the validity of the data associated with the Javascript component.\n\nNetwork access is required to populate some package metadata. If this is not available, a limited amount of package metadata will be included.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.\n",
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "SBOM generator for Javascript modules",
"version": "0.1.2",
"project_urls": {
"Homepage": "https://github.com/anthonyharrison/sbom4js"
},
"split_keywords": [
"security",
" tools",
" sbom",
" devsecops",
" spdx",
" cyclonedx",
" javascript"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "57b220b381b2645f17d05e5bbb3b67a7b250aed098d841021210aa09fafe4712",
"md5": "99638f55fc0b7716ca138063bd6b310b",
"sha256": "d299baf2673810f9eb3dc92381ae419fd695b194f2fcf0ba380bf6f28905b26f"
},
"downloads": -1,
"filename": "sbom4js-0.1.2-py2.py3-none-any.whl",
"has_sig": false,
"md5_digest": "99638f55fc0b7716ca138063bd6b310b",
"packagetype": "bdist_wheel",
"python_version": "py2.py3",
"requires_python": ">=3.8",
"size": 12988,
"upload_time": "2024-08-29T18:00:19",
"upload_time_iso_8601": "2024-08-29T18:00:19.778960Z",
"url": "https://files.pythonhosted.org/packages/57/b2/20b381b2645f17d05e5bbb3b67a7b250aed098d841021210aa09fafe4712/sbom4js-0.1.2-py2.py3-none-any.whl",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-08-29 18:00:19",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "anthonyharrison",
"github_project": "sbom4js",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"tox": true,
"lcname": "sbom4js"
}
JSON
