sbom4python


Namesbom4python JSON
Version 0.12.1 PyPI version JSON
download
home_pagehttps://github.com/anthonyharrison/sbom4python
SummarySBOM generator for Python modules
upload_time2024-12-10 19:01:24
maintainerAnthony Harrison
docs_urlNone
authorAnthony Harrison
requires_python>=3.7
licenseApache-2.0
keywords security tools sbom devsecops spdx cyclonedx
VCS
bugtrack_url
requirements lib4sbom sbom4files sbom2dot lib4package importlib_metadata toml
Travis-CI No Travis.
coveralls test coverage No coveralls.
            # SBOM4Python

The SBOM4Python is a free, open source tool to generate a
SBOM (Software Bill of Materials) for an installed Python module in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
It identifies all of the dependent components which are
explicity defined (typically via requirements.txt file) or implicitly as a
hidden dependency.

It can also be used to create a SBOM from a requirements.txt file. In this case no transitive components will be identified.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained
and also to support subsequent audit needs to determine if a particular component (and version) has been used.

## Installation

To install use the following command:

`pip install sbom4python`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.

### Issues with Installation

If you get the following error

`ImportError: failed to find libmagic.  Check your installation`

This is because of a mismatch with the installation of the magic library. To resolve, please issue the following commands depending on your environment

#### Windows

```bash
pip uninstall python-magic
pip uninstall python-magic-bin

pip install python-magic
pip install python-magic-bin
```

#### Linxu based system

Install `libmagic` using a package manager, for example

```bash
apt install libmagic-dev
```

#### MacOS

Install `libmagic` using a package manager, for example

```bash
brew install libmagic
```

## Usage

```bash
usage: sbom4python [-h] [-m MODULE] [--system] [--exclude-license] [--include-file] [-d] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-g GRAPH] [-V]

SBOM4Python generates a Software Bill of Materials for the specified installed Python module identifying all of the dependent components which are explicity defined (typically via requirements.txt file)
or implicitly as a hidden dependency.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -m MODULE, --module MODULE
                        identity of python module
  -r REQUIREMENT, --requirement REQUIREMENT
                        name of requirements.txt file
  --system              include all installed python modules within system
  --exclude-license     suppress detecting the license of components
  --include-file        include reporting files associated with module

Output:
  -d, --debug           add debug information
  --sbom {spdx,cyclonedx}
                        specify type of sbom to generate (default: spdx)
  --format {tag,json,yaml}
                        specify format of software bill of materials (sbom) (default: tag)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
  -g GRAPH, --graph GRAPH
                        filename for dependency graph
```
						
## Operation

The `--module` option is used to identify the Python module. The `--system` option is used to indicate that the SBOM is to include all installed
Python modules.

The `--requirement` option is used to create an SBOM from a requirements.txt, pyproject.toml, setup.cfg or setup.py file. Whilst the filenames may be different e.g. requirements_test.txt can be specified, it is the file extension which determines the identification of the dependencies. Using this option will result in no transitive dependencies being
identified.

One of `--module`,  `--requirement` or `--system` must be specified. If multiple options are specified, the order of priority is `--module`, `--system` and `--requirement`.

The `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option
can be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both
SPDX and CycloneDX SBOMs).

The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).

The tool attempts to determine the license of each module. This can be suppressed using the `--exclude-license` option in
which case all licences are reported as 'NOASSERTION'.

The tool can optionally include the files associated with the installed module. This can be specified using the `--include-file` option. As the filenames are
relative to the directory in which the tool is invoked, it is recommended that the tool is launched in a directory where the source files are available.

The `--graph` option is used to generate a dependency graph of the components within the SBOM. The format of the graph
file is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the
[GraphViz](https://graphviz.org/) application.

## Licence

Licenced under the Apache 2.0 Licence.

The tool uses a local copy of the [SPDX Licenses List](https://github.com/spdx/license-list-data) which is released under
[Creative Commons Attribution 3.0 (CC-BY-3.0)](http://creativecommons.org/licenses/by/3.0/).

## Limitations

This tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data
which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool
are therefore reminded that they should assert the quality of any data which is provided to the tool.

The `--requirement` option will only report the package version for pinned dependencies.

When processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct [SPDX License Identifiers](https://spdx.org/licenses/). However, the
user of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.

Whilst [PURL](https://github.com/package-url/purl-spec) and [CPE](https://nvd.nist.gov/products/cpe) references are automatically generated for each Python module, the accuracy
of such references cannot be guaranteed as they are dependent on the validity of the data associated with the Python module.

Network access is required to populate some of the package metadata. If this is not available, a limited amount of package metadata will be included.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/anthonyharrison/sbom4python",
    "name": "sbom4python",
    "maintainer": "Anthony Harrison",
    "docs_url": null,
    "requires_python": ">=3.7",
    "maintainer_email": "anthony.p.harrison@gmail.com",
    "keywords": "security, tools, SBOM, DevSecOps, SPDX, CycloneDX",
    "author": "Anthony Harrison",
    "author_email": "anthony.p.harrison@gmail.com",
    "download_url": null,
    "platform": null,
    "description": "# SBOM4Python\n\nThe SBOM4Python is a free, open source tool to generate a\nSBOM (Software Bill of Materials) for an installed Python module in a number of formats including\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).\nIt identifies all of the dependent components which are\nexplicity defined (typically via requirements.txt file) or implicitly as a\nhidden dependency.\n\nIt can also be used to create a SBOM from a requirements.txt file. In this case no transitive components will be identified.\n\nIt is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained\nand also to support subsequent audit needs to determine if a particular component (and version) has been used.\n\n## Installation\n\nTo install use the following command:\n\n`pip install sbom4python`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n### Issues with Installation\n\nIf you get the following error\n\n`ImportError: failed to find libmagic.  Check your installation`\n\nThis is because of a mismatch with the installation of the magic library. To resolve, please issue the following commands depending on your environment\n\n#### Windows\n\n```bash\npip uninstall python-magic\npip uninstall python-magic-bin\n\npip install python-magic\npip install python-magic-bin\n```\n\n#### Linxu based system\n\nInstall `libmagic` using a package manager, for example\n\n```bash\napt install libmagic-dev\n```\n\n#### MacOS\n\nInstall `libmagic` using a package manager, for example\n\n```bash\nbrew install libmagic\n```\n\n## Usage\n\n```bash\nusage: sbom4python [-h] [-m MODULE] [--system] [--exclude-license] [--include-file] [-d] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-g GRAPH] [-V]\n\nSBOM4Python generates a Software Bill of Materials for the specified installed Python module identifying all of the dependent components which are explicity defined (typically via requirements.txt file)\nor implicitly as a hidden dependency.\n\noptions:\n  -h, --help            show this help message and exit\n  -V, --version         show program's version number and exit\n\nInput:\n  -m MODULE, --module MODULE\n                        identity of python module\n  -r REQUIREMENT, --requirement REQUIREMENT\n                        name of requirements.txt file\n  --system              include all installed python modules within system\n  --exclude-license     suppress detecting the license of components\n  --include-file        include reporting files associated with module\n\nOutput:\n  -d, --debug           add debug information\n  --sbom {spdx,cyclonedx}\n                        specify type of sbom to generate (default: spdx)\n  --format {tag,json,yaml}\n                        specify format of software bill of materials (sbom) (default: tag)\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        output filename (default: output to stdout)\n  -g GRAPH, --graph GRAPH\n                        filename for dependency graph\n```\n\t\t\t\t\t\t\n## Operation\n\nThe `--module` option is used to identify the Python module. The `--system` option is used to indicate that the SBOM is to include all installed\nPython modules.\n\nThe `--requirement` option is used to create an SBOM from a requirements.txt, pyproject.toml, setup.cfg or setup.py file. Whilst the filenames may be different e.g. requirements_test.txt can be specified, it is the file extension which determines the identification of the dependencies. Using this option will result in no transitive dependencies being\nidentified.\n\nOne of `--module`,  `--requirement` or `--system` must be specified. If multiple options are specified, the order of priority is `--module`, `--system` and `--requirement`.\n\nThe `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option\ncan be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both\nSPDX and CycloneDX SBOMs).\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but can be stored in a file (specified using `--output-file` option).\n\nThe tool attempts to determine the license of each module. This can be suppressed using the `--exclude-license` option in\nwhich case all licences are reported as 'NOASSERTION'.\n\nThe tool can optionally include the files associated with the installed module. This can be specified using the `--include-file` option. As the filenames are\nrelative to the directory in which the tool is invoked, it is recommended that the tool is launched in a directory where the source files are available.\n\nThe `--graph` option is used to generate a dependency graph of the components within the SBOM. The format of the graph\nfile is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the\n[GraphViz](https://graphviz.org/) application.\n\n## Licence\n\nLicenced under the Apache 2.0 Licence.\n\nThe tool uses a local copy of the [SPDX Licenses List](https://github.com/spdx/license-list-data) which is released under\n[Creative Commons Attribution 3.0 (CC-BY-3.0)](http://creativecommons.org/licenses/by/3.0/).\n\n## Limitations\n\nThis tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data\nwhich is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool\nare therefore reminded that they should assert the quality of any data which is provided to the tool.\n\nThe `--requirement` option will only report the package version for pinned dependencies.\n\nWhen processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct [SPDX License Identifiers](https://spdx.org/licenses/). However, the\nuser of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.\n\nWhilst [PURL](https://github.com/package-url/purl-spec) and [CPE](https://nvd.nist.gov/products/cpe) references are automatically generated for each Python module, the accuracy\nof such references cannot be guaranteed as they are dependent on the validity of the data associated with the Python module.\n\nNetwork access is required to populate some of the package metadata. If this is not available, a limited amount of package metadata will be included.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.\n",
    "bugtrack_url": null,
    "license": "Apache-2.0",
    "summary": "SBOM generator for Python modules",
    "version": "0.12.1",
    "project_urls": {
        "Homepage": "https://github.com/anthonyharrison/sbom4python"
    },
    "split_keywords": [
        "security",
        " tools",
        " sbom",
        " devsecops",
        " spdx",
        " cyclonedx"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "8502083cf90f1880143cfa1c4201651ed2e3ba814bb87054188dd4e82f6ea55e",
                "md5": "855008a3df38f68a1204e9015af55f16",
                "sha256": "c7e3cba40dc7e3224cdadda6ff66b34002d4a7d46799320ccdcc05ed64950e56"
            },
            "downloads": -1,
            "filename": "sbom4python-0.12.1-py2.py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "855008a3df38f68a1204e9015af55f16",
            "packagetype": "bdist_wheel",
            "python_version": "py2.py3",
            "requires_python": ">=3.7",
            "size": 45436,
            "upload_time": "2024-12-10T19:01:24",
            "upload_time_iso_8601": "2024-12-10T19:01:24.591481Z",
            "url": "https://files.pythonhosted.org/packages/85/02/083cf90f1880143cfa1c4201651ed2e3ba814bb87054188dd4e82f6ea55e/sbom4python-0.12.1-py2.py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-12-10 19:01:24",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "anthonyharrison",
    "github_project": "sbom4python",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "requirements": [
        {
            "name": "lib4sbom",
            "specs": [
                [
                    ">=",
                    "0.8.0"
                ]
            ]
        },
        {
            "name": "sbom4files",
            "specs": [
                [
                    ">=",
                    "0.4.4"
                ]
            ]
        },
        {
            "name": "sbom2dot",
            "specs": [
                [
                    ">=",
                    "0.3.0"
                ]
            ]
        },
        {
            "name": "lib4package",
            "specs": [
                [
                    ">=",
                    "0.3.1"
                ]
            ]
        },
        {
            "name": "importlib_metadata",
            "specs": [
                [
                    ">=",
                    "3.6"
                ]
            ]
        },
        {
            "name": "toml",
            "specs": []
        }
    ],
    "tox": true,
    "lcname": "sbom4python"
}
        
Elapsed time: 0.42493s