sbom4rust


Namesbom4rust JSON
Version 0.5.2 PyPI version JSON
download
home_pagehttps://github.com/anthonyharrison/sbom4rust
SummarySBOM generator for Rust modules
upload_time2024-08-01 10:10:07
maintainerAnthony Harrison
docs_urlNone
authorAnthony Harrison
requires_python>=3.7
licenseApache-2.0
keywords security tools sbom devsecops spdx cyclonedx rust
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            # SBOM4Rust

SBOM4Rust generates a SBOM (Software Bill of Materials) for Rust application or library in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
It identifies all the dependent components which are explicity defined in the `Cargo.lock` file and reports the relationships between the components.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained
and also to support subsequent audit needs to determine if a particular component (and version) has been used.

## Installation

To install use the following command:

`pip install sbom4rust`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.

## Usage

```
usage: sbom4rust [-h] [-d DEPENDENCY] [-a APPLICATION] [--debug]
                 [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}]
                 [-o OUTPUT_FILE] [-V]
```

```
options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -d DEPENDENCY, --dependency DEPENDENCY
                        Directory containing Cargo.lock dependency file
  -a APPLICATION, --application APPLICATION
                        Name of application

Output:
  --debug               add debug information
  --sbom {spdx,cyclonedx}
                        specify type of sbom to generate (default: spdx)
  --format {tag,json,yaml}
                        format for SPDX software bill of materials (sbom) (default: tag)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)

```
					
## Operation

The `--dependency` option is used to identify the directory containing the `Cargo.lock` dependency file.
If this option is not specified, the current directory is assumed.

The `--application` option is used to specify an application within the `Cargo.lock` dependency file. This option must be specified.

The `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option
can be used to specify the formatting of the SPDX SBOM (the default is Tag Value format but JSON and YAML format are also supported).
All CycloneDX SBOMs are generated in JSON format.

The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).

All module licences are reported as 'NOASSERTION'. All module suppliers are reported as 'UNKNOWN'.

## Licence

Licenced under the Apache 2.0 Licence.

## Limitations

This tool is meant to support software development and security audit functions. The usefulness of the tool is dependent on the SBOM data
which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool
are therefore reminded that they should assert the quality of any data which is provided to the tool.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/anthonyharrison/sbom4rust",
    "name": "sbom4rust",
    "maintainer": "Anthony Harrison",
    "docs_url": null,
    "requires_python": ">=3.7",
    "maintainer_email": "anthony.p.harrison@gmail.com",
    "keywords": "security, tools, SBOM, DevSecOps, SPDX, CycloneDX, Rust",
    "author": "Anthony Harrison",
    "author_email": "anthony.p.harrison@gmail.com",
    "download_url": null,
    "platform": null,
    "description": "# SBOM4Rust\n\nSBOM4Rust generates a SBOM (Software Bill of Materials) for Rust application or library in a number of formats including\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).\nIt identifies all the dependent components which are explicity defined in the `Cargo.lock` file and reports the relationships between the components.\n\nIt is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained\nand also to support subsequent audit needs to determine if a particular component (and version) has been used.\n\n## Installation\n\nTo install use the following command:\n\n`pip install sbom4rust`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## Usage\n\n```\nusage: sbom4rust [-h] [-d DEPENDENCY] [-a APPLICATION] [--debug]\n                 [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}]\n                 [-o OUTPUT_FILE] [-V]\n```\n\n```\noptions:\n  -h, --help            show this help message and exit\n  -V, --version         show program's version number and exit\n\nInput:\n  -d DEPENDENCY, --dependency DEPENDENCY\n                        Directory containing Cargo.lock dependency file\n  -a APPLICATION, --application APPLICATION\n                        Name of application\n\nOutput:\n  --debug               add debug information\n  --sbom {spdx,cyclonedx}\n                        specify type of sbom to generate (default: spdx)\n  --format {tag,json,yaml}\n                        format for SPDX software bill of materials (sbom) (default: tag)\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        output filename (default: output to stdout)\n\n```\n\t\t\t\t\t\n## Operation\n\nThe `--dependency` option is used to identify the directory containing the `Cargo.lock` dependency file.\nIf this option is not specified, the current directory is assumed.\n\nThe `--application` option is used to specify an application within the `Cargo.lock` dependency file. This option must be specified.\n\nThe `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option\ncan be used to specify the formatting of the SPDX SBOM (the default is Tag Value format but JSON and YAML format are also supported).\nAll CycloneDX SBOMs are generated in JSON format.\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but can be stored in a file (specified using `--output-file` option).\n\nAll module licences are reported as 'NOASSERTION'. All module suppliers are reported as 'UNKNOWN'.\n\n## Licence\n\nLicenced under the Apache 2.0 Licence.\n\n## Limitations\n\nThis tool is meant to support software development and security audit functions. The usefulness of the tool is dependent on the SBOM data\nwhich is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool\nare therefore reminded that they should assert the quality of any data which is provided to the tool.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.\n",
    "bugtrack_url": null,
    "license": "Apache-2.0",
    "summary": "SBOM generator for Rust modules",
    "version": "0.5.2",
    "project_urls": {
        "Homepage": "https://github.com/anthonyharrison/sbom4rust"
    },
    "split_keywords": [
        "security",
        " tools",
        " sbom",
        " devsecops",
        " spdx",
        " cyclonedx",
        " rust"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "e1fa0bfbf96af26e359dd4c3be5c5306a6bea7728859da423e6acac9fbf7f949",
                "md5": "bc6076a96eb4f5fdb151e0282b693975",
                "sha256": "7e39df080bf33c553ec17890d5fa33d9f79787e82f8322a4eb4881348c63a011"
            },
            "downloads": -1,
            "filename": "sbom4rust-0.5.2-py2.py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "bc6076a96eb4f5fdb151e0282b693975",
            "packagetype": "bdist_wheel",
            "python_version": "py2.py3",
            "requires_python": ">=3.7",
            "size": 12165,
            "upload_time": "2024-08-01T10:10:07",
            "upload_time_iso_8601": "2024-08-01T10:10:07.740118Z",
            "url": "https://files.pythonhosted.org/packages/e1/fa/0bfbf96af26e359dd4c3be5c5306a6bea7728859da423e6acac9fbf7f949/sbom4rust-0.5.2-py2.py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-08-01 10:10:07",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "anthonyharrison",
    "github_project": "sbom4rust",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": false,
    "requirements": [],
    "tox": true,
    "lcname": "sbom4rust"
}
        
Elapsed time: 4.09917s