# SBOMAUDIT
SBOMAUDIT reports on the quality of the contents of an SBOM (Software Bill of Materials) by performing a number of checks. SBOMs are supported in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
## Installation
To install use the following command:
`pip install sbomaudit`
Alternatively, just clone the repo and install dependencies using the following command:
`pip install -U -r requirements.txt`
The tool requires Python 3 (3.7+). It is recommended to use a virtual Python environment, especially
if you are using different versions of Python. `virtualenv` is a tool for setting up virtual Python environments which
allows you to have all the dependencies for the tool set up in a single environment, or to have different environments set
up for testing with different versions of Python.
## Usage
```
usage: sbomaudit [-h] [-i INPUT_FILE] [--offline] [--cpecheck] [--purlcheck] [--disable-license-check] [--age AGE] [--maxage MAXAGE] [--allow ALLOW] [--deny DENY] [--verbose] [--debug] [-o OUTPUT_FILE] [-V]

SBOMAudit reports on the quality of the contents of a SBOM.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        Name of SBOM file
  --offline             operate in offline mode
  --cpecheck            check for CPE specification
  --purlcheck           check for PURL specification
  --disable-license-check
                        disable check for SPDX License identifier
  --age AGE             minimum age of package (as integer representing days) to report (default: 0)
  --maxage MAXAGE       maximum age of package (as integer representing years) to report (default: 2)
  --allow ALLOW         Name of allow list file
  --deny DENY           Name of deny list file
  --verbose             verbose reporting

Output:
  --debug               add debug information
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
```
## Operation
The `--input-file` option is used to specify the SBOM to be processed. The format of the SBOM is determined according to
the following filename conventions.
| SBOM | Format | Filename extension |
| --------- |----------|--------------------|
| SPDX | TagValue | .spdx |
| SPDX | JSON | .spdx.json |
| SPDX | YAML | .spdx.yaml |
| SPDX | YAML | .spdx.yml |
| CycloneDX | JSON | .json |
| CycloneDX | XML | .xml |
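The filename conventions in the table, written out as a lookup (an added example, not sbomaudit's own code). The ordering matters: `.spdx.json` has to be tried before `.json`, or an SPDX JSON document would be treated as CycloneDX. The `content_kind` cross-check on the `bomFormat` and `spdxVersion` top-level keys is this example's own addition; the page does not say the tool performs it.

```python
# Added example, not sbomaudit's own code: resolve the SBOM type and
# serialisation from a filename using the conventions in the table above,
# then cross-check the parsed content so a mislabelled file is caught early.
from __future__ import annotations

# Most specific suffix first: ".spdx.json" must be tried before ".json",
# otherwise an SPDX JSON document would be treated as CycloneDX.
_SUFFIXES: list[tuple[str, str, str]] = [
    (".spdx.json", "SPDX", "JSON"),
    (".spdx.yaml", "SPDX", "YAML"),
    (".spdx.yml", "SPDX", "YAML"),
    (".spdx", "SPDX", "TagValue"),
    (".json", "CycloneDX", "JSON"),
    (".xml", "CycloneDX", "XML"),
]


def detect_sbom_format(filename: str) -> tuple[str, str] | None:
    """Return (sbom, format) for a filename, or None when no convention matches."""
    name = filename.lower()
    for suffix, sbom, fmt in _SUFFIXES:
        if name.endswith(suffix):
            return sbom, fmt
    return None


def content_kind(doc: dict) -> str | None:
    """Identify a parsed JSON document by its top-level keys: a CycloneDX
    document carries 'bomFormat', an SPDX document carries 'spdxVersion'."""
    if "bomFormat" in doc:
        return "CycloneDX"
    if "spdxVersion" in doc:
        return "SPDX"
    return None


def consistent(filename: str, doc: dict) -> bool:
    """True when the filename convention and the content agree. A 'bom.json'
    that actually holds SPDX would otherwise be parsed as CycloneDX."""
    detected = detect_sbom_format(filename)
    return detected is not None and detected[0] == content_kind(doc)


if __name__ == "__main__":
    for f in ("click.json", "app.spdx.json", "bom.XML", "notes.txt"):
        print(f, "->", detect_sbom_format(f))
```

`consistent` is worth running before auditing any file that arrives from outside the build, since the tool decides the parser purely from the filename.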
The `--offline` option is used when the tool is used in an environment where access to external systems is not available. This means
that some audit checks are not performed.
The `--cpecheck` and `--purlcheck` options enable additional checks on the identifiers of an SBOM component.
The `--disable-license-check` option is used to disable the check that the licenses have valid [SPDX License identifiers](https://spdx.org/licenses/).
The `--age` option can be used to report packages whose release is younger than the specified number of days, i.e. where a very recent release of a package is being used.
The `--maxage` option can be used to report if the release date of a package, which is not the latest version, is greater than the value specified. The default value is 2 years.
The `--allow` and `--deny` options specify additional checks on the licenses and packages which are allowed or denied within an SBOM.
An **_allow_** file contains the set of licenses and packages which are permitted within the SBOM; this may be useful to ensure that the SBOM does not contain any
unapproved licenses, or packages not identified in a software design. A **_deny_** file specifies the licenses and packages which must not be contained within the SBOM.
The `--verbose` option can be used to report the results of all the checks performed; by default only failed checks and the summaries are reported.
The `--output-file` option controls the destination of the output generated by the tool. The
default is to report to the console; when a filename is given, the output is stored in that file.
### Allow and Deny list file formats
The files are text files consisting of two sections:
- List of SPDX license identifiers
- List of package names
Each section is optional.
These files can be used to enforce a development policy, e.g. use the deny list to report on licenses which are not approved.
The following sample allow file would only allow components with the MIT, Apache-2.0 or BSD-3-Clause licenses.
It also expects only a single package, 'click'.
```bash
# This is an example ALLOW list file for SBOMAUDIT
# Allowed licenses
[license]
MIT
Apache-2.0
BSD-3-Clause
# Allowed packages
[package]
click
```
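A parser for this two-section format and the allow/deny evaluation it feeds, as an added example that is not sbomaudit's own code. The allow list is the sample above; the deny list, the `PolicyList` type and the `Pass`/`Fail` texts are constructed for the example. Entries are compared case-insensitively here, which is this example's choice; the page does not state the tool's own matching rule.

```python
# Added example, not sbomaudit's own parser: read an allow or deny list in the
# two-section format shown above and apply it to a component.
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed inputs: the allow list is the sample above; the deny list is made up.
ALLOW_TEXT = """\
# This is an example ALLOW list file for SBOMAUDIT
[license]
MIT
Apache-2.0
BSD-3-Clause
[package]
click
"""
DENY_TEXT = """\
[license]
GPL-3.0-only
[package]
leftpad
"""


@dataclass
class PolicyList:
    licenses: set[str] = field(default_factory=set)
    packages: set[str] = field(default_factory=set)


def _norm(value: str) -> str:
    return value.strip().lower()


def parse_policy_list(text: str) -> PolicyList:
    """Sections are '[license]' and '[package]'; both are optional. Blank lines
    and '#' comments are skipped. Entries before any section header, or under an
    unknown header, are rejected rather than silently ignored."""
    result = PolicyList()
    current: set[str] | None = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            if section == "license":
                current = result.licenses
            elif section == "package":
                current = result.packages
            else:
                raise ValueError(f"line {lineno}: unknown section [{section}]")
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry {line!r} before any section header")
        current.add(_norm(line))
    return result


def check_component(name: str, license_id: str | None,
                    allow: PolicyList | None = None,
                    deny: PolicyList | None = None) -> list[tuple[str, str]]:
    """Return (text, state) pairs. A section that is absent from a list file
    produces no check, mirroring the 'Optionally check ...' items in the README."""
    pkg = _norm(name)
    lic = _norm(license_id) if license_id else None
    reports: list[tuple[str, str]] = []
    if allow is not None:
        if allow.packages:
            reports.append((f"Package {name} in ALLOW list",
                            "Pass" if pkg in allow.packages else "Fail"))
        if allow.licenses:  # a missing license can never be on the allow list
            reports.append((f"License for {name} in ALLOW list",
                            "Pass" if lic in allow.licenses else "Fail"))
    if deny is not None:
        if deny.packages:
            reports.append((f"Package {name} not in DENY list",
                            "Fail" if pkg in deny.packages else "Pass"))
        if deny.licenses:
            reports.append((f"License for {name} not in DENY list",
                            "Fail" if lic in deny.licenses else "Pass"))
    return reports


if __name__ == "__main__":
    allow, deny = parse_policy_list(ALLOW_TEXT), parse_policy_list(DENY_TEXT)
    for text, state in check_component("requests", "GPL-3.0-only", allow, deny):
        print("[x]" if state == "Pass" else "[ ]", text)
```

Rejecting entries that appear before a section header, instead of dropping them, is the defensive choice: a policy file that silently loses lines would let an unapproved license through without any report.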
## Checks Performed
The following section identifies the checks which are performed.
### SBOM Format
The following checks are performed:
- Check that the version of the SBOM is either version 2.2 or 2.3 (SPDX) or version 1.3, 1.4, 1.5 or 1.6 (CycloneDX).
- Check that a creator is defined.
- Check that the time that the SBOM is created is defined.
### Files
The following checks are performed for each file item:
- Check that a file name is specified.
- Check that the file type is specified.
- Check that a license is specified and that the license identified is a valid [SPDX License identifier](https://spdx.org/licenses/). Note that NOASSERTION is not considered a valid license.
- Check that the license is an [OSI Approved](https://opensource.org/licenses/) license.
- Optionally check that the license is allowed as specified in the ALLOW list
- Optionally check that the license is not included in the licenses specified in the DENY list
- Check that a copyright statement is specified. Note that NOASSERTION is not considered a valid copyright statement.
### Packages
The following checks are performed on each package item:
- Check that a package name is specified.
- Optionally check that the package name is allowed as specified in the ALLOW list
- Optionally check that the package name is not included in the packages specified in the DENY list
- Check that a supplier is specified.
- Check that a version is specified.
- Check that the package version is the latest released version of the package. The latest version checks are only performed if the `--offline` option is not specified.
- Check that a mature version of the package is being used as determined by the value specified in the `--age` option. The release date checks are only performed if the `--offline` option is not specified.
- Check whether the age of the package version in use, when it is not the latest released version, is greater than the value specified in the `--maxage` option.
This check is only performed if the `--offline` option is not specified.
- Check that a license is specified and that the license identified is a valid [SPDX License identifier](https://spdx.org/licenses/). Note that NOASSERTION is not considered a valid license.
- Check that the license is an [OSI Approved](https://opensource.org/licenses/) license.
- Optionally check that the license is allowed as specified in the ALLOW list
- Optionally check that the license is not included in the licenses specified in the DENY list
- Check that a [PURL specification](https://github.com/package-url/purl-spec) is provided for the package.
- Check that a [CPE specification](https://nvd.nist.gov/products/cpe) is provided for the package.
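A minimal auditor that applies the package checks above (and the per-package relationship check from the Relationships section) to a CycloneDX-style document, emitting records in the `{"text", "state"}` shape the tool writes to its output file. This is an added example, not sbomaudit's implementation: `SPDX_IDS` and `OSI_APPROVED` are constructed subsets (the tool checks the full lists), the sample document is constructed to reproduce the gaps seen in the failing report further down, and the latest-version checks are omitted because they need registry access.

```python
# Added example, not sbomaudit's own implementation: a minimal auditor that
# applies the package and relationship checks listed above to a CycloneDX-style
# document and emits records in the tool's {"text", "state"} shape.
from __future__ import annotations

import re

# Constructed subsets for the example; the real tool checks the full SPDX
# license list and the OSI-approved list.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "MPL-2.0"}
OSI_APPROVED = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "MPL-2.0"}

# The name is the last path segment of a PURL, before any '@version' or qualifiers.
_PURL_NAME = re.compile(r"^pkg:[^/]+/(?:[^/@?#]+/)*([^/@?#]+)")

# Constructed sample document: 'click' is complete, 'platformdirs' has the gaps
# seen in the failing report (no supplier, NOASSERTION license, no CPE, and no
# dependency relationship).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "bom-ref": "1-click", "name": "click", "version": "8.1.3",
         "supplier": {"name": "Armin Ronacher"},
         "cpe": "cpe:2.3:a:armin_ronacher:click:8.1.3:*:*:*:*:*:*:*",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}],
         "purl": "pkg:pypi/click@8.1.3"},
        {"type": "library", "bom-ref": "2-platformdirs", "name": "platformdirs",
         "version": "2.6.2",
         "licenses": [{"license": {"id": "NOASSERTION"}}],
         "purl": "pkg:pypi/platformdirs@2.6.2"},
    ],
    "dependencies": [{"ref": "CDXRef-DOCUMENT", "dependsOn": ["1-click"]}],
}


def _record(text: str, ok: bool) -> dict:
    return {"text": text, "state": "Pass" if ok else "Fail"}


def _license_id(component: dict) -> str | None:
    for entry in component.get("licenses", []):
        lic_id = entry.get("license", {}).get("id")
        if lic_id:
            return lic_id
    return None


def related_refs(doc: dict) -> set[str]:
    """bom-refs that take part in at least one dependency relationship."""
    refs: set[str] = set()
    for dep in doc.get("dependencies", []):
        targets = dep.get("dependsOn", [])
        if targets:  # an entry with an empty dependsOn relates nothing
            refs.add(dep.get("ref"))
            refs.update(targets)
    return refs


def audit_package(component: dict, refs: set[str],
                  check_purl: bool = True, check_cpe: bool = True) -> list[dict]:
    name = component.get("name") or ""
    out = [
        _record(f"Name included for package {name or '<unnamed>'}", bool(name)),
        _record(f"Supplier included for package {name}",
                bool(component.get("supplier", {}).get("name"))),
        _record(f"Version included for package {name}", bool(component.get("version"))),
    ]
    lic = _license_id(component)
    # NOASSERTION is a placeholder, not a license, so it fails the presence check too.
    out.append(_record(f"License included for package {name}",
                       bool(lic) and lic != "NOASSERTION"))
    out.append(_record(f"SPDX Compatible License id included for package {name}",
                       lic in SPDX_IDS))
    out.append(_record(f"OSI Approved license for {name}", lic in OSI_APPROVED))
    if check_purl:
        purl = component.get("purl") or ""
        out.append(_record(f"PURL included for package {name}", bool(purl)))
        m = _PURL_NAME.match(purl)
        out.append(_record(f"PURL name compatible with package {name}",
                           bool(m) and m.group(1).lower() == name.lower()))
    if check_cpe:
        cpe = component.get("cpe") or ""
        out.append(_record(f"CPE name included for package {name}", cpe.startswith("cpe:2.3:")))
    out.append(_record(f"Dependency relationship found for {name}",
                       component.get("bom-ref") in refs))
    return out


def audit(doc: dict, check_purl: bool = True, check_cpe: bool = True) -> dict:
    refs = related_refs(doc)
    packages = {c.get("name", ""): audit_package(c, refs, check_purl, check_cpe)
                for c in doc.get("components", [])}
    flat = [r for reports in packages.values() for r in reports]
    passed = sum(r["state"] == "Pass" for r in flat)
    return {"relationships_defined": bool(doc.get("dependencies")),
            "packages": packages,
            "summary": {"passed": passed, "failed": len(flat) - passed}}


if __name__ == "__main__":
    for reports in audit(SAMPLE_BOM)["packages"].values():
        for r in reports:
            print("[x]" if r["state"] == "Pass" else "[ ]", r["text"])
```

The PURL name comparison is the check the page calls "PURL name compatible with package"; a PURL that names a different package than the component it is attached to is a sign the SBOM was assembled from the wrong metadata, which is worth catching before the SBOM is used for vulnerability matching.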
### Latest package version checks
The checks for the latest package version are performed for packages within the following language ecosystems:
- dart
- go
- java
- javascript
- .net
- perl
- python
- r
- ruby
- rust
- swift
### Relationships
The following checks are performed:
- Check that relationships are defined.
- Check that every file is included in at least one relationship.
- Check that every package is included in at least one relationship.
### NTIA Conformance
The following checks are performed:
- Check that the contents of the SBOM meet the minimum requirements for an SBOM as defined by the [NTIA](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf).
### Implementing a Development Policy
The `--age`, `--maxage`, `--allow` and `--deny` options can be used to enforce a development policy.
The checks which violate the development policy are reported in a separate section of the output file.
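The two date-based policy checks, `--age` (a release must be at least N days old to count as mature) and `--maxage` (a version that is not the latest must not be older than N years), as an added example that is not the tool's own code. The release dates are constructed (the `click` one is chosen so that the age comes out at the 928 days shown in the sample output file below); the real tool obtains them from the package registry, which is why these checks are skipped in `--offline` mode. A year is taken as 365 days here, which is an assumption of this example.

```python
# Added example, not the tool's own code: the --age and --maxage policy checks
# with constructed release dates.
from __future__ import annotations

from datetime import date

DAYS_PER_YEAR = 365  # assumption for this example; the page does not state the conversion

# Constructed sample: (package, release date of the version in use, is it the latest?)
SAMPLE_RELEASES = [
    ("click", date(2022, 6, 17), False),   # 928 days old on 2024-12-31, newer release exists
    ("fresh", date(2024, 12, 28), True),   # 3 days old on 2024-12-31, latest release
]


def check_mature(name: str, released: date, today: date, min_age_days: int = 0) -> dict:
    """--age: a release younger than min_age_days is not yet considered mature."""
    age = (today - released).days
    ok = age >= min_age_days
    text = f"Using mature version of package {name}"
    return {"text": text if ok else f"{text}: Age of release is {age} days",
            "state": "Pass" if ok else "Fail"}


def check_old(name: str, released: date, today: date, is_latest: bool,
              max_age_years: int = 2) -> dict:
    """--maxage: a version that is not the latest release and is older than
    max_age_years is reported. The latest release always passes."""
    age = (today - released).days
    ok = is_latest or age <= max_age_years * DAYS_PER_YEAR
    text = f"Using old version of package {name}"
    return {"text": text if ok else f"{text}: Age of release is {age} days",
            "state": "Pass" if ok else "Fail"}


def policy_report(releases, today: date, min_age_days: int = 0,
                  max_age_years: int = 2) -> dict:
    """Build the 'policy' section plus pass/fail counts for the summary."""
    policy = []
    for name, released, is_latest in releases:
        policy.append(check_mature(name, released, today, min_age_days))
        policy.append(check_old(name, released, today, is_latest, max_age_years))
    passed = sum(r["state"] == "Pass" for r in policy)
    return {"policy": policy,
            "summary": {"passed": passed, "failed": len(policy) - passed}}


if __name__ == "__main__":
    report = policy_report(SAMPLE_RELEASES, date(2024, 12, 31), min_age_days=7)
    for r in report["policy"]:
        print("[x]" if r["state"] == "Pass" else "[ ]", r["text"])
    print("Policy checks passed", report["summary"]["passed"])
    print("Policy checks failed", report["summary"]["failed"])
```

The two checks pull in opposite directions on purpose: `--age` guards against adopting a release before the ecosystem has had time to notice problems with it, while `--maxage` flags dependencies that have been left behind once newer releases exist.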
## Example
Given the following SBOM (click.json):
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuided03b5fe-42a8-41ee-b68f-114aa6fcead9",
  "version": 1,
  "metadata": {
    "timestamp": "2023-02-21T16:09:46Z",
    "tools": [
      {
        "name": "sbom4python",
        "version": "0.8.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "CDXRef-DOCUMENT",
      "name": "Python-click"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "1-click",
      "name": "click",
      "version": "8.1.3",
      "supplier": {
        "name": "Armin Ronacher",
        "contact": [
          {
            "email": "armin.ronacher@active-4.com"
          }
        ]
      },
      "cpe": "cpe:2.3:a:armin_ronacher:click:8.1.3:*:*:*:*:*:*:*",
      "description": "Composable command line interface toolkit",
      "licenses": [
        {
          "license": {
            "id": "BSD-3-Clause",
            "url": "https://opensource.org/licenses/BSD-3-Clause"
          }
        }
      ],
      "externalReferences": [
        {
          "url": "https://palletsprojects.com/p/click/",
          "type": "other",
          "comment": "Home page for project"
        }
      ],
      "purl": "pkg:pypi/click@8.1.3"
    }
  ],
  "dependencies": [
    {
      "ref": "CDXRef-DOCUMENT",
      "dependsOn": [
        "1-click"
      ]
    }
  ]
}
```
The following command will audit the contents of the SBOM.
```bash
sbomaudit --input-file click.json
╭─────────────────────╮
│ SBOM Format Summary │
╰─────────────────────╯
[x] SBOM Format
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
[x] Package Summary
╭───────────────────────╮
│ Relationships Summary │
╰───────────────────────╯
[x] Relationship Summary
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
[x] NTIA Summary
╭────────────────────╮
│ SBOM Audit Summary │
╰────────────────────╯
[x] Checks passed 11
[x] Checks failed 0
```
The following command produces a verbose report and summary of the contents of the SBOM on the console.
```bash
sbomaudit --input-file click.json --verbose --cpecheck --purlcheck
╭─────────────────────╮
│ SBOM Format Summary │
╰─────────────────────╯
[x] Up to date CycloneDX Version
[x] SBOM Creator identified
[x] SBOM Creation time defined
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
[x] Supplier included for package click
[x] Version included for package click
[x] License included for package click
[x] SPDX Compatible License id included for package click
[x] OSI Approved license for click
[x] Non-deprecated license for click
[x] Using latest version of package click
[x] Using mature version of package click
[x] Using old version of package click
[x] CPE name included for package click
[x] PURL included for package click
[x] PURL name compatible with package click
[x] NTIA compliant
╭───────────────────────╮
│ Relationships Summary │
╰───────────────────────╯
[x] Dependency relationships provided for NTIA compliance
[x] Dependency relationship found for click
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
[x] NTIA conformant
╭────────────────────╮
│ SBOM Audit Summary │
╰────────────────────╯
[x] Checks passed 19
[x] Checks failed 0
```
The following is an example of the output which is generated
when some checks on the contents of the SBOM fail.
```bash
╭─────────────────────╮
│ SBOM Format Summary │
╰─────────────────────╯
[x] SBOM Format
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
[ ] Using latest version of package black: Version is 22.12.0; latest is 23.1.0
[ ] Using latest version of package mypy-extensions: Version is 0.4.3; latest is 1.0.0
[ ] SPDX Compatible License id included for package pathspec: MPL 2.0
[ ] Using latest version of package pathspec: Version is 0.10.3; latest is 0.11.0
[ ] License included for package platformdirs: MISSING
[ ] SPDX Compatible License id included for package platformdirs: NOASSERTION
[ ] Using latest version of package platformdirs: Version is 2.6.2; latest is 3.0.0
[ ] CPE name included for package platformdirs: MISSING
[ ] License included for package tomli: MISSING
[ ] SPDX Compatible License id included for package tomli: NOASSERTION
[ ] NTIA compliant : FAILED
╭───────────────────────╮
│ Relationships Summary │
╰───────────────────────╯
[x] Relationship Summary
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
[ ] NTIA conformant : FAILED
╭────────────────────╮
│ SBOM Audit Summary │
╰────────────────────╯
[x] Checks passed 42
[x] Checks failed 12
```
## Output File Format
The output file is in JSON format. The content depends on the contents of the SBOM and the specified command line options.
```bash
sbomaudit --input-file click.json --verbose --output-file click_analysis.json
```
As the `--verbose` option is specified, the resulting JSON file contains the results of all the checks which have been performed.
```json
{
  "metadata": [
    {
      "text": "Up to date SPDX Version",
      "state": "Pass"
    },
    {
      "text": "SBOM Creator identified",
      "state": "Pass"
    },
    {
      "text": "SBOM Creation time defined",
      "state": "Pass"
    }
  ],
  "packages": [
    {
      "name": "click",
      "version": "8.0.3",
      "reports": [
        {
          "text": "Supplier included for package click",
          "state": "Pass"
        },
        {
          "text": "Version included for package click",
          "state": "Pass"
        },
        {
          "text": "License included for package click",
          "state": "Pass"
        },
        {
          "text": "SPDX Compatible License id included for package click",
          "state": "Pass"
        },
        {
          "text": "OSI Approved license for click",
          "state": "Pass"
        },
        {
          "text": "Non-deprecated license for click",
          "state": "Pass"
        },
        {
          "text": "Using latest version of package click: Version is 8.0.3; latest is 8.1.7",
          "state": "Fail"
        }
      ]
    }
  ],
  "policy": [
    {
      "text": "Using mature version of package click",
      "state": "Pass"
    },
    {
      "text": "Using old version of package click: Age of release is 928 days",
      "state": "Fail"
    }
  ],
  "relationships": [
    {
      "text": "Dependency relationships provided for NTIA compliance",
      "state": "Pass"
    },
    {
      "text": "Dependency relationship found for click",
      "state": "Pass"
    }
  ],
  "summary": [
    {
      "text": "NTIA conformant",
      "state": "Pass"
    },
    {
      "text": "Checks passed 13",
      "state": "Pass"
    },
    {
      "text": "Checks failed 1",
      "state": "Pass"
    },
    {
      "text": "Policy checks passed 1",
      "state": "Pass"
    },
    {
      "text": "Policy checks failed 1",
      "state": "Pass"
    }
  ]
}
```
## Return Values
The following values are returned:
- -1 indicates SBOM file not specified
- 0 indicates NTIA compliance has failed
- 1 indicates NTIA compliance has passed
## License
Licensed under the Apache 2.0 License.
## Limitations
The tool has the following limitations:
- The latest version checks are only performed in an environment where access to external systems is available.
- Invalid SBOMs produce unpredictable results.
## Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.
## Package Metadata
- Package: sbomaudit 0.4.4 (wheel `sbomaudit-0.4.4-py2.py3-none-any.whl`, uploaded 2024-12-18)
- Author and maintainer: Anthony Harrison
- Homepage: https://github.com/anthonyharrison/sbomaudit
- License: Apache-2.0; requires Python >=3.7
- Dependencies: lib4sbom>=0.8.1, lib4package>=0.2.0, rich, requests, packageurl-python, python-dateutil, pytz
- Wheel SHA-256: da113a18679ce4f4201b502a7cbf450834aff0b9c95c247cb6ee9354e834eb1a
- Wheel URL: https://files.pythonhosted.org/packages/27/ab/6aba2271b01da35f9de67d9c548aa0b7a52f946c9c486c5617516556706b/sbomaudit-0.4.4-py2.py3-none-any.whl