sbomaudit


Namesbomaudit JSON
Version 0.4.3 PyPI version JSON
download
home_pagehttps://github.com/anthonyharrison/sbomaudit
SummaryAudit SBOM contents
upload_time2024-07-28 11:08:22
maintainerAnthony Harrison
docs_urlNone
authorAnthony Harrison
requires_python>=3.7
licenseApache-2.0
keywords audit quality tools sbom devsecops spdx cyclonedx
VCS
bugtrack_url
requirements lib4sbom lib4package rich requests packageurl-python python-dateutil pytz
Travis-CI No Travis.
coveralls test coverage No coveralls.
            # SBOMAUDIT

SBOMAUDIT reports on the quality of the contents of an SBOM (Software Bill of Materials) by performing a number of checks. SBOMs are supported in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).

## Installation

To install use the following command:

`pip install sbomaudit`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.

## Usage

```
usage: sbomaudit [-h] [-i INPUT_FILE] [--offline] [--cpecheck] [--purlcheck] [--disable-license-check] [--age AGE] [--maxage MAXAGE] [--allow ALLOW] [--deny DENY] [--verbose] [--debug] [-o OUTPUT_FILE] [-V]

SBOMAudit reports on the quality of the contents of a SBOM.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        Name of SBOM file
  --offline             operate in offline mode
  --cpecheck            check for CPE specification
  --purlcheck           check for PURL specification
  --disable-license-check
                        disable check for SPDX License identifier
  --age AGE             minimum age of package (as integer representing days) to report (default: 0)
  --maxage MAXAGE       maximum age of package (as integer representing years) to report (default: 2)
  --allow ALLOW         Name of allow list file
  --deny DENY           Name of deny list file
  --verbose             verbose reporting

Output:
  --debug               add debug information
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
```
					
## Operation

The `--input-file` option is used to specify the SBOM to be processed. The format of the SBOM is determined according to
the following filename conventions.

| SBOM      | Format   | Filename extension |
| --------- |----------|--------------------|
| SPDX      | TagValue | .spdx              |
| SPDX      | JSON     | .spdx.json         |
| SPDX      | YAML     | .spdx.yaml         |
| SPDX      | YAML     | .spdx.yml          |
| CycloneDX | JSON     | .json              |
| CycloneDX | XML      | .xml               |

The `--offline` option is used when the tool is used in an environment where access to external systems is not available. This means
that some audit checks are not performed.

The `--cpecheck` and `--purlcheck` options are used to enable additional checks related to a SBOM component.

The `--disable-license-check` option is used to disable the check that the licenses have valid [SPDX License identifiers](https://spdx.org/licenses/).

The `--age` option can be used to report if a recent release of a package is being used.

The `--maxage` option can be used to report if the release date of a package, which is not the latest version, is greater than the value specified. The default value is 2 years.

The `--allow` and `--deny` options are used to specify additional checks related to licenses and packages which are to be allowed or denied within a SBOM component.
An **_allow_** file contains the set of licenses and packages which to be contained within the SBOM; this may be useful to ensure that the SBOM does not contain any
unapproved licenses or packages not identified in a software design. A **_deny_** file is used to specify the licenses and packages which must not be contained within the SBOM.

The `--verbose` option can be used to report the results of all the checks performed; the default is just report failed checks and summaries.

The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).

### Allow and Deny list file formats

The files are text files consisting of two sections

- List of SPDX license identifiers
- Lst of Package names

Each section is optional.

These files can be used to enforce a development policy e.g. use the deny list to report on licences which are not approved.

In this sample allow file, this would only allow cemponents with the MIT, Apache-2.0 or BSD-3-Clause licenses.
It is also only expecting a single package 'click'.

```bash
# This is an example ALLOW list file for SBOMAUDIT
# Allowed licenses
[license]
MIT
Apache-2.0
BSD-3-Clause
# Allowed packages 
[package] 
click                                                           
```

## Checks Performed

The following section identifies the checks which are performed.

### SBOM Format

The following checks are performed:

- Check that the version of the SBOM is either version 2.2 or 2.3 (SPDX) or version 1.3, 1.4, 1.5 or 1.6 (CycloneDX).

- Check that a creator is defined.

- Check that the time that the SBOM is created is defined.

### Files

The following checks are performed for each file item:

- Check that a file name is specified.

- Check that the file type is specified.

- Check that a license is specified and that the license identified is a valid [SPDX License identifier](https://spdx.org/licenses/). Note that NOASSERTION is not considered a valid license.

- Check that the license is an [OSI Approved](https://opensource.org/licenses/) license.

- Optionally check that the license is allowed as specified in the ALLOW list

- Optionally check that the license is not included in the licenses specified in the DENY list

- Check that a copyright statement is specified. Note that NOASSERTION is not considered a valid copyright statement.

### Packages

The following checks are performed on each package item:

- Check that a package name is specified.

- Optionally check that the package name is allowed as specified in the ALLOW list

- Optionally check that the package name is not included in the packages specified in the DENY list

- Check that a supplier is specified.

- Check that a version is specified.

- Check that the package version is the latest released version of the package. The latest version checks are only performed if the `--offline` option is not specified.

- Check that a mature version of the package is being used as determined by the value specified in the `--age` option. The release date checks are only performed if the `--offline` option is not specified.

- Check the age of a package being used, which is not the latest released version, is greater than the value specified in the `--maxage` option.
The check is only performed if the `--offline` option is not specified.

- Check that a license is specified and that the license identified is a valid [SPDX License identifier](https://spdx.org/licenses/). Note that NOASSERTION is not considered a valid license.

- Check that the license is an [OSI Approved](https://opensource.org/licenses/) license.

- Optionally check that the license is allowed as specified in the ALLOW list

- Optionally check that the license is not included in the licenses specified in the DENY list

- Check that a [PURL specification](https://github.com/package-url/purl-spec) is provided for the package.

- Check that a [CPE specification](https://nvd.nist.gov/products/cpe) is provided for the package.

### Latest package version checks

The checks for the latest package version are performed for packages within the following language ecosystems:

- dart
- go
- java
- javascript
- .net
- perl
- python
- r
- ruby
- rust
- swift

### Relationships

The following checks are performed:

- Check that relationships are defined.

- Check that every file is included in at least one relationship.

- Check that every package is included in at least one relationship.

### NTIA Conformance

The following checks are performed:

- Check that the contents of the SBOM meet the minimum requirements for an SBOM as defined by the [NTIA](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf).

### Implementing a Development Policy

The use of the `--age`, `--maxage`, `--allow` and `--deny` options can be used to enforce a development policy.

A report of the checks which violate against the development policy is contained in a section within the output file.

## Example

Given the following SBOM (click.json)

```
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuided03b5fe-42a8-41ee-b68f-114aa6fcead9",
  "version": 1,
  "metadata": {
    "timestamp": "2023-02-21T16:09:46Z",
    "tools": [
      {
        "name": "sbom4python",
        "version": "0.8.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "CDXRef-DOCUMENT",
      "name": "Python-click"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "1-click",
      "name": "click",
      "version": "8.1.3",
      "supplier": {
        "name": "Armin Ronacher",
        "contact": [
          {
            "email": "armin.ronacher@active-4.com"
          }
        ]
      },
      "cpe": "cpe:2.3:a:armin_ronacher:click:8.1.3:*:*:*:*:*:*:*",
      "description": "Composable command line interface toolkit",
      "licenses": [
        {
          "license": {
            "id": "BSD-3-Clause",
            "url": "https://opensource.org/licenses/BSD-3-Clause"
          }
        }
      ],
      "externalReferences": [
        {
          "url": "https://palletsprojects.com/p/click/",
          "type": "other",
          "comment": "Home page for project"
        }
      ],
      "purl": "pkg:pypi/click@8.1.3"
    }
  ],
  "dependencies": [
    {
      "ref": "CDXRef-DOCUMENT",
      "dependsOn": [
        "1-click"
      ]
    }
  ]
}
```

The following command will audit the contents of the SBOM.

```bash
sbomaudit --input-file click.json
╭─────────────────────╮
│ SBOM Format Summary │
╰─────────────────────╯
[x] SBOM Format
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
[x] Package Summary
╭───────────────────────╮
│ Relationships Summary │
╰───────────────────────╯
[x] Relationship Summary
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
[x] NTIA Summary
╭────────────────────╮
│ SBOM Audit Summary │
╰────────────────────╯
[x] Checks passed 11
[x] Checks failed 0                                                              
```

A verbose report and summary of the contents of the SBOM to the console.

```bash
sbomaudit --input-file click.json --verbose --cpecheck --purlcheck
╭─────────────────────╮
│ SBOM Format Summary │
╰─────────────────────╯
[x] Up to date CycloneDX Version
[x] SBOM Creator identified
[x] SBOM Creation time defined
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
[x] Supplier included for package click
[x] Version included for package click
[x] License included for package click
[x] SPDX Compatible License id included for package click
[x] OSI Approved license for click
[x] Non-deprecated license for click
[x] Using latest version of package click
[x] Using mature version of package click
[x] Using old version of package click
[x] CPE name included for package click
[x] PURL included for package click
[x] PURL name compatible with package click
[x] NTIA compliant
╭───────────────────────╮
│ Relationships Summary │
╰───────────────────────╯
[x] Dependency relationships provided for NTIA compliance
[x] Dependency relationship found for click
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
[x] NTIA conformant
╭────────────────────╮
│ SBOM Audit Summary │
╰────────────────────╯
[x] Checks passed 19
[x] Checks failed 0
```

The following is an example of the output which is generated
when some checks on the contents of the SBOM fail.

```bash
╭─────────────────────╮
│ SBOM Format Summary │
╰─────────────────────╯
[x] SBOM Format
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
[ ] Using latest version of package black: Version is 22.12.0; latest is 23.1.0
[ ] Using latest version of package mypy-extensions: Version is 0.4.3; latest is 1.0.0
[ ] SPDX Compatible License id included for package pathspec: MPL 2.0
[ ] Using latest version of package pathspec: Version is 0.10.3; latest is 0.11.0
[ ] License included for package platformdirs: MISSING
[ ] SPDX Compatible License id included for package platformdirs: NOASSERTION
[ ] Using latest version of package platformdirs: Version is 2.6.2; latest is 3.0.0
[ ] CPE name included for package platformdirs: MISSING
[ ] License included for package tomli: MISSING
[ ] SPDX Compatible License id included for package tomli: NOASSERTION
[ ] NTIA compliant : FAILED
╭───────────────────────╮
│ Relationships Summary │
╰───────────────────────╯
[x] Relationship Summary
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
[ ] NTIA conformant : FAILED
╭────────────────────╮
│ SBOM Audit Summary │
╰────────────────────╯
[x] Checks passed 42
[x] Checks failed 12                                                   
```

## Output File Format

The output file is in JSON format. The content depends on the contents of the SBOM and the specified command line options.

```bash
sbomaudit --input-file click.json --verbose --output-file click_analysis.json
```

As the `--verbose` option is specified, the resulting JSON file contains the results of all the checks which have been performed.

```json
{
  "metadata": [
    {
      "text": "Up to date SPDX Version",
      "state": "Pass"
    },
    {
      "text": "SBOM Creator identified",
      "state": "Pass"
    },
    {
      "text": "SBOM Creation time defined",
      "state": "Pass"
    }
  ],
  "packages": [
    {
      "name": "click",
      "version": "8.0.3",
      "reports": [
        {
          "text": "Supplier included for package click",
          "state": "Pass"
        },
        {
          "text": "Version included for package click",
          "state": "Pass"
        },
        {
          "text": "License included for package click",
          "state": "Pass"
        },
        {
          "text": "SPDX Compatible License id included for package click",
          "state": "Pass"
        },
        {
          "text": "OSI Approved license for click",
          "state": "Pass"
        },
        {
          "text": "Non-deprecated license for click",
          "state": "Pass"
        },
        {
          "text": "Using latest version of package click: Version is 8.0.3; latest is 8.1.7",
          "state": "Fail"
        }
      ]
    }
  ],
  "policy": [
    {
      "text": "Using mature version of package click",
      "state": "Pass"
    },
    {
      "text": "Using old version of package click: Age of release is 928 days",
      "state": "Fail"
    }
  ],
  "relationships": [
    {
      "text": "Dependency relationships provided for NTIA compliance",
      "state": "Pass"
    },
    {
      "text": "Dependency relationship found for click",
      "state": "Pass"
    }
  ],
  "summary": [
    {
      "text": "NTIA conformant",
      "state": "Pass"
    },
    {
      "text": "Checks passed 13",
      "state": "Pass"
    },
    {
      "text": "Checks failed 1",
      "state": "Pass"
    },
    {
      "text": "Policy checks passed 1",
      "state": "Pass"
    },
    {
      "text": "Policy checks failed 1",
      "state": "Pass"
    }
  ]
}
```

## Return Values

The following values are returned:

- -1 indicates SBOM file not specified
- 0 indicates NTIA compliance has failed
- 1 indicates NTIA compliance has passed

## License

Licensed under the Apache 2.0 License.

## Limitations

The tool has the following limitations:

- The latest version checks are only performed in an environment where access to external systems is available.

- Invalid SBOMs will result in unpredictable results.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/anthonyharrison/sbomaudit",
    "name": "sbomaudit",
    "maintainer": "Anthony Harrison",
    "docs_url": null,
    "requires_python": ">=3.7",
    "maintainer_email": "anthony.p.harrison@gmail.com",
    "keywords": "audit, quality, tools, SBOM, DevSecOps, SPDX, CycloneDX",
    "author": "Anthony Harrison",
    "author_email": "anthony.p.harrison@gmail.com",
    "download_url": null,
    "platform": null,
    "description": "# SBOMAUDIT\n\nSBOMAUDIT reports on the quality of the contents of an SBOM (Software Bill of Materials) by performing a number of checks. SBOMs are supported in a number of formats including\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).\n\n## Installation\n\nTo install use the following command:\n\n`pip install sbomaudit`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## Usage\n\n```\nusage: sbomaudit [-h] [-i INPUT_FILE] [--offline] [--cpecheck] [--purlcheck] [--disable-license-check] [--age AGE] [--maxage MAXAGE] [--allow ALLOW] [--deny DENY] [--verbose] [--debug] [-o OUTPUT_FILE] [-V]\n\nSBOMAudit reports on the quality of the contents of a SBOM.\n\noptions:\n  -h, --help            show this help message and exit\n  -V, --version         show program's version number and exit\n\nInput:\n  -i INPUT_FILE, --input-file INPUT_FILE\n                        Name of SBOM file\n  --offline             operate in offline mode\n  --cpecheck            check for CPE specification\n  --purlcheck           check for PURL specification\n  --disable-license-check\n                        disable check for SPDX License identifier\n  --age AGE             minimum age of package (as integer representing days) to report (default: 0)\n  --maxage MAXAGE       maximum age of package (as integer representing years) to report (default: 2)\n  --allow ALLOW         Name of allow list file\n  --deny DENY           Name of deny list file\n  --verbose             verbose reporting\n\nOutput:\n  --debug               add debug information\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        output filename (default: output to stdout)\n```\n\t\t\t\t\t\n## Operation\n\nThe `--input-file` option is used to specify the SBOM to be processed. The format of the SBOM is determined according to\nthe following filename conventions.\n\n| SBOM      | Format   | Filename extension |\n| --------- |----------|--------------------|\n| SPDX      | TagValue | .spdx              |\n| SPDX      | JSON     | .spdx.json         |\n| SPDX      | YAML     | .spdx.yaml         |\n| SPDX      | YAML     | .spdx.yml          |\n| CycloneDX | JSON     | .json              |\n| CycloneDX | XML      | .xml               |\n\nThe `--offline` option is used when the tool is used in an environment where access to external systems is not available. This means\nthat some audit checks are not performed.\n\nThe `--cpecheck` and `--purlcheck` options are used to enable additional checks related to a SBOM component.\n\nThe `--disable-license-check` option is used to disable the check that the licenses have valid [SPDX License identifiers](https://spdx.org/licenses/).\n\nThe `--age` option can be used to report if a recent release of a package is being used.\n\nThe `--maxage` option can be used to report if the release date of a package, which is not the latest version, is greater than the value specified. The default value is 2 years.\n\nThe `--allow` and `--deny` options are used to specify additional checks related to licenses and packages which are to be allowed or denied within a SBOM component.\nAn **_allow_** file contains the set of licenses and packages which to be contained within the SBOM; this may be useful to ensure that the SBOM does not contain any\nunapproved licenses or packages not identified in a software design. A **_deny_** file is used to specify the licenses and packages which must not be contained within the SBOM.\n\nThe `--verbose` option can be used to report the results of all the checks performed; the default is just report failed checks and summaries.\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but can be stored in a file (specified using `--output-file` option).\n\n### Allow and Deny list file formats\n\nThe files are text files consisting of two sections\n\n- List of SPDX license identifiers\n- Lst of Package names\n\nEach section is optional.\n\nThese files can be used to enforce a development policy e.g. use the deny list to report on licences which are not approved.\n\nIn this sample allow file, this would only allow cemponents with the MIT, Apache-2.0 or BSD-3-Clause licenses.\nIt is also only expecting a single package 'click'.\n\n```bash\n# This is an example ALLOW list file for SBOMAUDIT\n# Allowed licenses\n[license]\nMIT\nApache-2.0\nBSD-3-Clause\n# Allowed packages \n[package] \nclick                                                           \n```\n\n## Checks Performed\n\nThe following section identifies the checks which are performed.\n\n### SBOM Format\n\nThe following checks are performed:\n\n- Check that the version of the SBOM is either version 2.2 or 2.3 (SPDX) or version 1.3, 1.4, 1.5 or 1.6 (CycloneDX).\n\n- Check that a creator is defined.\n\n- Check that the time that the SBOM is created is defined.\n\n### Files\n\nThe following checks are performed for each file item:\n\n- Check that a file name is specified.\n\n- Check that the file type is specified.\n\n- Check that a license is specified and that the license identified is a valid [SPDX License identifier](https://spdx.org/licenses/). Note that NOASSERTION is not considered a valid license.\n\n- Check that the license is an [OSI Approved](https://opensource.org/licenses/) license.\n\n- Optionally check that the license is allowed as specified in the ALLOW list\n\n- Optionally check that the license is not included in the licenses specified in the DENY list\n\n- Check that a copyright statement is specified. Note that NOASSERTION is not considered a valid copyright statement.\n\n### Packages\n\nThe following checks are performed on each package item:\n\n- Check that a package name is specified.\n\n- Optionally check that the package name is allowed as specified in the ALLOW list\n\n- Optionally check that the package name is not included in the packages specified in the DENY list\n\n- Check that a supplier is specified.\n\n- Check that a version is specified.\n\n- Check that the package version is the latest released version of the package. The latest version checks are only performed if the `--offline` option is not specified.\n\n- Check that a mature version of the package is being used as determined by the value specified in the `--age` option. The release date checks are only performed if the `--offline` option is not specified.\n\n- Check the age of a package being used, which is not the latest released version, is greater than the value specified in the `--maxage` option.\nThe check is only performed if the `--offline` option is not specified.\n\n- Check that a license is specified and that the license identified is a valid [SPDX License identifier](https://spdx.org/licenses/). Note that NOASSERTION is not considered a valid license.\n\n- Check that the license is an [OSI Approved](https://opensource.org/licenses/) license.\n\n- Optionally check that the license is allowed as specified in the ALLOW list\n\n- Optionally check that the license is not included in the licenses specified in the DENY list\n\n- Check that a [PURL specification](https://github.com/package-url/purl-spec) is provided for the package.\n\n- Check that a [CPE specification](https://nvd.nist.gov/products/cpe) is provided for the package.\n\n### Latest package version checks\n\nThe checks for the latest package version are performed for packages within the following language ecosystems:\n\n- dart\n- go\n- java\n- javascript\n- .net\n- perl\n- python\n- r\n- ruby\n- rust\n- swift\n\n### Relationships\n\nThe following checks are performed:\n\n- Check that relationships are defined.\n\n- Check that every file is included in at least one relationship.\n\n- Check that every package is included in at least one relationship.\n\n### NTIA Conformance\n\nThe following checks are performed:\n\n- Check that the contents of the SBOM meet the minimum requirements for an SBOM as defined by the [NTIA](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf).\n\n### Implementing a Development Policy\n\nThe use of the `--age`, `--maxage`, `--allow` and `--deny` options can be used to enforce a development policy.\n\nA report of the checks which violate against the development policy is contained in a section within the output file.\n\n## Example\n\nGiven the following SBOM (click.json)\n\n```\n{\n  \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n  \"bomFormat\": \"CycloneDX\",\n  \"specVersion\": \"1.4\",\n  \"serialNumber\": \"urn:uuided03b5fe-42a8-41ee-b68f-114aa6fcead9\",\n  \"version\": 1,\n  \"metadata\": {\n    \"timestamp\": \"2023-02-21T16:09:46Z\",\n    \"tools\": [\n      {\n        \"name\": \"sbom4python\",\n        \"version\": \"0.8.0\"\n      }\n    ],\n    \"component\": {\n      \"type\": \"application\",\n      \"bom-ref\": \"CDXRef-DOCUMENT\",\n      \"name\": \"Python-click\"\n    }\n  },\n  \"components\": [\n    {\n      \"type\": \"library\",\n      \"bom-ref\": \"1-click\",\n      \"name\": \"click\",\n      \"version\": \"8.1.3\",\n      \"supplier\": {\n        \"name\": \"Armin Ronacher\",\n        \"contact\": [\n          {\n            \"email\": \"armin.ronacher@active-4.com\"\n          }\n        ]\n      },\n      \"cpe\": \"cpe:2.3:a:armin_ronacher:click:8.1.3:*:*:*:*:*:*:*\",\n      \"description\": \"Composable command line interface toolkit\",\n      \"licenses\": [\n        {\n          \"license\": {\n            \"id\": \"BSD-3-Clause\",\n            \"url\": \"https://opensource.org/licenses/BSD-3-Clause\"\n          }\n        }\n      ],\n      \"externalReferences\": [\n        {\n          \"url\": \"https://palletsprojects.com/p/click/\",\n          \"type\": \"other\",\n          \"comment\": \"Home page for project\"\n        }\n      ],\n      \"purl\": \"pkg:pypi/click@8.1.3\"\n    }\n  ],\n  \"dependencies\": [\n    {\n      \"ref\": \"CDXRef-DOCUMENT\",\n      \"dependsOn\": [\n        \"1-click\"\n      ]\n    }\n  ]\n}\n```\n\nThe following command will audit the contents of the SBOM.\n\n```bash\nsbomaudit --input-file click.json\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 SBOM Format Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] SBOM Format\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Package Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Package Summary\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Relationships Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Relationship Summary\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 NTIA Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] NTIA Summary\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 SBOM Audit Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Checks passed 11\n[x] Checks failed 0                                                              \n```\n\nA verbose report and summary of the contents of the SBOM to the console.\n\n```bash\nsbomaudit --input-file click.json --verbose --cpecheck --purlcheck\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 SBOM Format Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Up to date CycloneDX Version\n[x] SBOM Creator identified\n[x] SBOM Creation time defined\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Package Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Supplier included for package click\n[x] Version included for package click\n[x] License included for package click\n[x] SPDX Compatible License id included for package click\n[x] OSI Approved license for click\n[x] Non-deprecated license for click\n[x] Using latest version of package click\n[x] Using mature version of package click\n[x] Using old version of package click\n[x] CPE name included for package click\n[x] PURL included for package click\n[x] PURL name compatible with package click\n[x] NTIA compliant\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Relationships Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Dependency relationships provided for NTIA compliance\n[x] Dependency relationship found for click\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 NTIA Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] NTIA conformant\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 SBOM Audit Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Checks passed 19\n[x] Checks failed 0\n```\n\nThe following is an example of the output which is generated\nwhen some checks on the contents of the SBOM fail.\n\n```bash\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 SBOM Format Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] SBOM Format\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Package Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[ ] Using latest version of package black: Version is 22.12.0; latest is 23.1.0\n[ ] Using latest version of package mypy-extensions: Version is 0.4.3; latest is 1.0.0\n[ ] SPDX Compatible License id included for package pathspec: MPL 2.0\n[ ] Using latest version of package pathspec: Version is 0.10.3; latest is 0.11.0\n[ ] License included for package platformdirs: MISSING\n[ ] SPDX Compatible License id included for package platformdirs: NOASSERTION\n[ ] Using latest version of package platformdirs: Version is 2.6.2; latest is 3.0.0\n[ ] CPE name included for package platformdirs: MISSING\n[ ] License included for package tomli: MISSING\n[ ] SPDX Compatible License id included for package tomli: NOASSERTION\n[ ] NTIA compliant : FAILED\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Relationships Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Relationship Summary\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 NTIA Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[ ] NTIA conformant : FAILED\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 SBOM Audit Summary \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n[x] Checks passed 42\n[x] Checks failed 12                                                   \n```\n\n## Output File Format\n\nThe output file is in JSON format. The content depends on the contents of the SBOM and the specified command line options.\n\n```bash\nsbomaudit --input-file click.json --verbose --output-file click_analysis.json\n```\n\nAs the `--verbose` option is specified, the resulting JSON file contains the results of all the checks which have been performed.\n\n```json\n{\n  \"metadata\": [\n    {\n      \"text\": \"Up to date SPDX Version\",\n      \"state\": \"Pass\"\n    },\n    {\n      \"text\": \"SBOM Creator identified\",\n      \"state\": \"Pass\"\n    },\n    {\n      \"text\": \"SBOM Creation time defined\",\n      \"state\": \"Pass\"\n    }\n  ],\n  \"packages\": [\n    {\n      \"name\": \"click\",\n      \"version\": \"8.0.3\",\n      \"reports\": [\n        {\n          \"text\": \"Supplier included for package click\",\n          \"state\": \"Pass\"\n        },\n        {\n          \"text\": \"Version included for package click\",\n          \"state\": \"Pass\"\n        },\n        {\n          \"text\": \"License included for package click\",\n          \"state\": \"Pass\"\n        },\n        {\n          \"text\": \"SPDX Compatible License id included for package click\",\n          \"state\": \"Pass\"\n        },\n        {\n          \"text\": \"OSI Approved license for click\",\n          \"state\": \"Pass\"\n        },\n        {\n          \"text\": \"Non-deprecated license for click\",\n          \"state\": \"Pass\"\n        },\n        {\n          \"text\": \"Using latest version of package click: Version is 8.0.3; latest is 8.1.7\",\n          \"state\": \"Fail\"\n        }\n      ]\n    }\n  ],\n  \"policy\": [\n    {\n      \"text\": \"Using mature version of package click\",\n      \"state\": \"Pass\"\n    },\n    {\n      \"text\": \"Using old version of package click: Age of release is 928 days\",\n      \"state\": \"Fail\"\n    }\n  ],\n  \"relationships\": [\n    {\n      \"text\": \"Dependency relationships provided for NTIA compliance\",\n      \"state\": \"Pass\"\n    },\n    {\n      \"text\": \"Dependency relationship found for click\",\n      \"state\": \"Pass\"\n    }\n  ],\n  \"summary\": [\n    {\n      \"text\": \"NTIA conformant\",\n      \"state\": \"Pass\"\n    },\n    {\n      \"text\": \"Checks passed 13\",\n      \"state\": \"Pass\"\n    },\n    {\n      \"text\": \"Checks failed 1\",\n      \"state\": \"Pass\"\n    },\n    {\n      \"text\": \"Policy checks passed 1\",\n      \"state\": \"Pass\"\n    },\n    {\n      \"text\": \"Policy checks failed 1\",\n      \"state\": \"Pass\"\n    }\n  ]\n}\n```\n\n## Return Values\n\nThe following values are returned:\n\n- -1 indicates SBOM file not specified\n- 0 indicates NTIA compliance has failed\n- 1 indicates NTIA compliance has passed\n\n## License\n\nLicensed under the Apache 2.0 License.\n\n## Limitations\n\nThe tool has the following limitations:\n\n- The latest version checks are only performed in an environment where access to external systems is available.\n\n- Invalid SBOMs will result in unpredictable results.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.\n",
    "bugtrack_url": null,
    "license": "Apache-2.0",
    "summary": "Audit SBOM contents",
    "version": "0.4.3",
    "project_urls": {
        "Homepage": "https://github.com/anthonyharrison/sbomaudit"
    },
    "split_keywords": [
        "audit",
        " quality",
        " tools",
        " sbom",
        " devsecops",
        " spdx",
        " cyclonedx"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "1cb7ffbd5874ff42dd817f29eb0dfbf012b9012532a5a2fdc212123b3652261a",
                "md5": "e8bf387ad111362088daa6eb20987b51",
                "sha256": "64d7d52ac1414114732871ad675ff021de30c3364d4f8c36105b4d7d01956ed2"
            },
            "downloads": -1,
            "filename": "sbomaudit-0.4.3-py2.py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "e8bf387ad111362088daa6eb20987b51",
            "packagetype": "bdist_wheel",
            "python_version": "py2.py3",
            "requires_python": ">=3.7",
            "size": 16665,
            "upload_time": "2024-07-28T11:08:22",
            "upload_time_iso_8601": "2024-07-28T11:08:22.991854Z",
            "url": "https://files.pythonhosted.org/packages/1c/b7/ffbd5874ff42dd817f29eb0dfbf012b9012532a5a2fdc212123b3652261a/sbomaudit-0.4.3-py2.py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-07-28 11:08:22",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "anthonyharrison",
    "github_project": "sbomaudit",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "requirements": [
        {
            "name": "lib4sbom",
            "specs": [
                [
                    ">=",
                    "0.7.2"
                ]
            ]
        },
        {
            "name": "lib4package",
            "specs": [
                [
                    ">=",
                    "0.2.0"
                ]
            ]
        },
        {
            "name": "rich",
            "specs": []
        },
        {
            "name": "requests",
            "specs": []
        },
        {
            "name": "packageurl-python",
            "specs": []
        },
        {
            "name": "python-dateutil",
            "specs": []
        },
        {
            "name": "pytz",
            "specs": []
        }
    ],
    "tox": true,
    "lcname": "sbomaudit"
}
        
Elapsed time: 0.31810s