# SBOMDEBT
SBOMDEBT reports on the technical debt of the contents of an SBOM (Software Bill of Materials) by performing a number of checks, chiefly whether newer versions of each package have been published since the version recorded in the SBOM. SBOMs are supported in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
## Installation
To install use the following command:
`pip install sbomdebt`
Alternatively, just clone the repo and install dependencies using the following command:
`pip install -U -r requirements.txt`
The tool requires Python 3 (3.8+). It is recommended to use a virtual Python environment, especially
if you work with several versions of Python. `virtualenv` is a tool for setting up virtual Python environments; it
lets you keep all the dependencies for the tool in a single environment, or set up separate environments
for testing with different versions of Python.
## Usage
```
usage: sbomdebt [-h] [-i INPUT_FILE] [--updates UPDATES] [--verbose] [--debug] [-o OUTPUT_FILE] [-V]

SBOMDebt reports on the technical debt of a SBOM.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        name of SBOM file
  --updates UPDATES     minimum number of updated versions to report (default: 2)
  --verbose             verbose reporting

Output:
  --debug               add debug information
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
```
## Operation
The `--input-file` option is used to specify the SBOM to be processed. The format of the SBOM is determined according to
the following filename conventions.
| SBOM | Format | Filename extension |
| --------- |----------|--------------------|
| SPDX | TagValue | .spdx |
| SPDX | JSON | .spdx.json |
| SPDX | YAML | .spdx.yaml |
| SPDX | YAML | .spdx.yml |
| CycloneDX | JSON | .json |
| CycloneDX | XML | .xml |
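
The following is an added example, not sbomdebt's own code, showing how the filename conventions in the table above have to be applied: the most specific suffix must be tested first, because `click.spdx.json` also ends in `.json` and would otherwise be read as CycloneDX. The function names, the case-insensitive matching and the JSON content sniff (SPDX JSON carries a top-level `spdxVersion`, CycloneDX JSON carries `bomFormat: "CycloneDX"`) are assumptions added here as a cross-check; the tool itself decides by filename only, which is why a mismatch between name and content falls under the "invalid SBOM" limitation below.

```python
# Added example, not sbomdebt's own code: dispatching on the filename
# conventions in the table above. Function names, lower-casing of the
# filename and the JSON content sniff are assumptions, not tool behaviour.
import json
import os

# Most specific suffix first: ".spdx.json" also ends with ".json" and must be
# recognised as SPDX, not as CycloneDX.
_SBOM_SUFFIXES = (
    (".spdx.json", ("SPDX", "JSON")),
    (".spdx.yaml", ("SPDX", "YAML")),
    (".spdx.yml", ("SPDX", "YAML")),
    (".spdx", ("SPDX", "TagValue")),
    (".json", ("CycloneDX", "JSON")),
    (".xml", ("CycloneDX", "XML")),
)


def detect_sbom_format(filename):
    """Return (sbom_type, format) for a filename, or None if no convention matches."""
    name = os.path.basename(filename).lower()  # assumption: extension case is ignored
    for suffix, kind in _SBOM_SUFFIXES:
        if name.endswith(suffix):
            return kind
    return None


def sniff_json_sbom(text):
    """Identify a JSON SBOM from its content rather than its name.

    SPDX JSON documents carry a top-level "spdxVersion"; CycloneDX JSON
    documents carry "bomFormat": "CycloneDX". Returns the SBOM type or None.
    """
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    if "spdxVersion" in doc:
        return "SPDX"
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX"
    return None


def check_named_json(filename, text):
    """Compare the name-based guess with the content.

    Returns (by_name, by_content, consistent). A mismatch means the file would
    be handed to the wrong reader, which is the 'invalid SBOM' case.
    """
    by_name = detect_sbom_format(filename)
    by_content = sniff_json_sbom(text)
    consistent = by_name is not None and by_content == by_name[0]
    return by_name, by_content, consistent
```

Running `check_named_json("click.json", spdx_text)` on an SPDX JSON document that was saved with a plain `.json` name reports the mismatch before the wrong parser is invoked; renaming the file to `click.spdx.json` resolves it.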
The `--updates` option sets the minimum number of newer versions a package must have before it is reported as debt. The default is 2, so a package that is only one release behind is not reported; use `--updates 1` to report every package with any newer version.
The `--verbose` option reports the results of all the checks performed, including the individual newer versions found for each package; by default only failed checks and summaries are reported.
The `--output-file` option controls where the report is written. By default it is written to the console (stdout); specifying a filename stores it in that file instead.
### Package update checks
The checks for packages with outstanding updates are performed for packages within the following language ecosystems:
- dart
- go
- java
- javascript
- .net
- perl
- python
- r
- ruby
- rust
- swift
## Output File Format
The output file is in JSON format. The content depends on the contents of the SBOM and the specified command line options.
```bash
sbomdebt --input-file click.json --output-file click_analysis.json
```
```json
{
  "sbom": "<....>",
  "packages": [
    {
      "name": "click",
      "current_version": "8.0.3",
      "latest_version": "8.1.7",
      "latest_date": "2023-08-17T17:29:10.000Z",
      "updates": 9
    }
  ],
  "package_count": 1,
  "debt_count": 1,
  "ratio": 1.0
}
```
```bash
sbomdebt --input-file click.json --verbose --output-file click_analysis.json
```
Adding the `--verbose` option results in the JSON file also containing, for each reported package, the list of newer versions and their release dates (`package_updates`, newest first).
```json
{
  "sbom": "/root/Documents/git_repo/sbom_workbench/datastore/sbom/click.spdx",
  "packages": [
    {
      "name": "click",
      "current_version": "8.0.3",
      "latest_version": "8.1.7",
      "latest_date": "2023-08-17T17:29:10.000Z",
      "updates": 9,
      "package_updates": [
        ["8.1.7", "2023-08-17T17:25:18.000Z"],
        ["8.1.6", "2023-07-18T20:00:26.000Z"],
        ["8.1.5", "2023-07-13T15:00:38.000Z"],
        ["8.1.4", "2023-07-06T18:22:05.000Z"],
        ["8.1.3", "2022-04-28T17:36:21.000Z"],
        ["8.1.2", "2022-03-31T20:50:27.000Z"],
        ["8.1.1", "2022-03-30T20:13:29.000Z"],
        ["8.1.0", "2022-03-28T17:38:54.000Z"],
        ["8.0.4", "2022-02-18T20:30:45.000Z"]
      ]
    }
  ],
  "package_count": 1,
  "debt_count": 1,
  "ratio": 1.0
}
```
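
The following is an added example, not sbomdebt's own implementation, that derives the report fields shown above (`updates`, `latest_version`, `latest_date`, `package_updates`, `package_count`, `debt_count`, `ratio`) and applies the `--updates` threshold, while skipping the packages the Limitations section says are not checked (no valid PURL, or an ecosystem outside the list under "Package update checks"). Everything beyond the page is an assumption: the mapping of ecosystems to PURL types, the simplified PURL parser (the tool depends on `packageurl-python`), the numeric version ordering, `ratio` being `debt_count / package_count`, and the release history, which is embedded so the example runs offline (the click entries repeat the page's own list; the 8.0.3 date and the `examplelib` package are constructed).

```python
# Added example, not sbomdebt's own code: computing the report fields shown
# above from an SBOM package list and a registry release history. The PURL-type
# mapping, PURL parser, version ordering, meaning of "ratio" and the release
# data are assumptions; the data is embedded so the example runs offline.
import json
import re

# Assumed PURL types for the ecosystems listed under "Package update checks".
SUPPORTED_PURL_TYPES = {
    "pub", "golang", "maven", "npm", "nuget", "cpan", "pypi", "cran", "gem", "cargo", "swift",
}

# Simplified package-url grammar: pkg:type/[namespace/]name[@version][?qualifiers][#subpath]
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)(?:@(?P<version>[^?#]+))?(?:\?[^#]*)?(?:#.*)?$"
)

# Constructed release history keyed by version-less PURL: (version, upload date).
# click entries repeat the page's example; the 8.0.3 date and examplelib are made up.
RELEASES = {
    "pkg:pypi/click": [
        ("8.0.3", "2021-10-10T00:00:00.000Z"),
        ("8.0.4", "2022-02-18T20:30:45.000Z"),
        ("8.1.0", "2022-03-28T17:38:54.000Z"),
        ("8.1.1", "2022-03-30T20:13:29.000Z"),
        ("8.1.2", "2022-03-31T20:50:27.000Z"),
        ("8.1.3", "2022-04-28T17:36:21.000Z"),
        ("8.1.4", "2023-07-06T18:22:05.000Z"),
        ("8.1.5", "2023-07-13T15:00:38.000Z"),
        ("8.1.6", "2023-07-18T20:00:26.000Z"),
        ("8.1.7", "2023-08-17T17:25:18.000Z"),
    ],
    "pkg:pypi/examplelib": [
        ("1.0.0", "2024-01-01T00:00:00.000Z"),
        ("1.0.1", "2024-02-01T00:00:00.000Z"),
    ],
}

# Constructed SBOM package list covering the cases the Limitations section describes.
SBOM_PACKAGES = [
    {"name": "click", "version": "8.0.3", "purl": "pkg:pypi/click@8.0.3"},
    {"name": "examplelib", "version": "1.0.0", "purl": "pkg:pypi/examplelib@1.0.0"},
    {"name": "libc6", "version": "2.36-9", "purl": "pkg:deb/debian/libc6@2.36-9"},  # ecosystem not checked
    {"name": "vendored", "version": "0.1", "purl": None},  # no PURL: not checked
]


def parse_purl(purl):
    """Return the PURL components, or None if the string is not a valid PURL."""
    m = _PURL_RE.match(purl or "")
    return m.groupdict() if m else None


def version_key(version):
    """Compare dotted versions numerically, so 8.1.10 sorts after 8.1.7."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def package_debt(pkg, releases, min_updates=2, verbose=False):
    """Report entry for one package, or None if it is skipped or below the threshold."""
    purl = parse_purl(pkg.get("purl"))
    if purl is None or purl["type"] not in SUPPORTED_PURL_TYPES:
        return None  # not checked: no valid PURL or unsupported ecosystem
    namespace = purl["namespace"] + "/" if purl["namespace"] else ""
    history = releases.get(f"pkg:{purl['type']}/{namespace}{purl['name']}", [])
    current = version_key(pkg["version"])
    newer = sorted(
        (r for r in history if version_key(r[0]) > current),
        key=lambda r: version_key(r[0]),
        reverse=True,
    )
    if len(newer) < min_updates:  # the --updates threshold
        return None
    entry = {
        "name": pkg["name"],
        "current_version": pkg["version"],
        "latest_version": newer[0][0],
        "latest_date": newer[0][1],
        "updates": len(newer),
    }
    if verbose:
        entry["package_updates"] = [list(r) for r in newer]
    return entry


def sbom_debt(sbom_path, packages, releases, min_updates=2, verbose=False):
    """Build the whole report in the shape shown above (ratio = debt_count / package_count)."""
    reported = [e for e in (package_debt(p, releases, min_updates, verbose) for p in packages) if e]
    count = len(packages)
    return {
        "sbom": sbom_path,
        "packages": reported,
        "package_count": count,
        "debt_count": len(reported),
        "ratio": len(reported) / count if count else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(sbom_debt("click.spdx", SBOM_PACKAGES, RELEASES, verbose=True), indent=2))
```

With the default threshold only `click` (9 newer versions) is reported and the ratio is 0.25 over the four packages; with `min_updates=1` `examplelib` joins it. The two packages that cannot be checked still count towards `package_count`, so a low ratio on an SBOM with many PURL-less or unsupported components understates the real debt.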
## Return Values
The following values are returned:
- -1 indicates that no SBOM file was specified (on POSIX systems a process exit status of -1 is seen by the shell as 255, so test for a non-zero status rather than for -1 in scripts)
- 0 indicates that the debt has been calculated
## License
Licensed under the Apache 2.0 License.
## Limitations
The tool has the following limitations:
- The latest version checks are only performed in an environment with access to external systems (the package registries of the ecosystems listed above).
- The latest version checks are only performed for components with a valid PURL; components without one are not checked and therefore never contribute to the reported debt.
- Invalid SBOMs will produce unpredictable results.
## Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.
## Package metadata (PyPI)
- Version: 0.1.0 (uploaded 2024-07-28T17:20:53Z)
- Summary: Determine technical debt for a SBOM
- Author and maintainer: Anthony Harrison (anthony.p.harrison@gmail.com)
- Homepage: https://github.com/anthonyharrison/sbomdebt
- License: Apache-2.0
- Requires Python: >=3.8
- Keywords: security, tools, SBOM, DevSecOps, SPDX, CycloneDX, technical-debt
- Dependencies: lib4sbom>=0.7.2, lib4package>=0.2.0, packageurl-python, packaging
- Distribution: `sbomdebt-0.1.0-py2.py3-none-any.whl` (11623 bytes, bdist_wheel, not yanked, no signature), sha256 `5eb2d24b93b41b187052306fbde37eb4b852f4162047253a23976c0b8197d7ab`, available from https://files.pythonhosted.org/packages/c0/cf/364edafcf65d942c2dfc0a01ff6ea48ac8b57253c4d1a8774c9a4f4ada15/sbomdebt-0.1.0-py2.py3-none-any.whl
Compare the sha256 of a downloaded wheel (for example with `sha256sum`) against this digest before installing it.