> [!WARNING]
> This repository has been deprecated, as the ability to generate an SBOM has been added to the core functionality of Mend SCA. We will not be making any changes or enhancements to this repository. Please refer to the Mend User Documentation for instructions on exporting an SBOM via the User Interface. For programmatic SBOM generation, it is recommended to use the `sbom_export_cli`.
This tool generates SBOM reports in either SPDX or CycloneDX format for specified projects.
The tool can be executed either via the CLI or as a Docker container.

Note: This tool utilizes a forked package of `spdx-tools`.
Note: The specified user (`-u`, `--userKey`) must be associated with a group assigned as either Organization Administrators (for generating reports for all projects in the organization) or Product Administrators. For the latter, `--tokenType` must be specified (see Command-Line Arguments).
## Installation

Install the PyPI package `ws-sbom-generator`:

```shell
pip install ws-sbom-generator
```

Note: Depending on whether the package was installed as a root user or not, make sure the package installation location was added to the `$PATH` environment variable.
## Usage

Update the creation info as needed in the `resource/sbom_extra.json` file:

```json
{
  "namespace": "http://CreatorWebsite/pathToSpdx/DocumentName-UUID",
  "org_email": "org@domain.com",
  "person": "First Last",
  "person_email": "first.last@domain.com"
}
```
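As an added example (not part of this repository), a small Python helper that checks a creation-info file for the shipped placeholder values before it is passed via `--extra`, and builds a per-document namespace; SPDX requires the document namespace to be an absolute URI with no `#` fragment. The `make_creation_info` helper and its `document_name` argument are this example's own, not something the tool provides.

```python
import re
import uuid
from urllib.parse import urlparse

# Placeholder values shipped in resources/sbom_extra.json (taken from the README above).
# A report generated while these are still in place carries bogus creator information.
PLACEHOLDERS = {
    "namespace": "http://CreatorWebsite/pathToSpdx/DocumentName-UUID",
    "org_email": "org@domain.com",
    "person": "First Last",
    "person_email": "first.last@domain.com",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_creation_info(info):
    """Return a list of problems; an empty list means the creation info is usable."""
    problems = []
    for key, placeholder in PLACEHOLDERS.items():
        value = str(info.get(key, "")).strip()
        if not value:
            problems.append("missing or empty field: " + key)
        elif value == placeholder:
            problems.append("placeholder value still present in field: " + key)
        elif key.endswith("_email") and not EMAIL_RE.match(value):
            problems.append("not an e-mail address: " + key)
        elif key == "namespace":
            parsed = urlparse(value)
            # SPDX requires an absolute URI for the document namespace, with no '#' fragment.
            if parsed.scheme not in ("http", "https") or not parsed.netloc or "#" in value:
                problems.append("namespace must be an absolute http(s) URI without a fragment")
    return problems


def make_creation_info(base_uri, document_name, org_email, person, person_email):
    """Hypothetical helper: build creation info with a unique namespace <base_uri>/<document_name>-<uuid4>."""
    info = {
        "namespace": "%s/%s-%s" % (base_uri.rstrip("/"), document_name, uuid.uuid4()),
        "org_email": org_email,
        "person": person,
        "person_email": person_email,
    }
    problems = validate_creation_info(info)
    if problems:
        raise ValueError("; ".join(problems))
    return info
```

Write the returned dictionary to a JSON file with `json.dump` and pass that path to `--extra`.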
Run the tool:

```shell
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type $FORMAT --out $HOME/reports --extra resources/sbom_extra.json
```
## Command-Line Arguments

Parameter | Type | Required | Description
---|---|---|---
`-h`, `--help` | switch | No | Show help and exit
`-a`, `--wsUrl` | string | Yes | Mend server URL
`-u`, `--userKey` | string | Yes | Mend User Key
`-k`, `--token` | string | Yes | Mend API Key or Product token
`-y`, `--tokenType` | string | No* | `[organization\|product*]` (default: `organization`)
`-t`, `--type` | string | No* | Report format `[json\|tv\|rdf\|xml\|yaml\|cdx*\|all*]` (default: `tv`)
`-s`, `--scope` | string | No | Product or Project token to generate the report(s) for. When specifying a Product token, one report will be generated for each project under that product. If not specified, one report will be generated for each project in your organization.
`-o`, `--out` | string | No | Output directory (default: `$PWD`)
`-on`, `--outfile` | string | No* | Output file name* (default: `Mend {PROJECT_NAME} SBOM report-{FORMAT}`)
`-lt`, `--licensetext` | bool | No | Include full license text for all libraries* (default: `False`)
`-th`, `--threads` | int | No | Number of threads to run in parallel for report generation (default: `10`)
`-e`, `--extra` | string | No* | Path to a JSON file containing the creation info to be included in the report (default: `$PWD/resources/sbom_extra.json`)
Notes:

* Token type (`--tokenType product`) is required in case the specified `userKey` is associated with a group with Product Administrators permissions.
* Report type (`--type`) `cdx` will generate a JSON file in CycloneDX v1.4 format.
* Report type (`--type`) `all` will generate one file in each format for each specified project.
* Output file name (`--outfile`) is only supported for a single project scope.
* Full license texts will be taken by default from the SPDX License List. If a given license does not exist there, the tool will attempt to take it from Mend's database.
* By default, the tool will use the placeholders in the `resource/sbom_extra.json` file.
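As an added example (not the project's own code), a Python function that assembles the `ws_sbom_generator` argument vector for `subprocess` and enforces the rules from the notes above (`--outfile` only for a single project scope, `--tokenType product` when a product token is used). The `scope_is_project` flag is this example's own, since only the caller knows whether the scope token is a product or a project token; passing an argv list rather than a shell string keeps the keys out of shell interpolation.

```python
import os
import subprocess

REPORT_TYPES = ("json", "tv", "rdf", "xml", "yaml", "cdx", "all")
TOKEN_TYPES = ("organization", "product")


def build_sbom_command(ws_url, user_key, token, token_type="organization",
                       report_type="tv", scope=None, scope_is_project=False,
                       out_dir=None, outfile=None, license_text=False,
                       threads=None, extra=None):
    """Return the ws_sbom_generator argv, rejecting combinations the README marks as unsupported."""
    if token_type not in TOKEN_TYPES:
        raise ValueError("tokenType must be one of %s" % (TOKEN_TYPES,))
    if report_type not in REPORT_TYPES:
        raise ValueError("type must be one of %s" % (REPORT_TYPES,))
    if outfile and not (scope and scope_is_project):
        # --outfile is only supported for a single project scope.
        raise ValueError("--outfile requires --scope with a single project token")
    if threads is not None and threads < 1:
        raise ValueError("threads must be a positive integer")
    argv = ["ws_sbom_generator", "--wsUrl", ws_url, "--userKey", user_key, "--token", token]
    if token_type == "product":
        # A product administrator passes a product token as --token and must say so.
        argv += ["--tokenType", "product"]
    argv += ["--type", report_type]
    if scope:
        argv += ["--scope", scope]
    if out_dir:
        argv += ["--out", out_dir]
    if outfile:
        argv += ["--outfile", outfile]
    if license_text:
        argv += ["--licensetext", "True"]
    if threads is not None:
        argv += ["--threads", str(threads)]
    if extra:
        argv += ["--extra", extra]
    return argv


def run_from_env(report_type="tv", scope=None, scope_is_project=False, out_dir=None, extra=None):
    """Read the credentials from the environment variables used in the README and run the tool."""
    argv = build_sbom_command(
        os.environ["WS_WSS_URL"], os.environ["WS_USERKEY"], os.environ["WS_APIKEY"],
        report_type=report_type, scope=scope, scope_is_project=scope_is_project,
        out_dir=out_dir, extra=extra)
    # argv list, no shell: the user key and API key are never interpolated into a command string.
    return subprocess.run(argv, check=True)
```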
## Examples

### Generating a `tv` formatted SBOM report for a specific project

```shell
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PROJECTTOKEN --out $HOME/reports --extra sbom_extra.json
```

### Generating a `tv` formatted SBOM report for all projects of a specified product

```shell
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PRODUCTTOKEN --out $HOME/reports --extra sbom_extra.json
```

### Generating a `json` formatted SBOM report for all projects in the organization

```shell
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type json --out $HOME/reports
```

### Generating a `json` formatted SBOM report for all projects in the organization, including full license text

```shell
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --type json --out $HOME/reports --licensetext True
```

### Generating an `xml` formatted SBOM report for a single project (executed by a product administrator)

```shell
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_PRODUCTTOKEN --tokenType product --scope $WS_PROJECTTOKEN --type xml --out $HOME/reports --extra sbom_extra.json
```

### Generating a `json` formatted SBOM report for a single project, specifying the file name

```shell
ws_sbom_generator --wsUrl $WS_WSS_URL --userKey $WS_USERKEY --token $WS_APIKEY --scope $WS_PROJECTTOKEN --type json --out $HOME/reports --extra sbom_extra.json --outfile my-project-sbom.json
```
## Docker

Note: The specified user (`-u`, `--userKey`) must be associated with a group assigned as either Organization Administrators (for generating reports for all projects in the organization) or Product Administrators. For the latter, `--tokenType` must be specified (see Command-Line Arguments).
```shell
docker pull whitesourcetools/ws-sbom-generator:latest
```

```shell
# --name is fixed: remove the previous container (docker rm ws-sbom-generator) or add --rm before re-running.
docker run --name ws-sbom-generator \
  -v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom-generator/resources \
  -v $HOME/reports:/opt/ws-sbom-generator/sbom-generator/output \
  -e WS_URL=$WS_WSS_URL \
  -e WS_USER_KEY=$WS_USERKEY \
  -e WS_TOKEN=$WS_APIKEY \
  -e WS_REPORT_TYPE=<REPORT_TYPE> \
  whitesourcetools/ws-sbom-generator
```
### Running as organization administrator, generating `json` formatted SBOM reports for all projects, default extra args

```shell
docker run --name ws-sbom-generator \
  -v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \
  -v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_URL=$WS_WSS_URL \
  -e WS_USER_KEY=$WS_USERKEY \
  -e WS_TOKEN=$WS_APIKEY \
  -e WS_REPORT_TYPE=json \
  whitesourcetools/ws-sbom-generator
```

### Running as organization administrator, generating a `tv` formatted SBOM report for a single project, default extra args

```shell
docker run --name ws-sbom-generator \
  -v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \
  -v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_URL=$WS_WSS_URL \
  -e WS_USER_KEY=$WS_USERKEY \
  -e WS_TOKEN=$WS_APIKEY \
  -e WS_SCOPE_TOKEN=<WS_PROJECT_TOKEN> \
  whitesourcetools/ws-sbom-generator
```

### Running as a product administrator, generating an `rdf` formatted SBOM report for a single project, default extra args

```shell
docker run --name ws-sbom-generator \
  -v $HOME/ws-sbom-generator/resources:/opt/ws-sbom-generator/sbom_generator/resources \
  -v $HOME/reports:/opt/ws-sbom-generator/sbom_generator/output \
  -e WS_URL=$WS_WSS_URL \
  -e WS_USER_KEY=$WS_USERKEY \
  -e WS_TOKEN=$WS_PRODUCTTOKEN \
  -e WS_TOKEN_TYPE=product \
  -e WS_SCOPE_TOKEN=$WS_PROJECTTOKEN \
  whitesourcetools/ws-sbom-generator
```