Metadata-Version: 2.4
Name: sbomac
Version: 0.1.0
Summary: Simple SBOM generator
Home-page: https://github.com/anthonyharrison/sbomac
Author: Anthony Harrison
Author-email: anthony.p.harrison@gmail.com
Maintainer: Anthony Harrison
Maintainer-email: anthony.p.harrison@gmail.com
License: Apache-2.0
Keywords: security,tools,SBOM,DevSecOps,SPDX,CycloneDX
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: lib4sbom>=0.9.3
Dynamic: author
Dynamic: author-email
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: home-page
Dynamic: keywords
Dynamic: license
Dynamic: license-file
Dynamic: maintainer
Dynamic: maintainer-email
Dynamic: requires-dist
Dynamic: requires-python
Dynamic: summary

# SBOMac
The SBOMac is a free, open source tool to generate a
SBOM (Software Bill of Materials) from a simple YAML in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).

The YAML can specify hardware, software applications and service elements. The dependencies between the elements is indicated
by the structure of the YAML file.

## Installation

To install use the following command:

`pip install sbomac`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.9+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.

## Usage

```bash
usage: sbomac [-h] [-i INPUT_FILE] [--name NAME] [-d] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [--type {design,source,build}] [-o OUTPUT_FILE] [-V]

SBOMac generates a Software Bill of Materials for the items specified in a simple YAML file. Different types of SBOMs can be generated based on the content.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        identity of sbom definition file
  --name NAME           specify name of system

Output:
  -d, --debug           add debug information
  --sbom {spdx,cyclonedx}
                        specify type of sbom to generate (default: spdx)
  --format {tag,json,yaml}
                        specify format of software bill of materials (sbom) (default: tag)
  --type {design,source}
                        specify type of software bill of materials (sbom) to create (default: design)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
```

## Operation

The `--name` option is used to identify the name of the system or application which the SBOM represents. This parameter is mandatory.

The `--input-file` option is used to specify the name of the YAML file containing the definition of the system or application. This parameter is mandatory.

The `--type` option is used to specify the type of of the generated SBOM (the default is 'Design'). This option is used to specify the lifecycle which the YAML file represents.

The `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option
can be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both SPDX and CycloneDX SBOMs).

The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).

## YAML file format

The format of the YAML file is as follows:

```yaml
# Example yaml file
name: Design SBOM
version: 1.0
summary: This is an example for creating a design SBOM
author: APH
email: aph@aph10.com
supplier: ACME Inc
element:
- name: Payment System
  type: system
  element:
    - name: Platform
      type: hardware
      element:
      - name: Network
        type: hardware
        description: 10GB
      - name: Storage
        type: hardware
        description: At least 500GB
      - name: Memory
        type: hardware
        description: At least 64GB
    - name: OS
      type: operating_system
      description: An embedded OS
      element:
      - name: Database
        type: application
        description: A SQL database
        product: SQLlite
        comment: Version should be at least 3.0
      - name: Awesome Application
        type: software
        description: A payment processor
        element:
        - name: Payment Service
          type: service
          vendor: Stripe
          description: An external service provider
```

The file consists of some file metadata (name, version, summary) together with deatils of the author, email address and the supplier.

Elements are indicated by the element item. An element can have the following attributes

- name. This is the name of the element. This is mandatory.
- type. This is the type of element. This is mandatory. Valid types are 'system', 'hardware', 'software', 'application', 'operating-system', 'service', 'file'.
- description. This is a brief description of the element being defined.
- version. This is used where a specific version of the element can be identified.
- vendor. This is the provider of the element.
- comment. This is used to provide any other supporting information to be included in the generated SBOM.

The hieracrchy of depedencies is indicated by approaiate indentation of the elements within the YAML file.

## Licence

Licenced under the Apache 2.0 Licence.

The tool uses a local copy of the [SPDX Licenses List](https://github.com/spdx/license-list-data) which is released under
[Creative Commons Attribution 3.0 (CC-BY-3.0)](http://creativecommons.org/licenses/by/3.0/).

## Limitations

This tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the data
which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool
are therefore reminded that they should assert the quality of any data which is provided to the tool.

When processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct [SPDX License Identifiers](https://spdx.org/licenses/). However, the
user of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

