sbomgr is a grep-like command line utility for searching an SBOM file or SBOM repository by criteria such as package name, checksum, CPE, and PURL.
go install github.com/interlynk-io/sbomgr@latest
Other installation options
Search for packages whose name matches "abbrev" exactly:
sbomgr packages -N 'abbrev' <sbom file or dir>
Search for packages whose name matches the regular expression "log4":
sbomgr packages -EN 'log4' <sbom file or dir>
Search in an air-gapped environment: disable the version check first, since it would otherwise try to reach the network.
export INTERLYNK_DISABLE_VERSION_CHECK=true
sbomgr packages -EN 'log4' <sbom file or dir>
- SBOM format agnostic: currently supports searching SPDX and CycloneDX documents.
- Blazing fast.
- Outputs search results as jsonl.
- Supports RE2 regular expressions.
sbomgr can answer some of the most common SBOM questions by searching a single SBOM file or a whole SBOM repository.
➜ sbomgr packages -c ~/data/sbom-repo/docker-images
sbom_files_matched: 86
packages_matched: 33556
➜ sbomgr packages -cEN 'zlib' ~/data/sbom-repo/docker-images
sbom_files_matched: 71
packages_matched: 145
➜ sbomgr packages -c -H '5c260231de4f62ee26888776190b4c3fda6cbe14' ~/data/sbom-repo/docker-images
sbom_files_matched: 2
packages_matched: 2
➜ sbomgr packages -jrE -N '\.zip$' ~/data/ | jq .
{
"path": "/home/riteshno/data/spdx-trivy-circleci_clojure-sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76.json",
"format": "json",
"spec": "spdx",
"product_name": "circleci/clojure@sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76",
"packages": [
{
"name": "org.clojure:data.zip",
"version": "0.1.3",
"purl": "pkg:maven/org.clojure/data.zip@0.1.3"
}
],
"matched": true
}
➜ sbomgr packages -jl ~/data/some-sboms/julia.spdx | jq .
{
"path": "/home/riteshno/data/some-sboms/julia.spdx",
"format": "tag-value",
"spec": "spdx",
"product_name": "julia-spdx",
"packages": [
{
"name": "Julia",
"version": "1.8.0-DEV",
"license": [
{
"name": "MIT License",
"short": "MIT"
}
]
},
➜ sbomgr packages -qN 'abbrev' ~/tmp/app.spdx.json
➜ echo $?
0
➜ sbomgr packages -qN 'abbrev-random' ~/tmp/app.spdx.json
➜ echo $?
1
sbomgr packages -O 'toolv,tooln,pkgn,pkgv' ~/tmp/app.spdx.json
2.0.88 Microsoft.SBOMTool Coordinated Packages 229170
2.0.88 Microsoft.SBOMTool chalk 2.4.2
2.0.88 Microsoft.SBOMTool async-settle 1.0.0
This section explains the flags relevant to the packages search feature. The packages search takes a single argument, either a file or a directory. There are many flags that control its behaviour.
Match criteria (exactly one of these is given per search; they are mutually exclusive):
- -N or --name: package/component name search.
- -C or --cpe: package/component CPE search.
- -P or --purl: package/component PURL search.
- -H or --checksum: package/component checksum value search.
Matching and output options:
- -E or --extended-regexp: treat the match criterion as a regular expression. The supported syntax is RE2: https://github.com/google/re2/wiki/Syntax.
- -i or --ignore-case: case-insensitive matching.
- -l or --license: include the license of the package/component in the output.
- -q or --quiet: suppress all output; the exit status is 0 if the search criterion was found (1 otherwise, as in the example above), which makes this the flag to use in scripts and CI checks.
- --no-filename: omit the filename from the output.
- -j or --jsonl: output the search results as jsonl.
- -p or --print-errors: include errors encountered during searching. The default is to ignore them.
- -O or --output-format: user-defined output format, given as a comma-separated list of the following fields:
  - filen: file path
  - tooln: tool with which the SBOM was generated (only the first one is printed)
  - toolv: tool version
  - docn: SBOM document name
  - docv: SBOM document version
  - cpe: package CPE (only the first one is printed, together with how many CPEs exist)
  - purl: package PURL
  - pkgn: package name
  - pkgv: package version
  - pkgl: package licenses
  - specn: spec of the SBOM document, spdx or cdx
  - chkn: checksum name
  - chkv: checksum value
- -c or --count: suppress the normal output and print the counts of matching SBOM files and packages.
- -r or --recurse: recursively scan all sub-directories.
- --spdx: search only files which are SPDX.
- --cdx: search only files which are CycloneDX.
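To make the flag semantics above concrete (detecting SPDX versus CycloneDX JSON, exact -N matching versus RE2 matching with -E, and one jsonl line per document as with -j), here is an added Go example. It is not sbomgr's own code: its structure is an assumption made for illustration and does not describe how sbomgr is implemented. The two embedded sample documents (spdxSample, cdxSample) are constructed for the example and are not real SBOMs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Package is the format-neutral record the search returns (JSON tags follow sbomgr's jsonl fields).
type Package struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Purl    string `json:"purl,omitempty"`
}

// Result mirrors one jsonl line: the document's spec plus the packages that matched.
type Result struct {
	Spec     string    `json:"spec"`
	Packages []Package `json:"packages"`
	Matched  bool      `json:"matched"`
}

// doc models only the fields this example needs from either spec. No struct tags are
// needed: encoding/json matches keys to exported fields case-insensitively.
type doc struct {
	SpdxVersion, BomFormat string
	Packages               []struct { // SPDX: the purl is an externalRef of type "purl"
		Name, VersionInfo string
		ExternalRefs      []struct{ ReferenceType, ReferenceLocator string }
	}
	Components []struct{ Name, Version, Purl string } // CycloneDX: purl is a direct field
}

// parseSBOM detects the spec from its marker key and flattens the entries.
func parseSBOM(data []byte) (string, []Package, error) {
	var d doc
	if err := json.Unmarshal(data, &d); err != nil {
		return "", nil, err
	}
	var out []Package
	if d.SpdxVersion != "" {
		for _, p := range d.Packages {
			pkg := Package{Name: p.Name, Version: p.VersionInfo}
			for _, r := range p.ExternalRefs {
				if r.ReferenceType == "purl" {
					pkg.Purl = r.ReferenceLocator
				}
			}
			out = append(out, pkg)
		}
		return "spdx", out, nil
	}
	if d.BomFormat == "CycloneDX" {
		for _, c := range d.Components {
			out = append(out, Package{Name: c.Name, Version: c.Version, Purl: c.Purl})
		}
		return "cdx", out, nil
	}
	return "", nil, fmt.Errorf("not an SPDX or CycloneDX JSON document")
}

// SearchByName is the analogue of `sbomgr packages -N pattern` (-EN when useRegexp is true):
// exact whole-name match by default, unanchored RE2 match with -E, so "log4" matches
// "log4j-core" only as a regular expression.
func SearchByName(data []byte, pattern string, useRegexp bool) (Result, error) {
	spec, pkgs, err := parseSBOM(data)
	if err != nil {
		return Result{}, err
	}
	pat := "^" + regexp.QuoteMeta(pattern) + "$" // anchored literal
	if useRegexp {
		pat = pattern // Go's regexp package implements RE2 syntax
	}
	re, err := regexp.Compile(pat)
	if err != nil {
		return Result{}, err
	}
	res := Result{Spec: spec, Packages: []Package{}}
	for _, p := range pkgs {
		if re.MatchString(p.Name) {
			res.Packages = append(res.Packages, p)
		}
	}
	res.Matched = len(res.Packages) > 0
	return res, nil
}

// Constructed sample documents for this example (hand-written, not real SBOMs).
const spdxSample = `{"spdxVersion":"SPDX-2.3","packages":[{"name":"log4j-core","versionInfo":"2.14.1",
 "externalRefs":[{"referenceType":"purl","referenceLocator":"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
 {"name":"abbrev","versionInfo":"1.1.1"}]}`
const cdxSample = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"name":"log4net","version":"2.0.8","purl":"pkg:nuget/log4net@2.0.8"},{"name":"zlib","version":"1.2.13"}]}`

func main() {
	for _, d := range []string{spdxSample, cdxSample} { // like: sbomgr packages -jEN 'log4' <file>
		res, err := SearchByName([]byte(d), "log4", true)
		if err != nil {
			panic(err)
		}
		line, _ := json.Marshal(res)
		fmt.Println(string(line)) // one jsonl line per document, as with -j
	}
}
```

Running it with go run prints one jsonl line per sample document. Two details are worth noting: the SPDX purl has to be dug out of externalRefs while CycloneDX carries it as a direct field, which is the kind of normalisation a format-agnostic search has to do; and the exact match is implemented as an anchored, quoted regular expression, so the same engine serves both -N and -E. The example reports a match through the Matched field rather than through the process exit status; a wrapper that calls os.Exit(1) when Matched is false would give the same script-friendly behaviour as -q.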
- Search using files.
- Search using tool metadata.
- Search using CVE-ID.
- Search only direct dependencies.
- Search until a specified depth.
- Provide a list of malicious packages
- A sample set of SBOMs is present in the samples directory of the repository.
- SBOM Benchmark is a repository of SBOMs and quality scores for the most popular containers and repositories.
- SBOM Explorer is a command line utility to search and pull SBOMs.
https://github.com/interlynk-io/sbomgr/releases
brew tap interlynk-io/interlynk
brew install sbomgr
go install github.com/interlynk-io/sbomgr@latest
This approach involves cloning the repo and building it.
- Clone the repo: git clone git@github.com:interlynk-io/sbomgr.git
- cd into the sbomgr folder
- Run make build
- To test that the build was successful, run ./build/sbomgr version
We look forward to your contributions; below are a few guidelines on how to submit them:
- Fork the repo
- Create your feature/bug branch (git checkout -b feature/new-feature)
- Commit your changes (git commit -am "awesome new feature")
- Push your changes (git push origin feature/new-feature)
- Create a new pull request
We appreciate all feedback, the best way to get in touch with us