sbomgr is a grep like command line utility to help search the SBOM repository based on criteria like the name, checksum, CPE, and PURL.

go install github.com/interlynk-io/sbomgr@latest

other installations options

Search for packages with exact name matching "abbrev".

sbomgr packages -N 'abbrev' <sbom file or dir>

Search for packages with regexp name matching "log4"

sbomgr packages -EN 'log4' <sbom file or dir>

Search for packages in air gapped environment for name matching "log4"

export INTERLYNK_DISABLE_VERSION_CHECK=true sbomgr packages -EN 'log4' <sbom file or dir>

• SBOM format agnostic and currently supports searching through SPDX and CycloneDX.
• Blazing Fast 🚀
• Output search results as jsonl.
• Supports RE2 regular expressions

sbomgr can answer some of the most common SBOM use cases by searching an SBOM file or SBOM repository.

➜ sbomgr packages -c ~/data/sbom-repo/docker-images
sbom_files_matched: 86
packages_matched: 33556

➜ sbomgr packages -cEN 'zlib' ~/data/sbom-repo/docker-images
sbom_files_matched: 71
packages_matched: 145

➜ sbomgr packages -c -H '5c260231de4f62ee26888776190b4c3fda6cbe14' ~/data/sbom-repo/docker-images
sbom_files_matched: 2
packages_matched: 2

➜ sbomgr packages -jrE -N '\.zip$' ~/data/ | jq .
{
  "path": "/home/riteshno/data/spdx-trivy-circleci_clojure-sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76.json",
  "format": "json",
  "spec": "spdx",
  "product_name": "circleci/clojure@sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76",
  "packages": [
    {
      "name": "org.clojure:data.zip",
      "version": "0.1.3",
      "purl": "pkg:maven/org.clojure/[email protected]"
    }
  ],
  "matched": true
}

➜ sbomgr packages -jl ~/data/some-sboms/julia.spdx | jq .
{
  "path": "/home/riteshno/data/some-sboms/julia.spdx",
  "format": "tag-value",
  "spec": "spdx",
  "product_name": "julia-spdx",
  "packages": [
    {
      "name": "Julia",
      "version": "1.8.0-DEV",
      "license": [
        {
          "name": "MIT License",
          "short": "MIT"
        }
      ]
    },

➜  sbomgr packages -qN 'abbrev' ~/tmp/app.spdx.json
➜  echo $?
0
➜  sbomgr packages -qN 'abbrev-random' ~/tmp/app.spdx.json
➜  echo $?
1

sbomgr packages -O 'toolv,tooln,pkgn,pkgv' ~/tmp/app.spdx.json 
2.0.88	Microsoft.SBOMTool	Coordinated Packages                 	229170
2.0.88	Microsoft.SBOMTool	chalk                                	2.4.2
2.0.88	Microsoft.SBOMTool	async-settle                         	1.0.0

This section explains the flags relevant to the packages search feature. The packages search takes only a single argument, either a file or a directory. There are man flags which can be specified to control its behaviour.

• -N or --name used for package/component name search.
• -C or --cpe used for package/component cpe search.
• -P or --purl used for pacakge/component purl search.
• -H or --checksum used for package/component checksum value search.

all of these match criteria are exclusive to each other.

• -E or --extended-regexp flag can be used to indicate if the match criteria is a regular expression. Syntax supported is https://github.com/google/re2/wiki/Syntax.

• -i or --ignore-case case insensitive matching.

• -l or --license this includes the license of the package/component in the output.
• -q or --quiet this suppresses all output of the tool, the return value of the tool is 0 indicating success, if it finds the search criteria.
• --no-filename removes the filename from the output.
• -j or --jsonl outputs the search results in jsonl.
• -p or --print-errors includes errors encoundered during searching. Default is to ignore them.
• -O or --output-format user-defined output format. Options are listed below
  • filen - filepath
  • tooln - tool with which sbom was generated, only prints the first one
  • toolv - tool version
  • docn - sbom document name
  • docv - sbom document version
  • cpe - package cpe, only prints the first one, indicates how many cpe's exists.
  • purl - package purl
  • pkgn - package name
  • pkgv - package version
  • pkgl - package licenses
  • specn - spec of the sbom document, spdx or cdx.
  • chkn - checksum name
  • chkv - checksum value

• -c or --count suppresses the normal output and print matching counts of sbom filenames and packages.

• -r or --recurse when set, recursively scans all sub directories.

• --spdx searches only files which are SPDX.
• --cdx searches only files which are CycloneDX.

• Search using files.
• Search using tool metadata.
• Search using CVE-ID.
• Search only direct dependencies.
• Search until a specified depth.
• Provide a list of malicious packages

• A sample set of SBOM is present in the samples directory above.
• SBOM Benchmark is a repository of SBOM and quality score for most popular containers and repositories
• SBOM Explorer is a command line utility to search and pull SBOMs

https://github.com/interlynk-io/sbomgr/releases

brew tap interlynk-io/interlynk
brew install sbomgr

go install github.com/interlynk-io/sbomgr@latest

This approach involves cloning the repo and building it.

1. Clone the repo git clone [email protected]:interlynk-io/sbomgr.git
2. cd into sbomgr folder
3. make build
4. To test if the build was successful run the following command ./build/sbomgr version

We look forward to your contributions, below are a few guidelines on how to submit them

• Fork the repo
• Create your feature/bug branch (git checkout -b feature/new-feature)
• Commit your changes (git commit -am "awesome new feature")
• Push your changes (git push origin feature/new-feature)
• Create a new pull-request

We appreciate all feedback, the best way to get in touch with us

• [email protected]
• https://github.com/interlynk-io/sbomgr/issues
• https://twitter.com/InterlynkIo