# sbomgr

`sbomgr` is a grep-like command line utility to help search an SBOM repository based on criteria like the name, checksum, CPE, and PURL.
```shell
go install github.com/interlynk-io/sbomgr@latest
```

Other installation options are listed under Installation below.
Search for packages with an exact name match for "abbrev":

```shell
sbomgr packages -N 'abbrev' <sbom file or dir>
```

Search for packages whose name matches the regular expression "log4":

```shell
sbomgr packages -EN 'log4' <sbom file or dir>
```

Search for packages in an air-gapped environment (this disables the update check) for a name matching "log4":

```shell
export INTERLYNK_DISABLE_VERSION_CHECK=true
sbomgr packages -EN 'log4' <sbom file or dir>
```
## Features

- SBOM format agnostic; currently supports searching through SPDX and CycloneDX.
- Blazing Fast 🚀
- Output search results as jsonl.
- Supports RE2 regular expressions
## Usage

`sbomgr` can answer some of the most common SBOM use cases by searching an SBOM file or SBOM repository.
Count the SBOM files and packages in a directory:

```console
➜ sbomgr packages -c ~/data/sbom-repo/docker-images
sbom_files_matched: 86
packages_matched: 33556
```

Count the SBOM files and packages whose name matches the regular expression "zlib":

```console
➜ sbomgr packages -cEN 'zlib' ~/data/sbom-repo/docker-images
sbom_files_matched: 71
packages_matched: 145
```

Count the SBOM files and packages that carry a given checksum value:

```console
➜ sbomgr packages -c -H '5c260231de4f62ee26888776190b4c3fda6cbe14' ~/data/sbom-repo/docker-images
sbom_files_matched: 2
packages_matched: 2
```
Output matching packages as jsonl, here for names ending in `.zip` while recursing into sub-directories:

```console
➜ sbomgr packages -jrE -N '\.zip$' ~/data/ | jq .
{
  "path": "/home/riteshno/data/spdx-trivy-circleci_clojure-sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76.json",
  "format": "json",
  "spec": "spdx",
  "product_name": "circleci/clojure@sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76",
  "packages": [
    {
      "name": "org.clojure:data.zip",
      "version": "0.1.3",
      "purl": "pkg:maven/org.clojure/data.zip@0.1.3"
    }
  ],
  "matched": true
}
```
Include the license of each package in the jsonl output:

```console
➜ sbomgr packages -jl ~/data/some-sboms/julia.spdx | jq .
{
  "path": "/home/riteshno/data/some-sboms/julia.spdx",
  "format": "tag-value",
  "spec": "spdx",
  "product_name": "julia-spdx",
  "packages": [
    {
      "name": "Julia",
      "version": "1.8.0-DEV",
      "license": [
        {
          "name": "MIT License",
          "short": "MIT"
        }
      ]
    },
```
Use quiet mode in scripts; the exit status is 0 when the search criteria match and 1 when they do not:

```console
➜ sbomgr packages -qN 'abbrev' ~/tmp/app.spdx.json
➜ echo $?
0
➜ sbomgr packages -qN 'abbrev-random' ~/tmp/app.spdx.json
➜ echo $?
1
```
Select the output columns with a user-defined format:

```console
sbomgr packages -O 'toolv,tooln,pkgn,pkgv' ~/tmp/app.spdx.json
2.0.88 Microsoft.SBOMTool Coordinated Packages 229170
2.0.88 Microsoft.SBOMTool chalk 2.4.2
2.0.88 Microsoft.SBOMTool async-settle 1.0.0
```
## Docker

```shell
$ docker run [volume-maps] ghcr.io/interlynk-io/sbomgr [command] [options]
```

Example:

```console
$ docker run -v ~/interlynk/sbomlc/:/app/sbomlc ghcr.io/interlynk-io/sbomgr packages -c /app/sbomlc
Unable to find image 'ghcr.io/interlynk-io/sbomgr:latest' locally
latest: Pulling from interlynk-io/sbomgr
479c7812d0ff: Already exists
5b3064dc8fe2: Already exists
Digest: sha256:d359b7e6e2b870542500dc00967ca2c5a4e78c8f1658b5c6dbdc8330effe38f8
Status: Downloaded newer image for ghcr.io/interlynk-io/sbomgr:latest
A new version of sbomgr is available v0.0.6.
Matching file count: 3153
Matching package count: 716953
```
## Packages search flags

This section explains the flags relevant to the packages search feature. The packages search takes only a single argument, either a file or a directory. There are many flags which can be specified to control its behaviour.
Match criteria:

- `-N` or `--name`: package/component name search.
- `-C` or `--cpe`: package/component CPE search.
- `-P` or `--purl`: package/component PURL search.
- `-H` or `--checksum`: package/component checksum value search.

All of these match criteria are exclusive to each other.

Matching options:

- `-E` or `--extended-regexp`: indicates that the match criterion is a regular expression. The supported syntax is https://github.com/google/re2/wiki/Syntax.
- `-i` or `--ignore-case`: case-insensitive matching.

Output options:

- `-l` or `--license`: includes the license of the package/component in the output.
- `-q` or `--quiet`: suppresses all output of the tool; the return value of the tool is 0, indicating success, if it finds the search criteria.
- `--no-filename`: removes the filename from the output.
- `-j` or `--jsonl`: outputs the search results in jsonl.
- `-p` or `--print-errors`: includes errors encountered during searching. The default is to ignore them.
- `-O` or `--output-format`: user-defined output format. The options are:
  - `filen`: file path
  - `tooln`: tool with which the SBOM was generated; only prints the first one
  - `toolv`: tool version
  - `docn`: SBOM document name
  - `docv`: SBOM document version
  - `cpe`: package CPE; only prints the first one and indicates how many CPEs exist
  - `purl`: package PURL
  - `pkgn`: package name
  - `pkgv`: package version
  - `pkgl`: package licenses
  - `specn`: spec of the SBOM document, spdx or cdx
  - `chkn`: checksum name
  - `chkv`: checksum value
  - `repo`: repository URL
  - `direct`: whether the package is a direct dependency
- `-c` or `--count`: suppresses the normal output and prints matching counts of SBOM filenames and packages.

Input selection:

- `-r` or `--recurse`: when set, recursively scans all sub-directories.
- `--spdx`: searches only files which are SPDX.
- `--cdx`: searches only files which are CycloneDX.
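As an added example (not sbomgr's own code and not part of the original README), the Python below reimplements the core of the `-N`/`-H` match criteria with the `-E` and `-i` modifiers over two constructed in-memory documents, one SPDX JSON and one CycloneDX JSON, and returns a jsonl-style record shaped like the ones shown above. It uses Python's `re` module rather than RE2, and every package, checksum and PURL value in it is constructed.

```python
import re

# Constructed sample documents (not real SBOMs): one SPDX JSON and one CycloneDX JSON.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3", "name": "app-spdx",
    "packages": [
        {"name": "abbrev", "versionInfo": "1.1.1",
         "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:npm/abbrev@1.1.1"}],
         "checksums": [{"algorithm": "SHA1", "checksumValue": "ab" * 20}]},
        {"name": "log4js", "versionInfo": "6.4.0"},
    ],
}
CDX_DOC = {
    "bomFormat": "CycloneDX", "metadata": {"component": {"name": "svc", "version": "1.0"}},
    "components": [
        {"name": "Log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "hashes": [{"alg": "SHA-1", "content": "cd" * 20}]},
    ],
}

def normalise(doc):
    """Flatten SPDX JSON or CycloneDX JSON into (spec, product_name, packages)."""
    if "spdxVersion" in doc:
        pkgs = [{"name": p["name"], "version": p.get("versionInfo", ""),
                 "purl": next((r["referenceLocator"] for r in p.get("externalRefs", [])
                               if r.get("referenceType") == "purl"), ""),
                 "checksums": [c["checksumValue"] for c in p.get("checksums", [])]}
                for p in doc.get("packages", [])]
        return "spdx", doc.get("name", ""), pkgs
    meta = doc.get("metadata", {}).get("component", {})
    pkgs = [{"name": c["name"], "version": c.get("version", ""), "purl": c.get("purl", ""),
             "checksums": [h["content"] for h in c.get("hashes", [])]}
            for c in doc.get("components", [])]
    return "cdx", f"{meta.get('name', '')}@{meta.get('version', '')}", pkgs

def search(doc, path, name=None, checksum=None, regex=False, ignore_case=False):
    """One jsonl-style record per document; mirrors -N/-H with -E and -i (Python re, not RE2)."""
    spec, product, pkgs = normalise(doc)
    flags = re.IGNORECASE if ignore_case else 0
    def hit(p):
        if checksum is not None:  # -H: exact match against any checksum of the package
            return checksum in p["checksums"]
        if regex:                 # -E: treat the name criterion as a regular expression
            return re.search(name, p["name"], flags) is not None
        return p["name"].lower() == name.lower() if ignore_case else p["name"] == name
    matched = [{k: p[k] for k in ("name", "version", "purl")} for p in pkgs if hit(p)]
    return {"path": path, "format": "json", "spec": spec, "product_name": product,
            "packages": matched, "matched": bool(matched)}
```

Calling `search(CDX_DOC, "svc.cdx.json", name="log4", regex=True)` matches nothing while adding `ignore_case=True` matches `Log4j-core`, which is the difference between `-EN` and `-iEN` on real SBOMs.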
## Future work

- Search using files.
- Search using tool metadata.
- Search using CVE-ID.
- Search only direct dependencies.
- Search until a specified depth.
- Provide a list of malicious packages
## Samples

- A sample set of SBOMs is present in the samples directory above.
- SBOM Benchmark is a repository of SBOM and quality score for most popular containers and repositories
- SBOM Explorer is a command line utility to search and pull SBOMs
## Installation

### Using prebuilt binaries

https://github.com/interlynk-io/sbomgr/releases

### Using Homebrew

```shell
brew tap interlynk-io/interlynk
brew install sbomgr
```

### Using Go

```shell
go install github.com/interlynk-io/sbomgr@latest
```
### Building from source

This approach involves cloning the repo and building it.

- Clone the repo: `git clone git@github.com:interlynk-io/sbomgr.git`
- `cd` into the `sbomgr` folder
- Run `make build`
- To test if the build was successful, run the following command: `./build/sbomgr version`
## Contributions

We look forward to your contributions. Below are a few guidelines on how to submit them:

- Fork the repo
- Create your feature/bug branch (`git checkout -b feature/new-feature`)
- Commit your changes (`git commit -am "awesome new feature"`)
- Push your changes (`git push origin feature/new-feature`)
- Create a new pull request
- SBOM Assembler - A tool to compose a single SBOM by combining other (part) SBOMs
- SBOM Quality Score - A tool for evaluating the quality and completeness of SBOMs
- SBOM Search Tool - A tool for grep-style semantic search in SBOMs
- SBOM Explorer - A tool for discovering and downloading SBOM from a public repository
We appreciate all feedback. The best ways to get in touch with us:
If you like this project, please support us by starring it.