Long term storage of build provenance files / software bills of material (SBOM)
SLSA is not a tool for generating an SBOM, but rather a set of requirements for the SBOM. Currently, the SBOM is generated by this action, which produces SBOM formatted as an In-toto attestation, which is the currently recommended format for an SBOM by SLSA.
There is a workflow called sbom.yml in Spoon that automatically
generates the provenance files for Spoon project for every commit to INRIA/spoon:master
.
- Go to sonatype lift console and click the "dependenices" tab.
- Click "Export CycloneDX" button to export the SBOM in JSON format.
- Inspired from Renovate's "Detected dependecies".
- Run the following command and you will get the list of
"Detected dependencies" in STDOUT and the log file.
One may use Renovate's npm package or docker image to the run the above command.
renovate --token [REDACTED] --dry-run="extract" --autodiscover --autodiscover-filter "<org_name>/<repo_name>" --log-file="renovate.log"
- See renovatebot/renovate#18258 (comment) for more information.
- Install cdxgen npm package.
sudo npm install -g @appthreat/cdxgen
- Run.
cdxgen -t java -o bom.cdxgen.json
It seems that is uses CycloneDX maven plugin under the hood.
Link to GitHub repository: https://github.com/AppThreat/cdxgen
- Execute the maven-plugin at the root of the maven project.
$ mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.3:makeAggregateBom
- The SBOM (
bom.json
andbom.xml
) is written inside the target folder.
Link to GitHub repository: https://github.com/CycloneDX/cyclonedx-maven-plugin
- Ran Spoon as CLI command and ensured that it would take long to end.
- Quickly ran jbom on another terminal lise so:
$ java -jar jbom-1.2.jar -p <process id>
Link to GitHub repository: https://github.com/eclipse/jbom/
- Download the tar ball from the link below.
- Run the following command from the HLCS directory.
java -jar HighlightAutomation.jar --workingDir ~/chains/sbom-files/sorald/ --sourceDir ~/spoonlabs/sorald --skipUpload --technologies "Java"
Link to tool: https://doc.casthighlight.com/product-tutorials-third-party-tools/automated-code-scan-command-line/
The tools generates a lot of CSV files that can be uploaded to Highlight Platform (proprietary) to view the results.
- Click 'Start for Free' and then follow the steps.
- The report can be exported in SPDX format. However, only direct dependecies are included in the report in the free version.
Link to tool: https://fossa.com/
- Download the jar from the link in this page - https://www.meterian.com/downloads/meterian-cli.jar.
- Run the following command in the root of your project.
$ java -jar /tmp/meterian-cli.jar
- It will ask one to authenticate because the final report it generated has limited access.
Link to tool: https://meterian.io/product/open-source-licence-compliance/
- Install the tool.
$ pip3 install scanoss
- Run the tool.
$ scanoss-py scan <path-to-project-dir>
Link to tool: https://github.com/scanoss/scanoss.py
- Download the executable from the GitHub page.
- Go to the root of the project and run:
$ bi mvn
Link to tool: https://github.com/jfrog/build-info-go
- Run the following at the root of the maven project.
$ mvn org.spdx:spdx-maven-plugin:createSPDX
This plugin runs the tests of the maven project
Link to tool: https://github.com/spdx/spdx-maven-plugin
- Download tool from the release page.
Used version 1.1.3 for the report generation.
- Run the following command (listed in Generators):
$ java -jar tools-java-1.1.0-jar-with-dependencies.jar GenerateVerificationCode <project-dir>
Link to the tool: https://github.com/spdx/tools-java
- Download tool.
$ curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 $ chmod +x sbom-tool
0.3.1
was used to generate report. - Run the following command.
@algomaster99 ran:
$ sbom-tool generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <package supplier> -nsb <namespace uri base>
tools/microsoft-sbom-tool/sbom-tool generate -b /home/aman/chains/sbom-files/mybatis-3/microsoft-sbom-tool -bc . -pn mybatis -pv 3.5.11 -ps org.mybatis -nsb https://mybatis.org/mybatis-3/
- Download tool from README.
- Go to project directory and run.
$ ./spdx-sbom-generator
Link to tool: https://github.com/opensbom-generator/spdx-sbom-generator
- Clone project.
$ git clone [email protected]:usnistgov/swid-tools.git
- Install project locally. Run the following at the root of the cloned project.
$ mvn clean install
- Create
assembly.xml
and modifypom.xml
as documented here.maven plugin version:
0.6.1
- Run
mvn package
. - The plugin creates SWID tags and modified jar file in the target directory.
Link to tool: https://github.com/usnistgov/swid-tools
- Clone project and build.
$ git clone --recurse-submodules https://github.com/oss-review-toolkit/ort.git $ cd ort $./gradlew installDist
- Run analyzer
$ ../../tools/ort/cli/build/install/ort/bin/ort analyze -i . -o /home/aman/chains/sbom-files/mybatis-3/ort -f JSON
- Run scanner
$ ../../tools/ort/cli/build/install/ort/bin/ort scan -i /home/aman/chains/sbom-files/mybatis-3/ort/analyze/analyzer-result.json -o /home/aman/chains/sbom-files/mybatis-3/ort/scan/ --skip-excluded
It uses scancode-toolkit to be installed first. Was not working for
mybatis
so I have not pushed the file to repo.
Link to tool: https://github.com/oss-review-toolkit/ort
- Clone project and follow instructions here
to install the tool.
$ git clone [email protected]:nexB/scancode-toolkit.git
- Activate the virtual environment where scancode is install after running
./scancode --help
:$ source venv/bin/activate
- Go to project directory.
$ scancode -clpeui -n 2 --json-pp /home/aman/chains/sbom-files/mybatis-3/scancode/scancode.json .
- Run maven plugin in the project.
$ mvn org.openrewrite.maven:rewrite-maven-plugin:4.39.0:cyclonedx
Link to tool: https://github.com/openrewrite/rewrite-maven-plugin
- Download tool.
curl -LO https://github.com/AppThreat/depscan-bin/releases/download/v3.5.3/depscan-linux-amd64 chmod +x depscan-linux-amd64
- Go to root of the project and run the executable.
./depscan-linux-amd64
- The results are output to
<project-dir>/reports
. We only requiresbom-java.json
out of them.
Link to tool: https://github.com/AppThreat/dep-scan
- Download tool from release page.
0.4.1
- Run at root directory.
$ bom generate -n http://example.com/ . -o sbom.spdx
Not sure what this
-n
is. - The above commands output a text file so we convert it into JSON.
- We use this package - https://pypi.org/project/spdx-tools/.
$ pyspdxtools_convertor -i sbom.spdx -o sbom.spdx.json -t json
sbom.spdx.json
is the output we need.
Link to tool: https://github.com/kubernetes-sigs/bom