https://github.com/chains-project/sbom-files

Long term storage of software bills of materials (sbom) https://arxiv.org/pdf/2303.11102.pdf

https://github.com/chains-project/sbom-files

Science Score: 36.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
    1 of 6 committers (16.7%) from academic institutions
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (12.8%) to scientific vocabulary

Keywords from Contributors

code-generation transformer
Last synced: 10 months ago · JSON representation

Repository

Long term storage of software bills of materials (sbom) https://arxiv.org/pdf/2303.11102.pdf

Basic Info
  • Host: GitHub
  • Owner: chains-project
  • Language: Python
  • Default Branch: main
  • Homepage:
  • Size: 109 MB
Statistics
  • Stars: 6
  • Watchers: 5
  • Forks: 1
  • Open Issues: 3
  • Releases: 0
Created almost 4 years ago · Last pushed 10 months ago
Metadata Files
Readme

README.md

SBOMs

Long term storage of build provenance files / software bills of material (SBOM)

How are SBOM generated?

SLSA

SLSA is not a tool for generating an SBOM, but rather a set of requirements for the SBOM. Currently, the SBOM is generated by this action, which produces SBOM formatted as an In-toto attestation, which is the currently recommended format for an SBOM by SLSA.

There is a workflow called sbom.yml in Spoon that automatically generates the provenance files for Spoon project for every commit to INRIA/spoon:master.

Sonatype-Lift

  1. Go to sonatype lift console and click the "dependenices" tab.
  2. Click "Export CycloneDX" button to export the SBOM in JSON format.

Renovate

  1. Inspired from Renovate's "Detected dependecies".
  2. Run the following command and you will get the list of "Detected dependencies" in STDOUT and the log file. bash renovate --token [REDACTED] --dry-run="extract" --autodiscover --autodiscover-filter "<org_name>/<repo_name>" --log-file="renovate.log" One may use Renovate's npm package or docker image to the run the above command.
  3. See https://github.com/renovatebot/renovate/discussions/18258#discussion-4463299 for more information.

cdxgen

  1. Install cdxgen npm package. sudo npm install -g @appthreat/cdxgen
  2. Run. cdxgen -t java -o bom.cdxgen.json

It seems that is uses CycloneDX maven plugin under the hood.

Link to GitHub repository: https://github.com/AppThreat/cdxgen

CycloneDX maven plugin

  1. Execute the maven-plugin at the root of the maven project. sh $ mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.3:makeAggregateBom
  2. The SBOM (bom.json and bom.xml) is written inside the target folder.

Link to GitHub repository: https://github.com/CycloneDX/cyclonedx-maven-plugin

jbom

  1. Ran Spoon as CLI command and ensured that it would take long to end.
  2. Quickly ran jbom on another terminal lise so: sh $ java -jar jbom-1.2.jar -p <process id>

Link to GitHub repository: https://github.com/eclipse/jbom/

Highlight Automated Code Scan

  1. Download the tar ball from the link below.
  2. Run the following command from the HLCS directory. sh java -jar HighlightAutomation.jar --workingDir ~/chains/sbom-files/sorald/ --sourceDir ~/spoonlabs/sorald --skipUpload --technologies "Java"

Link to tool: https://doc.casthighlight.com/product-tutorials-third-party-tools/automated-code-scan-command-line/

The tools generates a lot of CSV files that can be uploaded to Highlight Platform (proprietary) to view the results.

FOSSA

  1. Click 'Start for Free' and then follow the steps.
  2. The report can be exported in SPDX format. However, only direct dependecies are included in the report in the free version.

fossa.png

Link to tool: https://fossa.com/

Meterian

  1. Download the jar from the link in this page - https://www.meterian.com/downloads/meterian-cli.jar.
  2. Run the following command in the root of your project. sh $ java -jar /tmp/meterian-cli.jar
  3. It will ask one to authenticate because the final report it generated has limited access.

Link to tool: https://meterian.io/product/open-source-licence-compliance/

SCANOSS

  1. Install the tool. sh $ pip3 install scanoss
  2. Run the tool. sh $ scanoss-py scan <path-to-project-dir>

Link to tool: https://github.com/scanoss/scanoss.py

JFrog/build-info-go

  1. Download the executable from the GitHub page.
  2. Go to the root of the project and run: sh $ bi mvn

Link to tool: https://github.com/jfrog/build-info-go

spdx-maven-plugin

  1. Run the following at the root of the maven project. sh $ mvn org.spdx:spdx-maven-plugin:createSPDX

This plugin runs the tests of the maven project

Link to tool: https://github.com/spdx/spdx-maven-plugin

spdx-tools-java

  1. Download tool from the release page. > Used version 1.1.3 for the report generation.
  2. Run the following command (listed in Generators): sh $ java -jar tools-java-1.1.0-jar-with-dependencies.jar GenerateVerificationCode <project-dir>

Link to the tool: https://github.com/spdx/tools-java

microsoft-sbom-tool

  1. Download tool. sh $ curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 $ chmod +x sbom-tool > 0.3.1 was used to generate report.
  2. Run the following command. sh $ sbom-tool generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <package supplier> -nsb <namespace uri base> @algomaster99 ran: tools/microsoft-sbom-tool/sbom-tool generate -b /home/aman/chains/sbom-files/mybatis-3/microsoft-sbom-tool -bc . -pn mybatis -pv 3.5.11 -ps org.mybatis -nsb https://mybatis.org/mybatis-3/

spdx-sbom-generator

  1. Download tool from README. > URL: https://github.com/spdx/spdx-sbom-generator/releases/download/v0.0.10/spdx-sbom-generator-v0.0.10-linux-amd64.tar.gz
  2. Go to project directory and run. $ ./spdx-sbom-generator

Link to tool: https://github.com/opensbom-generator/spdx-sbom-generator

swid-tools

  1. Clone project. sh $ git clone git@github.com:usnistgov/swid-tools.git
  2. Install project locally. Run the following at the root of the cloned project. sh $ mvn clean install
  3. Create assembly.xml and modify pom.xml as documented here. > maven plugin version: 0.6.1
  4. Run mvn package.
  5. The plugin creates SWID tags and modified jar file in the target directory.

Link to tool: https://github.com/usnistgov/swid-tools

ort

  1. Clone project and build. sh $ git clone --recurse-submodules https://github.com/oss-review-toolkit/ort.git $ cd ort $./gradlew installDist
  2. Run analyzer sh $ ../../tools/ort/cli/build/install/ort/bin/ort analyze -i . -o /home/aman/chains/sbom-files/mybatis-3/ort -f JSON
  3. Run scanner sh $ ../../tools/ort/cli/build/install/ort/bin/ort scan -i /home/aman/chains/sbom-files/mybatis-3/ort/analyze/analyzer-result.json -o /home/aman/chains/sbom-files/mybatis-3/ort/scan/ --skip-excluded > It uses scancode-toolkit to be installed first. > Was not working for mybatis so I have not pushed the file to repo.

Link to tool: https://github.com/oss-review-toolkit/ort

scancode-toolkit

  1. Clone project and follow instructions here to install the tool. sh $ git clone git@github.com:nexB/scancode-toolkit.git
  2. Activate the virtual environment where scancode is install after running ./scancode --help: sh $ source venv/bin/activate
  3. Go to project directory. sh $ scancode -clpeui -n 2 --json-pp /home/aman/chains/sbom-files/mybatis-3/scancode/scancode.json .

openrewrite

  1. Run maven plugin in the project. sh $ mvn org.openrewrite.maven:rewrite-maven-plugin:4.39.0:cyclonedx

Link to tool: https://github.com/openrewrite/rewrite-maven-plugin

dep-scan

  1. Download tool. sh curl -LO https://github.com/AppThreat/depscan-bin/releases/download/v3.5.3/depscan-linux-amd64 chmod +x depscan-linux-amd64
  2. Go to root of the project and run the executable. sh ./depscan-linux-amd64
  3. The results are output to <project-dir>/reports. We only require sbom-java.json out of them.

Link to tool: https://github.com/AppThreat/dep-scan

bom

  1. Download tool from release page. > 0.4.1
  2. Run at root directory. sh $ bom generate -n http://example.com/ . -o sbom.spdx > Not sure what this -n is.
  3. The above commands output a text file so we convert it into JSON.
  4. We use this package - https://pypi.org/project/spdx-tools/. sh $ pyspdxtools_convertor -i sbom.spdx -o sbom.spdx.json -t json
  5. sbom.spdx.json is the output we need.

Link to tool: https://github.com/kubernetes-sigs/bom

Owner

  • Name: CHAINS research project at KTH Royal Institute of Technology
  • Login: chains-project
  • Kind: organization

"Consistent Hardening and Analysis of Software Supply Chains" at KTH, funded by SSF

GitHub Events

Total
  • Push event: 327
Last Year
  • Push event: 327

Committers

Last synced: over 1 year ago

All Time
  • Total Commits: 1,528
  • Total Committers: 6
  • Avg Commits per committer: 254.667
  • Development Distribution Score (DDS): 0.326
Past Year
  • Commits: 498
  • Committers: 1
  • Avg Commits per committer: 498.0
  • Development Distribution Score (DDS): 0.0
Top Committers
Name Email Commits
provenance-bot s****m@k****e 1,030
github-actions[bot]@users.noreply.github.com g****] 377
Aman Sharma m****0@g****m 109
Arvid Siberov a****d@s****e 7
Martin Monperrus m****s@g****g 3
MartinWitt w****n@g****m 2
Committer Domains (Top 20 + Academic)

Issues and Pull Requests

Last synced: over 1 year ago

All Time
  • Total issues: 4
  • Total pull requests: 6
  • Average time to close issues: 3 months
  • Average time to close pull requests: 3 days
  • Total issue authors: 2
  • Total pull request authors: 3
  • Average comments per issue: 4.0
  • Average comments per pull request: 1.17
  • Merged pull requests: 4
  • Bot issues: 0
  • Bot pull requests: 1
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • algomaster99 (3)
  • javierron (1)
Pull Request Authors
  • algomaster99 (4)
  • MartinWitt (1)
  • renovate[bot] (1)
Top Labels
Issue Labels
Pull Request Labels

Dependencies

mybatis-3/spdx-sbom-generator/bom-Java-Maven.spdx rubygems