https://github.com/chains-project/sbom-files
Long term storage of software bills of materials (sbom) https://arxiv.org/pdf/2303.11102.pdf
Science Score: 36.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
○CITATION.cff file
-
✓codemeta.json file
Found codemeta.json file -
✓.zenodo.json file
Found .zenodo.json file -
○DOI references
-
○Academic publication links
-
✓Committers with academic emails
1 of 6 committers (16.7%) from academic institutions -
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (12.8%) to scientific vocabulary
Keywords from Contributors
Repository
Long term storage of software bills of materials (sbom) https://arxiv.org/pdf/2303.11102.pdf
Basic Info
Statistics
- Stars: 6
- Watchers: 5
- Forks: 1
- Open Issues: 3
- Releases: 0
Metadata Files
README.md
SBOMs
Long term storage of build provenance files / software bills of material (SBOM)
How are SBOM generated?
SLSA
SLSA is not a tool for generating an SBOM, but rather a set of requirements for the SBOM. Currently, the SBOM is generated by this action, which produces SBOM formatted as an In-toto attestation, which is the currently recommended format for an SBOM by SLSA.
There is a workflow called sbom.yml in Spoon that automatically
generates the provenance files for Spoon project for every commit to INRIA/spoon:master.
Sonatype-Lift
- Go to sonatype lift console and click the "dependenices" tab.
- Click "Export CycloneDX" button to export the SBOM in JSON format.
Renovate
- Inspired from Renovate's "Detected dependecies".
- Run the following command and you will get the list of
"Detected dependencies" in STDOUT and the log file.
bash renovate --token [REDACTED] --dry-run="extract" --autodiscover --autodiscover-filter "<org_name>/<repo_name>" --log-file="renovate.log"One may use Renovate's npm package or docker image to the run the above command. - See https://github.com/renovatebot/renovate/discussions/18258#discussion-4463299 for more information.
cdxgen
- Install cdxgen npm package.
sudo npm install -g @appthreat/cdxgen - Run.
cdxgen -t java -o bom.cdxgen.json
It seems that is uses CycloneDX maven plugin under the hood.
Link to GitHub repository: https://github.com/AppThreat/cdxgen
CycloneDX maven plugin
- Execute the maven-plugin at the root of the maven project.
sh $ mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.3:makeAggregateBom - The SBOM (
bom.jsonandbom.xml) is written inside the target folder.
Link to GitHub repository: https://github.com/CycloneDX/cyclonedx-maven-plugin
jbom
- Ran Spoon as CLI command and ensured that it would take long to end.
- Quickly ran jbom on another terminal lise so:
sh $ java -jar jbom-1.2.jar -p <process id>
Link to GitHub repository: https://github.com/eclipse/jbom/
Highlight Automated Code Scan
- Download the tar ball from the link below.
- Run the following command from the HLCS directory.
sh java -jar HighlightAutomation.jar --workingDir ~/chains/sbom-files/sorald/ --sourceDir ~/spoonlabs/sorald --skipUpload --technologies "Java"
Link to tool: https://doc.casthighlight.com/product-tutorials-third-party-tools/automated-code-scan-command-line/
The tools generates a lot of CSV files that can be uploaded to Highlight Platform (proprietary) to view the results.
FOSSA
- Click 'Start for Free' and then follow the steps.
- The report can be exported in SPDX format. However, only direct dependecies are included in the report in the free version.

Link to tool: https://fossa.com/
Meterian
- Download the jar from the link in this page - https://www.meterian.com/downloads/meterian-cli.jar.
- Run the following command in the root of your project.
sh $ java -jar /tmp/meterian-cli.jar - It will ask one to authenticate because the final report it generated has limited access.
Link to tool: https://meterian.io/product/open-source-licence-compliance/
SCANOSS
- Install the tool.
sh $ pip3 install scanoss - Run the tool.
sh $ scanoss-py scan <path-to-project-dir>
Link to tool: https://github.com/scanoss/scanoss.py
JFrog/build-info-go
- Download the executable from the GitHub page.
- Go to the root of the project and run:
sh $ bi mvn
Link to tool: https://github.com/jfrog/build-info-go
spdx-maven-plugin
- Run the following at the root of the maven project.
sh $ mvn org.spdx:spdx-maven-plugin:createSPDX
This plugin runs the tests of the maven project
Link to tool: https://github.com/spdx/spdx-maven-plugin
spdx-tools-java
- Download tool from the release page. > Used version 1.1.3 for the report generation.
- Run the following command (listed in Generators):
sh $ java -jar tools-java-1.1.0-jar-with-dependencies.jar GenerateVerificationCode <project-dir>
Link to the tool: https://github.com/spdx/tools-java
microsoft-sbom-tool
- Download tool.
sh $ curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 $ chmod +x sbom-tool>0.3.1was used to generate report. - Run the following command.
sh $ sbom-tool generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <package supplier> -nsb <namespace uri base>@algomaster99 ran:tools/microsoft-sbom-tool/sbom-tool generate -b /home/aman/chains/sbom-files/mybatis-3/microsoft-sbom-tool -bc . -pn mybatis -pv 3.5.11 -ps org.mybatis -nsb https://mybatis.org/mybatis-3/
spdx-sbom-generator
- Download tool from README. > URL: https://github.com/spdx/spdx-sbom-generator/releases/download/v0.0.10/spdx-sbom-generator-v0.0.10-linux-amd64.tar.gz
- Go to project directory and run.
$ ./spdx-sbom-generator
Link to tool: https://github.com/opensbom-generator/spdx-sbom-generator
swid-tools
- Clone project.
sh $ git clone git@github.com:usnistgov/swid-tools.git - Install project locally. Run the following at the root of the cloned project.
sh $ mvn clean install - Create
assembly.xmland modifypom.xmlas documented here. > maven plugin version:0.6.1 - Run
mvn package. - The plugin creates SWID tags and modified jar file in the target directory.
Link to tool: https://github.com/usnistgov/swid-tools
ort
- Clone project and build.
sh $ git clone --recurse-submodules https://github.com/oss-review-toolkit/ort.git $ cd ort $./gradlew installDist - Run analyzer
sh $ ../../tools/ort/cli/build/install/ort/bin/ort analyze -i . -o /home/aman/chains/sbom-files/mybatis-3/ort -f JSON - Run scanner
sh $ ../../tools/ort/cli/build/install/ort/bin/ort scan -i /home/aman/chains/sbom-files/mybatis-3/ort/analyze/analyzer-result.json -o /home/aman/chains/sbom-files/mybatis-3/ort/scan/ --skip-excluded> It uses scancode-toolkit to be installed first. > Was not working formybatisso I have not pushed the file to repo.
Link to tool: https://github.com/oss-review-toolkit/ort
scancode-toolkit
- Clone project and follow instructions here
to install the tool.
sh $ git clone git@github.com:nexB/scancode-toolkit.git - Activate the virtual environment where scancode is install after running
./scancode --help:sh $ source venv/bin/activate - Go to project directory.
sh $ scancode -clpeui -n 2 --json-pp /home/aman/chains/sbom-files/mybatis-3/scancode/scancode.json .
openrewrite
- Run maven plugin in the project.
sh $ mvn org.openrewrite.maven:rewrite-maven-plugin:4.39.0:cyclonedx
Link to tool: https://github.com/openrewrite/rewrite-maven-plugin
dep-scan
- Download tool.
sh curl -LO https://github.com/AppThreat/depscan-bin/releases/download/v3.5.3/depscan-linux-amd64 chmod +x depscan-linux-amd64 - Go to root of the project and run the executable.
sh ./depscan-linux-amd64 - The results are output to
<project-dir>/reports. We only requiresbom-java.jsonout of them.
Link to tool: https://github.com/AppThreat/dep-scan
bom
- Download tool from release page.
>
0.4.1 - Run at root directory.
sh $ bom generate -n http://example.com/ . -o sbom.spdx> Not sure what this-nis. - The above commands output a text file so we convert it into JSON.
- We use this package - https://pypi.org/project/spdx-tools/.
sh $ pyspdxtools_convertor -i sbom.spdx -o sbom.spdx.json -t json sbom.spdx.jsonis the output we need.
Link to tool: https://github.com/kubernetes-sigs/bom
Owner
- Name: CHAINS research project at KTH Royal Institute of Technology
- Login: chains-project
- Kind: organization
- Website: https://chains.proj.kth.se
- Repositories: 9
- Profile: https://github.com/chains-project
"Consistent Hardening and Analysis of Software Supply Chains" at KTH, funded by SSF
GitHub Events
Total
- Push event: 327
Last Year
- Push event: 327
Committers
Last synced: over 1 year ago
Top Committers
| Name | Commits | |
|---|---|---|
| provenance-bot | s****m@k****e | 1,030 |
| github-actions[bot]@users.noreply.github.com | g****] | 377 |
| Aman Sharma | m****0@g****m | 109 |
| Arvid Siberov | a****d@s****e | 7 |
| Martin Monperrus | m****s@g****g | 3 |
| MartinWitt | w****n@g****m | 2 |
Committer Domains (Top 20 + Academic)
Issues and Pull Requests
Last synced: over 1 year ago
All Time
- Total issues: 4
- Total pull requests: 6
- Average time to close issues: 3 months
- Average time to close pull requests: 3 days
- Total issue authors: 2
- Total pull request authors: 3
- Average comments per issue: 4.0
- Average comments per pull request: 1.17
- Merged pull requests: 4
- Bot issues: 0
- Bot pull requests: 1
Past Year
- Issues: 0
- Pull requests: 0
- Average time to close issues: N/A
- Average time to close pull requests: N/A
- Issue authors: 0
- Pull request authors: 0
- Average comments per issue: 0
- Average comments per pull request: 0
- Merged pull requests: 0
- Bot issues: 0
- Bot pull requests: 0
Top Authors
Issue Authors
- algomaster99 (3)
- javierron (1)
Pull Request Authors
- algomaster99 (4)
- MartinWitt (1)
- renovate[bot] (1)