Welcome to apt2sbom
This package contains a library and a CLI tool to convert a Ubuntu software package inventory to a software bill of materials. You are in the wrong place if you are not running Ubuntu.
The package is under active development. Don't be surprised if something doesn't work quite right. please see CONTRIBUTING.md for details.
Building
Building is easy:
- Bop the version on setup.cfg
- python3 -m build -w
- cd dist
- pip3 install that file
Do this, of course, on a Ubuntu system.
Usage
To use the CLI tool:
% apt2sbom (--json|--yaml|--cyclonedx [--pip])
Will produce either JSON or YAML forms of an SPDX file, or the JSON form of a CycloneDX file . There is no default. Pick one.
To include python packages, add --pip.
There is also a werkzeug interface so that an SBOM file can be delivered via HTTP. To use, create a simple wsgi file as follows:
from apt2sbom.wsbom import app as application
application = create_app(\_name\_)
and call that file from your httpd. An apache example follows:
WSGIScriptAlias /.well-known/sbom /usr/lib/cgi-bin/sbom.wsgi
WSGIPassAuthorization On
When this is done, a very simple password file is expected in /etc/sbom.users:
{
"user" : "password",
"otheruser" : "otherpassword",
...
}
The passwords aren't hashed. This is clearly something that has to be addressed in the future.
The type of SBOM returned depends on the Accepts: header sent.