sbomgr
SBOM Grep - search through SBOMs
sbomgr is a grep-like command line utility that searches an SBOM repository by criteria such as package name, checksum, CPE, and PURL.
go install github.com/interlynk-io/sbomgr@latest
Other installation options are listed in the Installation section below.
Basic usage
Search for packages with exact name matching "abbrev".
sbomgr packages -N 'abbrev' <sbom file or dir>
Search for packages with regexp name matching "log4"
sbomgr packages -EN 'log4' <sbom file or dir>
Search for packages with names matching "log4" in an air-gapped environment (the online version check is disabled)
export INTERLYNK_DISABLE_VERSION_CHECK=true
sbomgr packages -EN 'log4' <sbom file or dir>
Features
- SBOM format agnostic and currently supports searching through SPDX and CycloneDX.
- Blazing Fast :rocket:
- Output search results as jsonl.
- Supports RE2 regular expressions.
Use cases
sbomgr can answer some of the most common SBOM questions by searching a single SBOM file or an SBOM repository.
How many SBOM and packages exist in the repository?
➜ sbomgr packages -c ~/data/sbom-repo/docker-images
sbom_files_matched: 86
packages_matched: 33556
Are there packages with zlib in the name?
➜ sbomgr packages -cEN 'zlib' ~/data/sbom-repo/docker-images
sbom_files_matched: 71
packages_matched: 145
Are there packages with a given checksum?
➜ sbomgr packages -c -H '5c260231de4f62ee26888776190b4c3fda6cbe14' ~/data/sbom-repo/docker-images
sbom_files_matched: 2
packages_matched: 2
Create a JSON report of packages whose names end in .zip
➜ sbomgr packages -jrE -N '\.zip$' ~/data/ | jq .
{
"path": "/home/riteshno/data/spdx-trivy-circleci_clojure-sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76.json",
"format": "json",
"spec": "spdx",
"product_name": "circleci/clojure@sha256:d8944a6b1bec524314cf4889c104b302036690070a5353b64bb9d11b330e8c76",
"packages": [
{
"name": "org.clojure:data.zip",
"version": "0.1.3",
"purl": "pkg:maven/org.clojure/data.zip@0.1.3"
}
],
"matched": true
}
Create a JSON report of all licenses included in an SBOM
➜ sbomgr packages -jl ~/data/some-sboms/julia.spdx | jq .
{
"path": "/home/riteshno/data/some-sboms/julia.spdx",
"format": "tag-value",
"spec": "spdx",
"product_name": "julia-spdx",
"packages": [
{
"name": "Julia",
"version": "1.8.0-DEV",
"license": [
{
"name": "MIT License",
"short": "MIT"
}
]
},
During CI, check whether a known malicious package is present (the exit status is 0 if it was found and 1 if it was not)
➜ sbomgr packages -qN 'abbrev' ~/tmp/app.spdx.json
➜ echo $?
0
➜ sbomgr packages -qN 'abbrev-random' ~/tmp/app.spdx.json
➜ echo $?
1
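A CI gate built on that exit-status contract, as an added example that is not part of sbomgr or its documentation: it runs the quiet search once per name in a constructed denylist and fails the build if any name is present. The script name, the denylist entries and the DENYLIST variable are assumptions; it needs sbomgr on PATH.

```shell
#!/bin/sh
# ci_sbom_gate.sh (hypothetical name): fail a CI build when any denylisted
# package name appears in the build's SBOM. Relies only on the exit status of
# `sbomgr packages -qN <name> <sbom>` shown above: 0 = found, 1 = not found.

# Constructed denylist: one exact package name per line, '#' starts a comment.
# Can be overridden from the environment, e.g. DENYLIST="$(cat denylist.txt)".
DENYLIST="${DENYLIST:-
# illustrative names only
abbrev
event-stream
}"

# Strip comments and blank lines from the denylist, one name per output line.
denylist_names() {
    printf '%s\n' "$DENYLIST" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Exit 0 if package $1 is present in SBOM file $2, 1 otherwise (sbomgr's -q semantics).
sbom_has_package() {
    sbomgr packages -qN "$1" "$2"
}

# Check every denylisted name against SBOM file $1. Every hit is reported, not
# just the first, so the build log shows the full set; returns 1 on any hit.
sbom_denylist_gate() {
    sbom="$1"
    hits=0
    for name in $(denylist_names); do
        if sbom_has_package "$name" "$sbom"; then
            echo "DENIED: package '$name' present in $sbom" >&2
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# When run as a script with the SBOM path as its only argument:
#   ./ci_sbom_gate.sh app.spdx.json
if [ "$#" -eq 1 ]; then
    sbom_denylist_gate "$1"
fi
```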
Extract fields using a user-defined output format
sbomgr packages -O 'toolv,tooln,pkgn,pkgv' ~/tmp/app.spdx.json
2.0.88 Microsoft.SBOMTool Coordinated Packages 229170
2.0.88 Microsoft.SBOMTool chalk 2.4.2
2.0.88 Microsoft.SBOMTool async-settle 1.0.0
Using containerized sbomgr
$ docker run [volume-maps] ghcr.io/interlynk-io/sbomgr [command] [options]
Example
$ docker run -v ~/interlynk/sbomlc/:/app/sbomlc ghcr.io/interlynk-io/sbomgr packages -c /app/sbomlc
Unable to find image 'ghcr.io/interlynk-io/sbomgr:latest' locally
latest: Pulling from interlynk-io/sbomgr
479c7812d0ff: Already exists
5b3064dc8fe2: Already exists
Digest: sha256:d359b7e6e2b870542500dc00967ca2c5a4e78c8f1658b5c6dbdc8330effe38f8
Status: Downloaded newer image for ghcr.io/interlynk-io/sbomgr:latest
A new version of sbomgr is available v0.0.6.
Matching file count: 3153
Matching package count: 716953
Search flags
Packages
This section explains the flags relevant to the packages search feature. The packages search takes only a single argument, either a file or a directory. There are many flags that control its behaviour.
Match Criteria
- -N or --name: package/component name search.
- -C or --cpe: package/component CPE search.
- -P or --purl: package/component PURL search.
- -H or --checksum: package/component checksum value search.
All of these match criteria are mutually exclusive.
Pattern Matching
- -E or --extended-regexp: treats the match criterion as a regular expression. The supported syntax is https://github.com/google/re2/wiki/Syntax.
Matching Control
- -i or --ignore-case: case-insensitive matching.
Output Control
- -l or --license: includes the license of the package/component in the output.
- -q or --quiet: suppresses all output of the tool; the exit status is 0 (success) if the search criteria matched.
- --no-filename: removes the filename from the output.
- -j or --jsonl: outputs the search results as jsonl.
- -p or --print-errors: includes errors encountered during searching. The default is to ignore them.
- -O or --output-format: user-defined output format. The options are listed below.
  - filen: file path
  - tooln: tool with which the SBOM was generated; only prints the first one
  - toolv: tool version
  - docn: SBOM document name
  - docv: SBOM document version
  - cpe: package CPE; only prints the first one and indicates how many CPEs exist
  - purl: package PURL
  - pkgn: package name
  - pkgv: package version
  - pkgl: package licenses
  - specn: spec of the SBOM document, spdx or cdx
  - chkn: checksum name
  - chkv: checksum value
Stats Control
- -c or --count: suppresses the normal output and prints the matching counts of SBOM filenames and packages.
Directory Control
- -r or --recurse: when set, recursively scans all subdirectories.
Spec Control
- --spdx: searches only files which are SPDX.
- --cdx: searches only files which are CycloneDX.
Future work
- Search using files.
- Search using tool metadata.
- Search using CVE-ID.
- Search only direct dependencies.
- Search until a specified depth.
- Provide a list of malicious packages
SBOM Samples
- A sample set of SBOMs is present in the samples directory of the repository.
- SBOM Benchmark is a repository of SBOMs and quality scores for the most popular containers and repositories.
- SBOM Explorer is a command line utility to search and pull SBOMs.
Installation
Using Prebuilt binaries
https://github.com/interlynk-io/sbomgr/releases
Using Homebrew
brew tap interlynk-io/interlynk
brew install sbomgr
Using Go install
go install github.com/interlynk-io/sbomgr@latest
Using repo
This approach involves cloning the repo and building it.
- Clone the repo: git clone git@github.com:interlynk-io/sbomgr.git
- cd into the sbomgr folder
- make build
- To test if the build was successful, run: ./build/sbomgr version
Contributions
We look forward to your contributions; below are a few guidelines on how to submit them:
- Fork the repo
- Create your feature/bug branch (git checkout -b feature/new-feature)
- Commit your changes (git commit -am "awesome new feature")
- Push your changes (git push origin feature/new-feature)
- Create a new pull request
Other SBOM Open Source tools
- SBOM Assembler - A tool to compose a single SBOM by combining other (part) SBOMs
- SBOM Quality Score - A tool for evaluating the quality and completeness of SBOMs
- SBOM Search Tool - A tool for grep-style semantic search in SBOMs
- SBOM Explorer - A tool for discovering and downloading SBOM from a public repository
Contact
We appreciate all feedback. The best ways to get in touch with us:
- :phone: Live Chat
- 📫 Email Us
- 🐛 Report a bug or enhancement
- :x: Follow us on X
Stargazers
If you like this project, please support us by starring it.