Metadata-Version: 2.1
Name: sbom2doc
Version: 0.1.2
Summary: SBOM generator for Python modules
Home-page: https://github.com/anthonyharrison/sbom2doc
Author: Anthony Harrison
Author-email: anthony.p.harrison@gmail.com
Maintainer: Anthony Harrison
Maintainer-email: anthony.p.harrison@gmail.com
License: Apache-2.0
Keywords: documentation,tools,SBOM,DevSecOps,SPDX,CycloneDX
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Requires-Python: >=3.7
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: lib4sbom (>=0.3.0)
Requires-Dist: rich
Requires-Dist: reportlab

# SBOM2DOC

SBOM2DOC documents and summarises the components within an SBOM (Software Bill of Materials). SBOMs are supported in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).

## Installation

To install use the following command:

`pip install sbom2doc`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.7+). It is recommended to use a virtual Python environment, especially
if you are using different versions of Python. `virtualenv` is a tool for setting up virtual Python environments which
allows you to have all the dependencies for the tool set up in a single environment, or to have different environments set
up for testing with different versions of Python.

## Usage

```
usage: sbom2doc [-h] [-i INPUT_FILE] [--debug] [-f {console,markdown,pdf}] [-o OUTPUT_FILE] [-V]

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        Name of SBOM file

Output:
  --debug               add debug information
  -f {console,markdown,pdf}, --format {console,markdown,pdf}
                        Output format (default: output to console)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)

```
## Operation

The `--input-file` option is used to specify the SBOM to be processed. The format of the SBOM is determined according to
the following filename conventions.

| SBOM      | Format    | Filename extension |
| --------- | --------- |--------------------|
| SPDX      | TagValue  | .spdx              |
| SPDX      | JSON      | .spdx.json         |
| SPDX      | YAML      | .spdx.yaml         |
| SPDX      | YAML      | .spdx.yml          |
| CycloneDX | JSON      | .json              |

The `--output-file` option controls where the generated report is written. By default the report goes to the
console; give `--output-file` a filename to store it in a file instead. The `--format` option selects the report
style (`console`, `markdown` or `pdf`).

## Example

Given the following SBOM (flask.spdx)

```
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: flask
DocumentNamespace: http://spdx.org/spdxdocs/flask-529abb33-fcd0-4d40-9de8-38e97ff00df9
LicenseListVersion: 3.18
Creator: Tool: sbom4python-0.7.0
Created: 2023-01-27T16:16:26Z
CreatorComment: <text>This document has been automatically generated.</text>

PackageName: flask
SPDXID: SPDXRef-Package-1-flask
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/flask@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:flask:2.2.2:*:*:*:*:*:*:*

PackageName: click
SPDXID: SPDXRef-Package-2-click
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 8.0.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/click@8.0.3
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:click:8.0.3:*:*:*:*:*:*:*

PackageName: itsdangerous
SPDXID: SPDXRef-Package-3-itsdangerous
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/itsdangerous@2.1.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:itsdangerous:2.1.2:*:*:*:*:*:*:*

PackageName: jinja2
SPDXID: SPDXRef-Package-4-jinja2
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 3.0.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jinja2@3.0.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:jinja2:3.0.2:*:*:*:*:*:*:*

PackageName: markupsafe
SPDXID: SPDXRef-Package-5-markupsafe
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.1.1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.1
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:markupsafe:2.1.1:*:*:*:*:*:*:*

PackageName: werkzeug
SPDXID: SPDXRef-Package-6-werkzeug
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/werkzeug@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:werkzeug:2.2.2:*:*:*:*:*:*:*
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-2-click
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-3-itsdangerous
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-4-jinja2
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-6-werkzeug
Relationship: SPDXRef-Package-4-jinja2 DEPENDS_ON SPDXRef-Package-5-markupsafe
Relationship: SPDXRef-Package-6-werkzeug DEPENDS_ON SPDXRef-Package-5-markupsafe

```

The following command generates a summary of the contents of the SBOM on the console.

```
sbom2doc --input-file flask.spdx

╭──────────────╮
│ SBOM Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Item          ┃ Details                ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━┩
│ SBOM File     │ /tmp/flask.spdx        │
│ SBOM Type     │ spdx                   │
│ Version       │ SPDX-2.2               │
│ Name          │ flask                  │
│ Creator       │ Tool:sbom4python-0.7.0 │
│ Created       │ 2023-01-30T18:10:18Z   │
│ Files         │ 0                      │
│ Packages      │ 6                      │
│ Relationships │ 7                      │
└───────────────┴────────────────────────┘
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Name         ┃ Version ┃ Supplier                                     ┃ License      ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ flask        │ 2.2.2   │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ click        │ 8.0.3   │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ itsdangerous │ 2.1.2   │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ jinja2       │ 3.0.2   │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ markupsafe   │ 2.1.1   │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
│ werkzeug     │ 2.2.2   │ Armin Ronacher (armin.ronacher@active-4.com) │ BSD-3-Clause │
└──────────────┴─────────┴──────────────────────────────────────────────┴──────────────┘
╭─────────────────╮
│ License Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━┓
┃ License      ┃ Count ┃
┡━━━━━━━━━━━━━━╇━━━━━━━┩
│ BSD-3-Clause │ 6     │
└──────────────┴───────┘
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┓
┃ Element                            ┃ Status ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━┩
│ All file information provided?     │ True   │
│ All package information provided?  │ True   │
│ Creator identified?                │ True   │
│ Creation time identified?          │ True   │
│ Dependency relationships provided? │ True   │
└────────────────────────────────────┴────────┘

NTIA conformant True
```
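The script below is an added example, not sbom2doc's own code (sbom2doc itself depends on the lib4sbom library). It implements the filename convention from the Operation section and a small SPDX tag-value reader that reproduces the Package Summary, License Summary and NTIA Summary shown above. `SAMPLE_SPDX` is a constructed, trimmed copy of the flask example so the script runs offline; the function names `detect_format`, `parse_spdx_tagvalue`, `package_summary`, `license_summary` and `ntia_check` are this example's own and are not part of sbom2doc.

```python
# Added example, not sbom2doc's own code: a minimal SPDX tag-value reader that
# reproduces the kind of summary shown above, plus the filename-based format
# detection described under "Operation". SAMPLE_SPDX is a trimmed copy of the
# page's flask example, embedded so the script runs offline.
import re
from collections import Counter

# Filename conventions from the README table. Longer suffixes are checked first
# so that "bom.spdx.json" is classified as SPDX rather than CycloneDX.
FORMAT_BY_SUFFIX = [
    (".spdx.json", ("spdx", "json")),
    (".spdx.yaml", ("spdx", "yaml")),
    (".spdx.yml", ("spdx", "yaml")),
    (".spdx", ("spdx", "tagvalue")),
    (".json", ("cyclonedx", "json")),
]

def detect_format(filename):
    """Return (sbom_type, encoding), or None for an unrecognised extension."""
    for suffix, fmt in FORMAT_BY_SUFFIX:
        if filename.lower().endswith(suffix):
            return fmt
    return None

SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
Creator: Tool: sbom4python-0.7.0
Created: 2023-01-27T16:16:26Z
PackageName: flask
SPDXID: SPDXRef-Package-1-flask
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 2.2.2
PackageLicenseConcluded: BSD-3-Clause
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/flask@2.2.2
ExternalRef: SECURITY cpe23Type cpe:2.3:a:armin_ronacher:flask:2.2.2:*:*:*:*:*:*:*
PackageName: click
SPDXID: SPDXRef-Package-2-click
PackageSupplier: Person: Armin Ronacher (armin.ronacher@active-4.com)
PackageVersion: 8.0.3
PackageLicenseConcluded: BSD-3-Clause
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-1-flask
Relationship: SPDXRef-Package-1-flask DEPENDS_ON SPDXRef-Package-2-click
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_spdx_tagvalue(text):
    """Parse the single-line subset of SPDX tag-value used in the example
    (multi-line <text>...</text> values are not handled)."""
    doc, packages, relationships = {}, [], []
    current = None                      # package whose tags are being collected
    for raw in text.splitlines():
        match = TAG_RE.match(raw.strip())
        if not match:
            continue
        tag, value = match.groups()
        if tag == "PackageName":        # a new package section starts here
            current = {"PackageName": value, "ExternalRef": []}
            packages.append(current)
        elif tag == "Relationship":
            relationships.append(tuple(value.split()))
        elif current is None:           # still in the document header
            doc[tag] = value
        elif tag == "ExternalRef":      # repeatable tag, keep every value
            current["ExternalRef"].append(value)
        else:
            current[tag] = value
    return {"document": doc, "packages": packages, "relationships": relationships}

def package_summary(sbom):
    """Rows like the Package Summary table: (name, version, supplier, licence)."""
    rows = []
    for pkg in sbom["packages"]:
        supplier = pkg.get("PackageSupplier", "NOASSERTION")
        if ":" in supplier:             # drop the SPDX actor prefix, e.g. "Person: "
            supplier = supplier.split(":", 1)[1].strip()
        rows.append((pkg["PackageName"], pkg.get("PackageVersion", ""),
                     supplier, pkg.get("PackageLicenseConcluded", "NOASSERTION")))
    return rows

def license_summary(sbom):
    """Licence -> number of packages concluded under it."""
    return Counter(p.get("PackageLicenseConcluded", "NOASSERTION")
                   for p in sbom["packages"])

def ntia_check(sbom):
    """NTIA minimum-element checks, named like the NTIA Summary table rows."""
    pkgs, doc = sbom["packages"], sbom["document"]
    ids = [p.get("SPDXID") for p in pkgs]
    return {
        "All package information provided?": all(
            p.get("PackageSupplier") and p.get("PackageVersion") and p.get("SPDXID")
            for p in pkgs) and len(set(ids)) == len(ids),
        "Creator identified?": bool(doc.get("Creator")),
        "Creation time identified?": bool(doc.get("Created")),
        "Dependency relationships provided?": any(
            len(r) == 3 and r[1] == "DEPENDS_ON" for r in sbom["relationships"]),
    }
```

Call `parse_spdx_tagvalue(SAMPLE_SPDX)` and hand the result to the three summary functions; `all(ntia_check(bom).values())` is the equivalent of the `NTIA conformant` line. Deleting a package's `PackageVersion` from the input flips `All package information provided?` to `False`, which is exactly the kind of gap the NTIA Summary exists to surface before an SBOM is trusted downstream.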

## Licence

Licenced under the Apache 2.0 Licence.

## Limitations

The tool has the following limitations:

- SBOMs in RDF (SPDX) and XML (SPDX and CycloneDX) formats are not supported.

- The tool does not validate the SBOM it is given; an invalid SBOM produces unpredictable results, so run a validator first on any SBOM from an untrusted source before relying on the summary.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.
