Metadata-Version: 2.1
Name: sbom4windows
Version: 0.1.0
Summary: SBOM generator for Windows installation
Home-page: https://github.com/anthonyharrison/sbom4windows
Author: Anthony Harrison
Author-email: anthony.p.harrison@gmail.com
Maintainer: Anthony Harrison
Maintainer-email: anthony.p.harrison@gmail.com
License: Apache-2.0
Keywords: security,tools,SBOM,DevSecOps,SPDX,CycloneDX,Microsoft,Windows
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: lib4sbom>=0.8.0
Requires-Dist: pefile

# SBOM4windows
The SBOM4Windows is a free, open source tool to generate a 
SBOM (Software Bill of Materials) for a Windows installation in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).

## Installation

To install use the following command:

`pip install sbom4windows`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.9+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.

#### Linux based system

SBOM4Windows requires additional utilities to manipulate the various Windows files which need to be installed using a package manager, for example

```bash
apt install msitools
apt install cabextract
apt install p7zip-full
```

If the utilities are not found, the application will fail.

## Usage

```bash
usage: sbom4windows [-h] [--directory DIRECTORY] [--system] [-n NAME] [-d] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V]

SBOM4Windows generates a Software Bill of Materials for a windows installation.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  --directory DIRECTORY
                        root directory
  --system              include all installed modules within system
  -n NAME, --name NAME  Name of installation

Output:
  -d, --debug           add debug information
  --sbom {spdx,cyclonedx}
                        specify type of sbom to generate (default: spdx)
  --format {tag,json,yaml}
                        specify format of software bill of materials (sbom) (default: tag)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
```
						
## Operation

The `--directory` option is used to specify the root directory of the system files. The `--system` option is only used on Windows based systems and will generate a SBOM for all installed system files.
One of `--directory` or `--system` must be specified.

The `--name` option is used to provide a descriptive name for the installation.

The `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option
can be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both
SPDX and CycloneDX SBOMs).

The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).

## Licence

Licenced under the Apache 2.0 Licence.

The tool uses a local copy of the [SPDX Licenses List](https://github.com/spdx/license-list-data) which is released under
[Creative Commons Attribution 3.0 (CC-BY-3.0)](http://creativecommons.org/licenses/by/3.0/).

## Limitations

The usefulness of the tool is dependent on the data which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool
are therefore reminded that they should assert the quality of any data which is provided to the tool.

The tool uses information contained within various files including .CAB, .MSI, .EXE and .DLL files to create the SBOM. Data files are ignored. The location of each component is included when the
dependecy is found within the files within the directory structure which is being processed.

When processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct [SPDX License Identifiers](https://spdx.org/licenses/). However, the
user of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

