bomctl is format-agnostic Software Bill of Materials (SBOM) tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex SBOM operations on multiple SBOM files that represent systems by being opinionated on only supporting the NTIA minimum fields or other fields supported by protobom.
Note
This is an experimental project under active development. We'd love feedback on the concept, scope, and architecture!
- Work with multiple SBOMs in tree structures (through external references)
- Fetch and push SBOMs using multiple supported protocols
- Leverage a
.netrcfile to handle authentication - Manage SBOMs using a persistent database cache
- FUTURE - Manipulate SBOMs with commands like
diff,split, andredact - FUTURE - Interface with other OpenSSF projects and services like GUAC and Sigstore
- #bomctl on OpenSSF Slack
- OpenSSF Security Tooling Working Group Meeting - Every other Friday at 8am Pacific
- SBOM Tooling Working Meeting - Every Monday, 2pm Pacific
brew tap bomctl/bomctl && brew install bomctlContainer images for bomctl can be found on Docker Hub.
docker run bomctl/bomctl:latest --helpTo install bomctl, you need the following:
git clone https://github.com/bomctl/bomctl.git
cd bomctl| Platform | make Command |
task Command |
|---|---|---|
| linux/amd64 | make build-linux-amd |
task build:linux:amd |
| linux/arm | make build-linux-arm |
task build:linux:arm |
| windows/amd64 | make build-windows-amd |
task build:windows:amd |
| windows/arm | make build-windows-arm |
task build:windows:arm |
| darwin/amd64 | make build-macos-intel |
task build:macos:intel |
| darwin/arm | make build-macos-apple |
task build:macos:apple |
bomctl stores SBOMs in a cache database, this allows more complex cross SBOM document operations to exist. This is a fundemental concept; files are not directly modified, the cache is.
bomctl uses the protobom library to store the SBOM component graph in an SBOM agnostic format. When you interact with the bomctl cache, you are interacting with the protobom library.
- SBOMs are read and loaded into the cache
- Operations are performed on the cached SBOMs
- SBOMs are outputted out of the cache
Edit the alias for an SBOM document.
Note
An SBOM document can only have a single alias and each alias must be globally unique.
bomctl alias [command]
Subcommands:
list List all alias definitions
remove Remove the alias for a specific document
set Set the alias for a specific document
Flags:
-h, --help help for aliasExport stored SBOM(s) to filesystem
bomctl export [flags] SBOM_ID...
Flags:
-e, --encoding CHOICE Output encoding ('xml' supported for CycloneDX formats only) [json, xml] (default json)
-f, --format CHOICE Output format [original, spdx, spdx-2.3, cyclonedx, cyclonedx-1.0, cyclonedx-1.1, cyclonedx-1.2, cyclonedx-1.3, cyclonedx-1.4, cyclonedx-1.5, cyclonedx-1.6] (default original)
-h, --help help for export
-o, --output-file FILE Path to output fileAbility to retrieve SBOM files over several protocols and web APIs, including HTTPS, OCI, Git, GitHub, and GitLab.
bomctl fetch [flags] SBOM_URL...
Flags:
--alias string Readable identifier to apply to document
-h, --help help for fetch
--netrc Use .netrc file for authentication to remote hosts
-o, --output-file FILE Path to output file
--tag stringArray Tag(s) to apply to document (can be specified multiple times)This includes recursive loading of external references in an SBOM to other SBOMs and placing them into the persistent cache. If SBOMs are access controlled, a user's .netrc file can be used to authenticate.
The following example will fetch this CycloneDX SBOM that represents a container image and will then recursively fetch an externally referenced SBOM that represents an application within the container image.
bomctl fetch https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl-container-image/bomctl_bomctl_v0.3.0.cdx.jsonAlternatively, use the following syntax to directly fetch the most recent dependency graph SBOM of a GitHub repository (In this case, the bomctl repository). This syntax works for both public and private repositories, although credentials will need to be provided via --netrc to access a private repo.
bomctl fetch https://github.com/bomctl/bomctlAn SBOM may also be fetched from a GitLab repository through the DependencyListExport web API by using the following URL format. Authorization for this command is configured by assigning the value of your GitLab token to the BOMCTL_GITLAB_TOKEN environment variable.
bomctl fetch https://www.gitlab.com/PROJECT/REPOSITORY@BRANCHImport SBOM files from either standard input or the local file system.
bomctl import [flags] { - | FILE...}
Flags:
--alias stringArray Readable identifier(s) to apply to imported document(s) (specify multiple times for multiple documents)
-h, --help help for import
--tag stringArray Tag(s) to apply to all imported documents (can be specified multiple times)Edit links between documents and/or nodes
bomctl link [command]
Subcommands:
add Add a link from a document or node to a document
clear Remove all links from specified documents and nodes
list List the links of a document or node
remove Remove specified links from a document or node
Flags:
-h, --help help for link
-t, --type CHOICE Type referenced by SRC_ID [node, document] (default node)List cached SBOM documents.
bomctl list [flags] SBOM_ID...
Aliases:
list, ls
Flags:
-h, --help help for list
--tag stringArray Tag(s) used to filter documents (can be specified multiple times)Merge specified cached SBOM documents.
bomctl merge [flags] DOCUMENT_ID...
Flags:
--alias string Readable identifier to apply to merged document
-h, --help help for merge
-n, --name string Name of merged document
--tag stringArray Tag(s) to apply to merged document (can be specified multiple times)Push stored SBOM file to remote URL or filesystem
bomctl push [flags] SBOM_ID DEST_PATH
Flags:
-e, --encoding CHOICE Output encoding ('xml' supported for CycloneDX formats only) [json, xml] (default json)
-f, --format CHOICE Output format [original, spdx, spdx-2.3, cyclonedx, cyclonedx-1.0, cyclonedx-1.1, cyclonedx-1.2, cyclonedx-1.3, cyclonedx-1.4, cyclonedx-1.5, cyclonedx-1.6] (default original)
-h, --help help for push
--netrc Use .netrc file for authentication to remote hosts
--tree Recursively push all SBOMs in external reference treeEdit the tags of an SBOM document.
bomctl tag [command]
Subcommands:
add Add tags to a document
clear Clear all tags from a document
list List the tags of a document
remove Remove specified tags from a document
Flags:
-h, --help help for tagThe project is focused on building an architecture that enables reading in, operating on, and reading out collections of SBOM files independent of format. This project requires an architecture that prioritizes the relationships between components in a SBOM document and between SBOM documents.
Once this architecture is established, more complex operations can be implemented. This operations include:
diff- Generating diffs between components and component dependencies
- Generating diffs of component properties
- Creating diffs in machine readable and human readable formats
enrich- Use the Transparency Exchange API to find enrich sbom components with additional data.
- Interface with GUAC
merge- Merge fields from similar components in two or more SBOM documents
- Merge components and component dependencies from two or more SBOM documents
- Flatten multiple SBOM document component dependencies into a single SBOM document
redact- Redact fields by regular expressions or field name while keeping traceability to the original document
split- Split an SBOM dependency tree into multiple files based on purl type or component identifier
trim- Trim an SBOM dependency tree based on purl type or component identifier
- Your suggestions too!
We use Architecture Decision Records to track key decisions on the architecture and implementation details of bomctl. Decisions that are proposed but not finalized have the adr label.
- Kubernetes bom is a utility that lets you create, view and transform Software Bills of Materials (SBOMs). bom was created as part of the project to create an SBOM for the Kubernetes project. It enables software authors to generate an SBOM for their projects in a simple, yet powerful way.
- CycloneDX sbom-utility was designed to be an API platform to validate, analyze and edit Bills-of-Materials (BOMs). Initially, it was created to validate either CycloneDX or SPDX-formatted BOMs against official, versioned JSON schemas as published by their respective standards communities.
- Hoppr is a Python plugin-based framework for collecting, processing, and bundling your software supply chain.
- sbommerge merges two Software Bill of Materials (SBOMs) documents together. It supports SBOMs created in both SPDX and CycloneDX formats.
Container images for bomctl can be found here and are signed
using keyless signing with cosign.
You can then verify this container image with cosign.
cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/bomctl/bomctl/\.github/.+' bomctl/bomctl:latestbomctl releases can be found here and are signed
using keyless signing with cosign.
You can then verify this artifact with cosign.
cosign verify-blob --certificate ${artifact}-keyless.pem --signature ${artifact}-keyless.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/bomctl/bomctl/\.github/.+' ${artifact}If the result is Verified OK, the verification is successful.
You can also look up the entry in the public Rekor instance using a sha256 hash.
shasum -a 256 bomctl_SNAPSHOT-3f16bdb_checksums.txt |awk '{print $1}'The printed hash can be used to look up the entry at https://search.sigstore.dev/.
Copyright © bomctl a Series of LF Projects, LLC For web site terms of use, trademark policy and other project policies please see https://lfprojects.org.