Metadata-Version: 2.1
Name: sbom4python
Version: 0.4.0
Summary: SBOM generator for Python modules
Home-page: https://github.com/anthonyharrison/sbom4python
Author: Anthony Harrison
Author-email: anthony.p.harrison@gmail.com
Maintainer: Anthony Harrison
Maintainer-email: anthony.p.harrison@gmail.com
License: Apache_2.0
Keywords: security,tools,SBOM,DevSecOps,SPDX,CycloneDX
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Requires-Python: >=3.7
Description-Content-Type: text/markdown
License-File: LICENSE

# SBOM4Python

The SBOM4Python is a free, open source tool to generate a
SBOM (Software Bill of Materials) for an installed Python module in a number of formats including
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).
It identifies all of the dependent components which are
explicity defined (typically via requirements.txt file) or implicitly as a
hidden dependency.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained
and also to support subsequent audit needs to determine if a particular component (and version) has been used.

## Installation

To install use the following command:

`pip install sbom4python`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.

## Usage

```
usage: sbom4python [-h] [-m MODULE] [--exclude-license] [-d]
                   [--sbom {spdx,cyclonedx}] [--format {tag,json}]
                   [-o OUTPUT_FILE] [-g GRAPH] [-V]
```

```
optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -m MODULE, --module MODULE
                        identity of python module
  --exclude-license     suppress detecting the license of components

Output:
  -d, --debug           add debug information
  --sbom {spdx,cyclonedx}
                        specify type of software bill of materials (sbom) to
                        generate (default: spdx)
  --format {tag,json,xml}
                        specify format of software bill of materials (sbom) (default: tag)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
  -g GRAPH, --graph GRAPH
                        filename for dependency graph
```
						
## Operation

The `--module` option is used to identify the Python module.

The `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option
can be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both
SPDX and CycloneDX SBOMs) and XML format is supported for CycloneDX SBOMs.

The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).

The tool attempts to determine the license of each module. This can be suppressed using the `--exclude-license` option in
which case all licences are reported as 'NOASSERTION'.

The `--graph` option is used to generate a dependency graph of the components within the SBOM. The format of the graph
file is compatible with the [DOT language](https://graphviz.org/doc/info/lang.html) used by the
[GraphViz](https://graphviz.org/) application.

## Licence

Licenced under the Apache 2.0 Licence.

The tool uses a local copy of the [SPDX Licenses List](https://github.com/spdx/license-list-data) which is released under
[Creative Commons Attribution 3.0 (CC-BY-3.0)](http://creativecommons.org/licenses/by/3.0/).

## Limitations

This tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data
which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool
are therefore reminded that they should assert the quality of any data which is provided to the tool.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.
