Skip to content
/ obom Public
forked from notation-playground/obom

Tool to push SBOM as an OCI artifact

License

MIT license
0 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

yizha1/obom

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
cmd
cmd
 
 
examples
examples
 
 
internal
internal
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

SPDX to OCI Artiafact

This is a simple tool to convert a SPDX to a OCI Artifact and push the SPFX to a target registry with annotations.

Build

Run make to build the binary or use the following command to build the binary.

go build -ldflags "-s -w" -o obom main.go

Install

go get github.com/sajayantony/obom

Usage

View the SBOM to validate it.

$ obom show -f ./examples/SPDXJSONExample-v2.3.spdx.json
================================================================================
Document Name:         SPDX-Tools-v2.0
DataLicense:           CC0-1.0
Document Namespace:    http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
SPDX Version:          SPDX-2.3
Packages:              4
Files:                 5
Digest:                sha256:2de3741a7be1be5f5e54e837524f2ec627fedfb82307dc004ae03b195abc092f
================================================================================

Convert the SBOM to OCI Artifact

$ obom push -f ./examples/SPDXJSONExample-v2.3.spdx.json localhost:5001/spdx:example
================================================================================
Document Name:         SPDX-Tools-v2.0
DataLicense:           CC0-1.0
Document Namespace:    http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301
SPDX Version:          SPDX-2.3
Packages:              4
Files:                 5
Digest:                sha256:2de3741a7be1be5f5e54e837524f2ec627fedfb82307dc004ae03b195abc092f
================================================================================
Adding ./examples/SPDXJSONExample-v2.3.spdx.json: sha256:2de3741a7be1be5f5e54e837524f2ec627fedfb82307dc004ae03b195abc092f
Pushing localhost:5001/spdx:example sha256:07cc47f237cca9b699f2aba6d2684a20ece88268492e577194394030ca52e3de

View the OCI Artifact

$ oras manifest get localhost:5001/spdx/annotations:test --pretty
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "text/spdx",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2
  },
  "layers": [
    {
      "mediaType": "text/spdx",
      "digest": "sha256:2de3741a7be1be5f5e54e837524f2ec627fedfb82307dc004ae03b195abc092f",
      "size": 21342,
      "annotations": {
        "org.opencontainers.image.title": "./examples/SPDXJSONExample-v2.3.spdx.json"
      }
    }
  ],
  "annotations": {
    "org.opencontainers.image.created": "2023-05-10T19:43:14Z",
    "org.spdx.license": "CC0-1.0",
    "org.spdx.name": "SPDX-Tools-v2.0",
    "org.spdx.namespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
    "org.spdx.version": "SPDX-2.3"
  }
}

List packages

$ obom packages -f ./temp/manifest.spdx.json | head -5
pkg:nuget/Microsoft.Extensions.Configuration.Json@3.1.4
pkg:nuget/Microsoft.Extensions.FileProviders.Abstractions@3.1.4
pkg:nuget/Microsoft.Extensions.Configuration.Binder@3.1.4
pkg:nuget/Microsoft.Azure.Storage.Blob@11.1.2
pkg:nuget/Microsoft.Azure.Storage.File@11.1.2

About

Tool to push SBOM as an OCI artifact

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

v0.0.3 Latest
May 16, 2023
+ 2 releases

Packages

No packages published

Languages

  • Go 93.8%
  • Makefile 4.5%
  • Dockerfile 1.7%