# Generating an SBOM with the SPDX Software Bill of Materials (SBOM) Generator

https://github.com/opensbom-generator/spdx-sbom-generator

Reminder (2023/5/12): the maintainers state that this generator is still under development and not necessarily stable, so you may run into problems; if you do, go back to the project page and check the discussions.

## Types supported by spdx-sbom-generator

- GoMod (Go)
- Cargo (Rust)
- Composer (PHP)
- DotNet (.NET)
- Maven (Java)
- NPM (Node.js)
- Yarn (Node.js)
- PIP (Python)
- Pipenv (Python)
- Gems (Ruby)
- Swift Package Manager (Swift)

When scanning a DotNet project, the scan targets the `.sln` file.

## Command example

```
spdx-sbom-generator_from.exe -o ./SBOM -i
```

For the full usage text, use the `-h` flag:

```
Output Package Manager dependency on SPDX format

Usage:
  spdx-sbom-generator [flags]

Flags:
  -f, --format string          output file format (default: spdx) (default "spdx")
  -h, --help                   help for spdx-sbom-generator
  -i, --include-license-text   Include full license text (default: false)
  -o, --output-dir string      <output> directory to Write SPDX to file (default: current directory) (default ".")
  -p, --path string            the path to package file or the path to a directory which will be recursively analyzed for the package files (default '.') (default ".")
  -s, --schema string          <version> Target schema version (default: '2.2') (default "2.2")
```

## What SPDX generation looks like

Run `spdx-sbom-generator_from.exe -o ./SBOM -i` from the command line; the run looks like this:

```
PS C:\MyDotnetProjectName專案名稱> C:\MyDotnetProjectName專案名稱\spdx-sbom-generator_from.exe -o ./SBOM -i
INFO[2023-05-12T06:34:50+08:00] Starting to generate SPDX ...
INFO[2023-05-12T06:34:50+08:00] Running generator for Module Manager: `nuget` with output `SBOM\bom-nuget.spdx`
INFO[2023-05-12T06:34:50+08:00] Current Language Version 6.0.203
INFO[2023-05-12T06:34:50+08:00] trying to restore the packages: MyDotnetProjectName專案名稱.sln
INFO[2023-05-12T06:34:52+08:00] looking for the project modules using location: MyDotnetProjectName專案名稱.sln
INFO[2023-05-12T06:35:24+08:00] dependency tree completed for project(c): Bot Application1\Bot Application1.csproj
INFO[2023-05-12T06:35:40+08:00] dependency tree completed for project(c): EFModel\EFModel.csproj
INFO[2023-05-12T06:35:43+08:00] dependency tree completed for project(a): MyDotnetProjectName專案名稱\MyDotnetProjectName專案名稱.csproj
INFO[2023-05-12T06:36:07+08:00] dependency tree completed for project(c): MVCallEFModel\MVCallEFModel.csproj
INFO[2023-05-12T06:36:31+08:00] dependency tree completed for project(c): Mvc5HttpClientFactoryDemo-master\Mvc5HttpClientFactoryDemo\Mvc5HttpClientFactoryDemo.csproj
INFO[2023-05-12T06:36:32+08:00] dependency tree completed for project(c): UnitTestProject1\UnitTestProject1.csproj
INFO[2023-05-12T06:36:32+08:00] Command completed successful for below package managers
INFO[2023-05-12T06:36:32+08:00] Plugin nuget generated output at SBOM\bom-nuget.spdx
```

## Output

The output directory will contain a `bom-nuget.spdx` file, which can be opened in Notepad:

```
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: MyDotnetProjectName專案名稱
DocumentNamespace: http://spdx.org/spdxpackages/MyDotnetProjectName專案名稱-8cc37cd0-5de1-420c-b626-91c15d5baf51
Creator: Tool: spdx-sbom-generator-v0.0.10
Created: 2023-05-11T22:36:32Z

##### Package representing the MyDotnetProjectName專案名稱

PackageName: MyDotnetProjectName專案名稱
SPDXID: SPDXRef-Package-MyDotnetProjectName專案名稱
PackageVersion: 752eb38
PackageSupplier: Organization: MyDotnetProjectName專案名稱
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: 3f7393caa94541aa87ba3638e057afeb8cce35863f64c62d31c48ed0dad7d7ce
PackageHomePage: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-MyDotnetProjectName專案名稱

##### Package representing the Autofac

PackageName: Autofac
SPDXID: SPDXRef-Package-Autofac-3.5.2
PackageVersion: 3.5.2
PackageSupplier: Organization: Autofac Contributors
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: http://autofac.org
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION

##### Package representing the Chronic.Signed

PackageName: Chronic.Signed
SPDXID: SPDXRef-Package-Chronic.Signed-0.3.2
PackageVersion: 0.3.2
PackageSupplier: Organization: Robert Wilczynski
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: https://github.com/robertwilczynski/nChronic
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION

##### Package representing the LineBotSDK

PackageName: LineBotSDK
SPDXID: SPDXRef-Package-LineBotSDK-0.7.3
PackageVersion: 0.7.3
PackageSupplier: Organization: David Tung
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION

##### Package representing the Microsoft.AspNet.WebApi

PackageName: Microsoft.AspNet.WebApi
SPDXID: SPDXRef-Package-Microsoft.AspNet.WebApi-5.2.3
PackageVersion: 5.2.3
PackageSupplier: Organization: Microsoft
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: http://www.asp.net/web-api
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION

##### Package representing the Microsoft.AspNet.WebApi.Client

PackageName: Microsoft.AspNet.WebApi.Client
SPDXID: SPDXRef-Package-Microsoft.AspNet.WebApi.Client-5.2.3
PackageVersion: 5.2.3
PackageSupplier: Organization: Microsoft
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: http://www.asp.net/web-api
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
```

###### tags: `資安`
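Before an SBOM like the one above is handed to a vulnerability scanner or a customer, it is worth checking what it actually asserts. Every dependency in the generated file carries the same SHA-256 value, `e3b0c442...b855`, which is the SHA-256 of zero bytes (the generator did not hash any artifact), every license field is `NOASSERTION`, and every download location is the same repository URL. The following Python script is an added example, not part of the original note or of the spdx-sbom-generator project: it parses the SPDX 2.2 tag-value format into one record per package and reports entries that need manual follow-up. The `SAMPLE_SPDX` text is a constructed excerpt modelled on the output shown above (package names, hashes and URLs other than the empty-input hash are made up).

```python
"""Parse an SPDX 2.2 tag-value SBOM and flag entries that need follow-up.

Added example; not code from the page's author or from spdx-sbom-generator.
"""
import hashlib
import re
from collections import Counter
from typing import Dict, List, Optional

# SHA-256 of zero bytes. A package "checksum" equal to this means no artifact was hashed.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed sample excerpt modelled on the generator's output (not the page's real file).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: ExampleProject
Creator: Tool: spdx-sbom-generator-v0.0.10
##### Package representing the ExampleProject
PackageName: ExampleProject
SPDXID: SPDXRef-Package-ExampleProject
PackageVersion: 752eb38
PackageDownloadLocation: git+https://example.invalid/git/
FilesAnalyzed: false
PackageChecksum: SHA256: 1111111111111111111111111111111111111111111111111111111111111111
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-ExampleProject
##### Package representing the Autofac
PackageName: Autofac
SPDXID: SPDXRef-Package-Autofac-3.5.2
PackageVersion: 3.5.2
PackageDownloadLocation: git+https://example.invalid/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
##### Package representing the ExampleLib
PackageName: ExampleLib
SPDXID: SPDXRef-Package-ExampleLib-1.0.0
PackageVersion: 1.0.0
PackageDownloadLocation: https://example.invalid/packages/examplelib.1.0.0.nupkg
FilesAnalyzed: false
PackageChecksum: SHA256: 2222222222222222222222222222222222222222222222222222222222222222
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
"""

# One "Tag: value" pair per line; lines starting with '#' are comments in tag-value SPDX.
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_spdx_tag_value(text: str) -> List[Dict[str, str]]:
    """Return one dict per package. A new package record starts at each PackageName tag;
    document-level tags before the first PackageName are ignored."""
    packages: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = TAG_RE.match(line)
        if not match:
            continue
        tag, value = match.group(1), match.group(2).strip()
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif current is not None:
            if tag == "PackageChecksum":
                # Value looks like "SHA256: <hex>"; key it by algorithm.
                algo, _, digest = value.partition(":")
                current["Checksum-" + algo.strip()] = digest.strip().lower()
            else:
                current[tag] = value
    return packages


def audit_packages(packages: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map 'name@version' to the reasons a package needs manual review."""
    findings: Dict[str, List[str]] = {}
    locations = Counter(p.get("PackageDownloadLocation", "") for p in packages)
    for pkg in packages:
        name = f"{pkg['PackageName']}@{pkg.get('PackageVersion', '?')}"
        reasons: List[str] = []
        digest = pkg.get("Checksum-SHA256")
        if digest is None:
            reasons.append("no SHA256 checksum recorded")
        elif digest == EMPTY_SHA256:
            reasons.append("checksum is SHA-256 of empty input; artifact was never hashed")
        for tag in ("PackageLicenseConcluded", "PackageLicenseDeclared"):
            if pkg.get(tag, "NOASSERTION") == "NOASSERTION":
                reasons.append(f"{tag} is NOASSERTION")
        loc = pkg.get("PackageDownloadLocation", "")
        if locations[loc] > 1:
            reasons.append("download location is shared with other packages (likely a placeholder)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg_name, why in audit_packages(parse_spdx_tag_value(SAMPLE_SPDX)).items():
        print(pkg_name)
        for reason in why:
            print("  -", reason)
```

Running the script lists `ExampleProject@752eb38` and `Autofac@3.5.2` with their reasons and stays silent about `ExampleLib@1.0.0`, whose record carries a distinct hash, a concrete download URL and a declared license. Pointing `parse_spdx_tag_value` at the real `bom-nuget.spdx` gives the same kind of report for a generated file.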