# Generating an SBOM with the SPDX Software Bill of Materials (SBOM) Generator
https://github.com/opensbom-generator/spdx-sbom-generator
Note: as of 2023/5/12 the project itself says the generator is still under development and not necessarily stable, so you may run into problems; if you do, check the discussions on the project's site.
## Project types supported by spdx-sbom-generator
- GoMod (Go)
- Cargo (Rust)
- Composer (PHP)
- DotNet (.NET)
- Maven (Java)
- NPM (Node.js)
- Yarn (Node.js)
- PIP (Python)
- Pipenv (Python)
- Gems (Ruby)
- Swift Package Manager (Swift)

For .NET projects, the scan is run against the `.sln` file.
## Example command
```
spdx-sbom-generator_from.exe -o ./SBOM -i
```
Use the `-h` flag to see the full help text:
```
Output Package Manager dependency on SPDX format
Usage:
spdx-sbom-generator [flags]
Flags:
-f, --format string output file format (default: spdx) (default "spdx")
-h, --help help for spdx-sbom-generator
-i, --include-license-text Include full license text (default: false)
-o, --output-dir string <output> directory to Write SPDX to file (default: current directory) (default ".")
-p, --path string the path to package file or the path to a directory which will be recursively analyzed for the package files (default '.') (default ".")
-s, --schema string <version> Target schema version (default: '2.2') (default "2.2")
```
## What SPDX generation looks like
Run `spdx-sbom-generator_from.exe -o ./SBOM -i` in a command prompt; the run looks like this:
```
PS C:\MyDotnetProjectName專案名稱> C:\MyDotnetProjectName專案名稱\spdx-sbom-generator_from.exe -o ./SBOM -i
INFO[2023-05-12T06:34:50+08:00] Starting to generate SPDX ...
INFO[2023-05-12T06:34:50+08:00] Running generator for Module Manager: `nuget` with output `SBOM\bom-nuget.spdx`
INFO[2023-05-12T06:34:50+08:00] Current Language Version 6.0.203
INFO[2023-05-12T06:34:50+08:00] trying to restore the packages: MyDotnetProjectName專案名稱.sln
INFO[2023-05-12T06:34:52+08:00] looking for the project modules using location: MyDotnetProjectName專案名稱.sln
INFO[2023-05-12T06:35:24+08:00] dependency tree completed for project(c): Bot Application1\Bot Application1.csproj
INFO[2023-05-12T06:35:40+08:00] dependency tree completed for project(c): EFModel\EFModel.csproj
INFO[2023-05-12T06:35:43+08:00] dependency tree completed for project(a): MyDotnetProjectName專案名稱\MyDotnetProjectName專案名稱.csproj
INFO[2023-05-12T06:36:07+08:00] dependency tree completed for project(c): MVCallEFModel\MVCallEFModel.csproj
INFO[2023-05-12T06:36:31+08:00] dependency tree completed for project(c): Mvc5HttpClientFactoryDemo-master\Mvc5HttpClientFactoryDemo\Mvc5HttpClientFactoryDemo.csproj
INFO[2023-05-12T06:36:32+08:00] dependency tree completed for project(c): UnitTestProject1\UnitTestProject1.csproj
INFO[2023-05-12T06:36:32+08:00] Command completed successful for below package managers
INFO[2023-05-12T06:36:32+08:00] Plugin nuget generated output at SBOM\bom-nuget.spdx
```
## Output
The output directory will contain a file named bom-nuget.spdx, which can be opened in Notepad:
```
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: MyDotnetProjectName專案名稱
DocumentNamespace: http://spdx.org/spdxpackages/MyDotnetProjectName專案名稱-8cc37cd0-5de1-420c-b626-91c15d5baf51
Creator: Tool: spdx-sbom-generator-v0.0.10
Created: 2023-05-11T22:36:32Z
##### Package representing the MyDotnetProjectName專案名稱
PackageName: MyDotnetProjectName專案名稱
SPDXID: SPDXRef-Package-MyDotnetProjectName專案名稱
PackageVersion: 752eb38
PackageSupplier: Organization: MyDotnetProjectName專案名稱
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: 3f7393caa94541aa87ba3638e057afeb8cce35863f64c62d31c48ed0dad7d7ce
PackageHomePage: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-MyDotnetProjectName專案名稱
##### Package representing the Autofac
PackageName: Autofac
SPDXID: SPDXRef-Package-Autofac-3.5.2
PackageVersion: 3.5.2
PackageSupplier: Organization: Autofac Contributors
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: http://autofac.org
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
##### Package representing the Chronic.Signed
PackageName: Chronic.Signed
SPDXID: SPDXRef-Package-Chronic.Signed-0.3.2
PackageVersion: 0.3.2
PackageSupplier: Organization: Robert Wilczynski
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: https://github.com/robertwilczynski/nChronic
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
##### Package representing the LineBotSDK
PackageName: LineBotSDK
SPDXID: SPDXRef-Package-LineBotSDK-0.7.3
PackageVersion: 0.7.3
PackageSupplier: Organization: David Tung
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
##### Package representing the Microsoft.AspNet.WebApi
PackageName: Microsoft.AspNet.WebApi
SPDXID: SPDXRef-Package-Microsoft.AspNet.WebApi-5.2.3
PackageVersion: 5.2.3
PackageSupplier: Organization: Microsoft
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: http://www.asp.net/web-api
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
##### Package representing the Microsoft.AspNet.WebApi.Client
PackageName: Microsoft.AspNet.WebApi.Client
SPDXID: SPDXRef-Package-Microsoft.AspNet.WebApi.Client-5.2.3
PackageVersion: 5.2.3
PackageSupplier: Organization: Microsoft
PackageDownloadLocation: git+https://www.Company.com/git/
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: http://www.asp.net/web-api
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
```
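As an added example (not part of the original page or the generator's own code), here is a small Python audit of the tag-value output above: it parses each package block and flags two things a reviewer should resolve before trusting the SBOM, a `PackageLicenseConcluded` of `NOASSERTION` and a `PackageChecksum` equal to the SHA-256 of empty input (`e3b0c442...`, which several packages above carry and which therefore records no real content hash). The embedded sample is a constructed, trimmed version of the page's bom-nuget.spdx with the `MyProject` name and values chosen for illustration.

```python
import hashlib

# Constructed sample in the SPDX 2.2 tag-value layout the generator emits (trimmed, not the real file).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
##### Package representing the MyProject
PackageName: MyProject
SPDXID: SPDXRef-Package-MyProject
PackageChecksum: SHA256: 3f7393caa94541aa87ba3638e057afeb8cce35863f64c62d31c48ed0dad7d7ce
PackageLicenseConcluded: NOASSERTION
##### Package representing the Autofac
PackageName: Autofac
SPDXID: SPDXRef-Package-Autofac-3.5.2
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageLicenseConcluded: NOASSERTION
"""

# SHA-256 of zero bytes: a package "checksum" equal to this was computed over no content at all.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def parse_packages(text):
    """Return one dict per PackageName block from SPDX tag-value text; '#' comment lines are skipped."""
    packages, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"PackageName": value}  # a new package block starts here
            packages.append(current)
        elif current is not None:
            current[tag] = value  # document-level tags before the first package are ignored

    return packages

def audit(text):
    """Map package name -> list of findings that make the SBOM entry unreliable."""
    findings = {}
    for pkg in parse_packages(text):
        issues = []
        algo, _, digest = pkg.get("PackageChecksum", "").partition(":")
        if algo.strip() == "SHA256" and digest.strip().lower() == EMPTY_SHA256:
            issues.append("checksum is SHA-256 of empty input")
        if pkg.get("PackageLicenseConcluded", "NOASSERTION") == "NOASSERTION":
            issues.append("license not asserted")
        if issues:
            findings[pkg["PackageName"]] = issues
    return findings
```

Running `audit(SAMPLE_SPDX)` reports only the license gap for `MyProject` but both the empty-input checksum and the license gap for `Autofac`.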
###### tags: `information security`