sbom-tool: download and usage walkthrough

GitHub repository

GitHub - microsoft/sbom-tool: The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.

Introduction

The SBOM tool is a highly scalable, enterprise-ready tool for creating SPDX 2.2-compatible SBOMs for any variety of artifacts.

Download and installation

Since my environment is Ubuntu, I chose the Linux download. The commands are:

curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
chmod +x sbom-tool

Note: the command downloads into the current directory, so change to the intended target directory before running it.
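The curl line above saves whatever the server returns, so a failed download can leave a non-executable error page named sbom-tool in the directory. The following added example (my code, not part of the original post or the sbom-tool project) fetches the same release asset into a directory of your choice, refuses to install anything that does not start with the ELF magic bytes, and sets the execute bit; the release URL is the one from the post, the helper names are mine.

```python
"""Fetch the sbom-tool Linux binary into a chosen directory and refuse to
install anything that is not an ELF executable.

Added example, not part of the original post or the sbom-tool project.
The release URL is the one from the post; the helper names are mine."""
import os
import stat
import urllib.request
from pathlib import Path

RELEASE_URL = "https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64"
ELF_MAGIC = b"\x7fELF"


def is_elf(data: bytes) -> bool:
    """True if the bytes start with the ELF magic. An HTML error page or an
    empty body from a broken redirect fails this check."""
    return data[:4] == ELF_MAGIC


def install_from_bytes(data: bytes, dest: Path) -> Path:
    """Write the binary to dest and mark it executable for the owner only."""
    if not is_elf(data):
        raise ValueError("downloaded content is not an ELF binary; refusing to install")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    # Equivalent of chmod +x, restricted to the owner (mode 0700).
    dest.chmod(stat.S_IRWXU)
    return dest


def download_sbom_tool(dest_dir: str, url: str = RELEASE_URL) -> Path:
    """Download the release asset. urlopen follows redirects and raises
    HTTPError on a 4xx/5xx status instead of saving the error body, which
    is what curl does when run without -f."""
    with urllib.request.urlopen(url) as resp:
        data = resp.read()
    return install_from_bytes(data, Path(dest_dir) / "sbom-tool")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.local/bin")
    print("installed", download_sbom_tool(target))
```

Run it with the target directory as the only argument (it defaults to ~/.local/bin); if the directory is already on PATH the tool can then be invoked as sbom-tool from anywhere.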

Running the tool

Viewing the help

Run the tool with the -h flag to see the usage, as shown below:

$ ./sbom-tool -h

The Sbom tool generates a SBOM for any build artifact.

Usage - Microsoft.Sbom.Tool <action> -options

GlobalOption    Description
Help (-?, -h)   Prints this help message

Actions

  Validate -options - Validate a build artifact using the manifest. Optionally also verify the signing certificate of the manfiest.

    Option                   Description
    BuildDropPath (-b)       The root folder of the drop directory to validate.
    ManifestDirPath (-m)     The path of the directory where the manifest will be validated. If this parameter is not specified, the manifest will be validated in {BuildDropPath}/_manifest directory.
    OutputPath (-o)          The path where the output json should be written.
    CatalogFilePath (-C)     The path of signed catalog file that is used to verify the signature of the manifest json file.
    ValidateSignature (-s)   If set, will validate the manifest using the signed catalog file.
    IgnoreMissing (-im)      If set, will not fail validation on the files presented in Manifest but missing on the disk.
    RootPathFilter (-r)      If you're downloading only a part of the drop using the '-r' or 'root' parameter in the drop client, specify the same string value here in order to skip validating paths that
                             are not downloaded.
    HashAlgorithm (-Ha)      The Hash algorithm to use while verifying or generating the hash value of a file
    Verbosity (-V)           Display this amount of detail in the logging output.
                             Verbose
                             Debug
                             Information
                             Warning
                             Error
                             Fatal
    Parallelism (-P)         The number of parallel threads to use for the workflows.
    ConfigFilePath (-Co)     The json file that contains the configuration for the DropValidator.
    TelemetryFilePath (-t)   Specify a file where we should write detailed telemetry for the workflow.
    FollowSymlinks (-F)      If set to false, we will not follow symlinks while traversing the build drop folder. Default is set to 'true'.
    ManifestInfo (-mi)       A list of the name and version of the manifest format that we are using.

  Generate -options - Generate a SBOM for all the files in the given build drop folder, and the packages in the components path.

    Option                                    Description
    BuildDropPath (-b)                        The root folder of the drop directory for which the SBOM file will be generated.
    BuildComponentPath (-bc)                  The folder containing the build components and packages.
    BuildListFile (-bl)                       The file path to a file containing a list of files one file per line for which the SBOM file will be generated. Only files listed in the file will be
                                              inlcuded in the generated SBOM.
    ManifestDirPath (-m)                      The path of the directory where the generated SBOM files will be placed. A folder named '_manifest' will be created at this location, where all generated
                                              SBOMs will be placed. If this parameter is not specified, the files will be placed in {BuildDropPath}/_manifest directory.
    PackageName (-pn)                         The name of the package this SBOM represents. If this is not provided, we will try to infer this name from the build that generated this package, if that
                                              also fails, the SBOM generation fails.
    PackageVersion (-pv)                      The version of the package this SBOM represents. If this is not provided, we will try to infer the version from the build that generated this package, if
                                              that also fails, the SBOM generation fails.
    DockerImagesToScan (-di)                  Comma separated list of docker image names or hashes to be scanned for packages, ex: ubuntu:16.04, 56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298
                                              369ab.
    AdditionalComponentDetectorArgs (-cd)     Additional set of arguments for Component Detector.  An appropriate usage of this would be a space-delimited list of `--key value` pairs, respresenting
                                              command-line switches.
    ExternalDocumentReferenceListFile (-er)   The path to a file containing a list of external SBOMs that will be included as external document reference in the output SBOM. SPDX 2.2 is the only
                                              supported format for now.
    NamespaceUriUniquePart (-nsu)             A unique valid URI part that will be appended to the SPDX SBOM namespace URI. This value should be globally unique.
    NamespaceUriBase (-nsb)                   The base path of the SBOM namespace URI.
    GenerationTimestamp (-gt)                 A timestamp in the format 'yyyy-MM-ddTHH:mm:ssZ' that will be used as the generated timestamp for the SBOM.
    DeleteManifestDirIfPresent (-D)           If set to true, we will delete any previous manifest directories that are already present in the ManifestDirPath without asking the user for confirmation.
                                              The new manifest directory will then be created at this location and the generated SBOM will be stored there.
    Verbosity (-V)                            Display this amount of detail in the logging output.
                                              Verbose
                                              Debug
                                              Information
                                              Warning
                                              Error
                                              Fatal
    Parallelism (-P)                          The number of parallel threads to use for the workflows.
    ConfigFilePath (-C)                       The json file that contains the configuration for the DropValidator.
    TelemetryFilePath (-t)                    Specify a file where we should write detailed telemetry for the workflow.
    FollowSymlinks (-F)                       If set to false, we will not follow symlinks while traversing the build drop folder. Default is set to 'true'.
    ManifestInfo (-mi)                        A list of the name and version of the manifest format that we are using.

Generating an SBOM

Run the following command to generate an SBOM for a folder:

generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -nsb <namespace uri base>

The actual command and its output are as follows:

$ ./sbom-tool generate -b ./dst_dir/ -bc ./glibc-2.36/ -pn glibc -pv 1.0 -nsb http://ftp.gnu.org/pub/gnu/glibc/

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

[INFO] Log file: /tmp/GovCompDisc_Log_20220819151906.log 
[INFO] Run correlation id: 58189840-a22b-4447-a735-da59e3eab41e 

[INFO] Attempting to load default detectors 
[INFO] 19 detectors were found in Microsoft.ComponentDetection.Detectors
 
[WARN] Provided search path /var/tmp/.net/ph/sbom-tool/gudhhs1u.p03/Plugins does not exist. 


[INFO] Finding components... 
[INFO] Starting enumeration of /home/ph/dingdao/glibc-2.36/ 
[INFO] No instructions received to scan docker images. 
[INFO] Enumerated 19221 files and 716 directories in 00:00:00.9775240 
[INFO]  
[INFO] _______________________________________________________________________________________________________________________________________ 
[INFO] |Component Detector Id         |Detection Time                |# Components Found            |# Explicitly Referenced                 | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |CocoaPods                     |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Go                            |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Gradle                        |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Ivy (Beta)                    |0.048 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Linux                         |0.031 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |MvnCli                        |0.048 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Npm                           |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |NpmWithRoots                  |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |NuGet                         |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |NuGetProjectCentric           |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Pip                           |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Pnpm                          |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Ruby                          |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |RustCrateDetector             |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |RustCrateV2Detector           |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |SPDX22SBOM                    |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Yarn                          |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Total                         |1 seconds                     |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO]  

[INFO] Detection time: 1.0169676 seconds. 
[INFO] Scan Manifest file: /tmp/ScanManifest_20220819151906.json 
No usable version of libssl was found
已放弃 (核心已转储)
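This run got as far as component detection and then aborted, so no manifest was written. The following added example (my code, not part of the original post or the sbom-tool project) wraps the same generate invocation and then sanity-checks the manifest the tool writes: the SPDX version, a document namespace derived from the -nsb base, a SHA256 checksum on every file entry, and at least one package (the verbose run further down reports "Wrote 0 package elements", which this check would flag). It assumes the tool's default output path <drop>/_manifest/spdx_2.2/manifest.spdx.json; the embedded manifest is a constructed sample so the check can run offline, and the helper names are mine.

```python
"""Run `sbom-tool generate` with the options used above, then sanity-check
the SPDX 2.2 JSON manifest it writes.

Added example, not part of the original post or the sbom-tool project.
Assumes the tool's default output layout
<drop>/_manifest/spdx_2.2/manifest.spdx.json; the helper names are mine."""
import json
import subprocess
from pathlib import Path


def generate_sbom(tool: str, drop: str, components: str, name: str,
                  version: str, ns_base: str) -> Path:
    """Invoke the tool with the same options as the post. A non-zero exit
    (such as the libssl abort above) raises CalledProcessError instead of
    being silently ignored."""
    subprocess.run([tool, "generate", "-b", drop, "-bc", components,
                    "-pn", name, "-pv", version, "-nsb", ns_base],
                   check=True)
    return Path(drop) / "_manifest" / "spdx_2.2" / "manifest.spdx.json"


def check_manifest(doc: dict, ns_base: str) -> list:
    """Return the problems found in a parsed SPDX 2.2 JSON document;
    an empty list means all checks passed."""
    problems = []
    if doc.get("spdxVersion") != "SPDX-2.2":
        problems.append(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    if not str(doc.get("documentNamespace", "")).startswith(ns_base):
        problems.append("documentNamespace does not start with the -nsb base")
    for f in doc.get("files", []):
        algos = {c.get("algorithm") for c in f.get("checksums", [])}
        if "SHA256" not in algos:
            problems.append(f"{f.get('fileName')}: no SHA256 checksum")
    if not doc.get("packages"):
        problems.append("no packages recorded (was -bc pointed at the components dir?)")
    return problems


# Constructed sample shaped like an SPDX 2.2 JSON document, for offline use.
# The namespace and checksum values are placeholders, not real tool output.
SAMPLE_MANIFEST = {
    "spdxVersion": "SPDX-2.2",
    "name": "glibc 1.0",
    "documentNamespace": "http://ftp.gnu.org/pub/gnu/glibc/glibc/1.0/EXAMPLE-UNIQUE-PART",
    "files": [
        {"fileName": "./lib/libc.so.6",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"fileName": "./lib/ld-linux-x86-64.so.2",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "00" * 20}]},
    ],
    "packages": [{"name": "glibc", "versionInfo": "1.0"}],
}


if __name__ == "__main__":
    ns = "http://ftp.gnu.org/pub/gnu/glibc/"
    path = generate_sbom("./sbom-tool", "./dst_dir/", "./glibc-2.36/", "glibc", "1.0", ns)
    for problem in check_manifest(json.loads(path.read_text()), ns):
        print("problem:", problem)
```

The checks are deliberately consumer-side: a downstream party comparing files against the SBOM needs a SHA256 per file and a stable namespace, and an SBOM with zero packages usually means the components path was wrong rather than that the artifact has no dependencies.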

To see the process in more detail, run with -V Verbose; the command and its output are as follows:

$ ./sbom-tool generate -b ./dst_dir/ -bc ./evtest_1.35.orig/ -pn glibc -pv 1.0 -nsb https://launchpad.net/ubuntu/+source/evtest/1:1.35-1 -V Verbose
##[debug]Starting SBOM generation workflow.
##[debug]Using the CGScannedExternalDocumentReferenceFileProvider provider for the files workflow.
##[debug]Scanning for packages under the root path ./evtest_1.35.orig/.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

[INFO] Log file: /tmp/GovCompDisc_Log_20220819153154.log 
[INFO] Run correlation id: 97ab0cf4-e985-4b8f-aee8-8a1cd632f8b6 

[INFO] Attempting to load default detectors 
[INFO] 19 detectors were found in Microsoft.ComponentDetection.Detectors
 
[WARN] Provided search path /var/tmp/.net/ph/sbom-tool/gudhhs1u.p03/Plugins does not exist. 
[VERBOSE] Finished applying restrictions to detectors. 


[INFO] Finding components... 
[VERBOSE] shrinkwrap.yaml:pnpm-lock.yaml 
[VERBOSE] Cargo.lock 
[VERBOSE] Gemfile.lock 
[VERBOSE] Cargo.lock 
[VERBOSE] yarn.lock 
[VERBOSE] *.spdx.json 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Pnpm.PnpmComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Ruby.RubyComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Yarn.YarnLockComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Spdx.Spdx22ComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Rust.RustCrateV2Detector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Rust.RustCrateDetector 
[VERBOSE] project.assets.json 
[VERBOSE] setup.py:requirements.txt 
[VERBOSE] package.json 
[VERBOSE] *.nupkg:*.nuspec:nuget.config 
[VERBOSE] Podfile.lock 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.NuGet.NuGetProjectModelProjectCentricComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Pip.PipComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Npm.NpmComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.NuGet.NuGetComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.CocoaPods.PodComponentDetector 
[VERBOSE] package-lock.json:npm-shrinkwrap.json:lerna.json 
[VERBOSE] go.mod:go.sum 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Npm.NpmComponentDetectorWithRoots 
[VERBOSE] pom.xml 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Go.GoComponentDetector 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Maven.MvnCliComponentDetector 
[VERBOSE] *.lockfile 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Gradle.GradleComponentDetector 
[INFO] Starting enumeration of /home/ph/dingdao/evtest_1.35.orig/ 
[INFO] No instructions received to scan docker images. 
[VERBOSE] ivy.xml 
[VERBOSE] Registered Microsoft.ComponentDetection.Detectors.Ivy.IvyDetector 
[VERBOSE] Skipping Ivy detection as ant is not available in the local PATH. 
[VERBOSE] Skipping maven detection as maven is not available in the local PATH. 
[INFO] Enumerated 8 files and 0 directories in 00:00:00.0159805 
[INFO]  
[INFO] _______________________________________________________________________________________________________________________________________ 
[INFO] |Component Detector Id         |Detection Time                |# Components Found            |# Explicitly Referenced                 | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |CocoaPods                     |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Go                            |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Gradle                        |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Ivy (Beta)                    |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Linux                         |0.031 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |MvnCli                        |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Npm                           |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |NpmWithRoots                  |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |NuGet                         |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |NuGetProjectCentric           |0.046 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Pip                           |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Pnpm                          |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Ruby                          |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |RustCrateDetector             |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |RustCrateV2Detector           |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |SPDX22SBOM                    |0.044 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Yarn                          |0.045 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO] |Total                         |0.055 seconds                 |0                             |0                                       | 
[INFO] |______________________________|______________________________|______________________________|________________________________________| 
[INFO]  

[INFO] Detection time: 0.0547157 seconds. 
[INFO] Scan Manifest file: /tmp/ScanManifest_20220819153154.json 
##[debug]Using the DirectoryTraversingFileToJsonProvider provider for the files workflow.
##[debug]Enumerating files under the root path ./dst_dir/.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the CGScannedPackagesProvider provider for the packages workflow.
##[debug]Scanning for packages under the root path ./evtest_1.35.orig/.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using cached CD scan result for the call with the same arguments
##[debug]Wrote 0 package elements in the SBOM.
##[debug]Found value for header PackageName in internal metadata.
##[debug]Found value for header PackageVersion in internal metadata.
No usable version of libssl was found
已放弃 (核心已转储)
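Both runs end the same way: "No usable version of libssl was found" is printed by the OpenSSL shim of the .NET runtime bundled into the sbom-tool binary when it cannot load a libssl shared library it supports, and the process is then aborted ("已放弃 (核心已转储)" is the Chinese-locale rendering of "Aborted (core dumped)"). The following added example (my code, not part of the original post or the sbom-tool project) is a pre-flight check that lists the libssl libraries the dynamic loader knows about, so the gap is visible before the tool is run; the embedded ldconfig output is a constructed sample for offline use, and the helper names are mine.

```python
"""Pre-flight check for the libssl abort seen at the end of both runs.

Lists the libssl shared libraries registered with the dynamic loader
(`ldconfig -p`) and what ctypes resolves "ssl" to, so a missing or
unsupported libssl can be spotted before running sbom-tool.

Added example, not part of the original post or the sbom-tool project;
the helper names are mine."""
import re
import subprocess
from ctypes.util import find_library

# Matches cache lines such as:
#   libssl.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libssl.so.3
LIBSSL_RE = re.compile(r"^\s*(libssl\.so(?:\.[0-9.]+)?)\s.*=>\s*(\S+)")


def parse_ldconfig(output: str) -> dict:
    """Map each libssl soname found in `ldconfig -p` output to its path."""
    found = {}
    for line in output.splitlines():
        m = LIBSSL_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def libssl_report(found: dict) -> str:
    """One-line human-readable summary of the parsed result."""
    if not found:
        return "no libssl shared library is registered with the dynamic loader"
    return "libssl libraries available: " + ", ".join(sorted(found))


def check_host() -> str:
    """Run ldconfig on this host and describe what was found."""
    out = subprocess.run(["ldconfig", "-p"], capture_output=True, text=True).stdout
    via_ctypes = find_library("ssl")  # None when the loader finds nothing
    return libssl_report(parse_ldconfig(out)) + f"; ctypes resolves 'ssl' to {via_ctypes}"


# Constructed sample of `ldconfig -p` output in the Ubuntu layout, for offline use.
SAMPLE_LDCONFIG = """\
\t123 libs found in cache `/etc/ld.so.cache'
\tlibssl.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libssl.so.3
\tlibssl.so.1.1 (libc6,x86-64) => /lib/x86_64-linux-gnu/libssl.so.1.1
\tlibssh.so.4 (libc6,x86-64) => /lib/x86_64-linux-gnu/libssh.so.4
\tlibc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6
"""


if __name__ == "__main__":
    print(check_host())
```

If the report shows no libssl at all, or only versions the bundled runtime does not accept, installing a libssl package the runtime supports resolves the abort; the exact version depends on which .NET runtime the downloaded sbom-tool release carries, so check the release notes for that build rather than guessing.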

Author: 蓝天居士
