#!/usr/bin/env python3
"""Generate an SPDX 2.3 SBOM for the how project."""
import json
import uuid
from datetime import datetime, timezone
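def build_sbom(
    *,
    created: "str | None" = None,
    document_uuid: "uuid.UUID | str | None" = None,
) -> dict:
    """Build the SPDX 2.3 document describing ``how`` and its dependencies.

    Args:
        created: Creation timestamp in the SPDX form ``YYYY-MM-DDThh:mm:ssZ``.
            Defaults to the current UTC time.
        document_uuid: Value that makes ``documentNamespace`` unique; defaults
            to a fresh ``uuid4()``. Both keyword arguments exist so a build can
            emit a byte-for-byte reproducible document when it needs one.

    Returns:
        The SBOM as a JSON-serialisable dict.
    """
    if created is None:
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if document_uuid is None:
        document_uuid = uuid.uuid4()

    # NOTE(review): no "checksums" entries are recorded for the pinned
    # tarballs below, so this document identifies the dependencies but does
    # not integrity-bind them. If the build fetches them by digest, add a
    # "checksums": [{"algorithm": "SHA256", "checksumValue": "<digest>"}]
    # entry per package from that source.
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "how",
        "documentNamespace": f"https://github.com/matlimatli/how/spdx/{document_uuid}",
        "creationInfo": {
            "created": created,
            "creators": ["Tool: scripts/generate-sbom.py"],
            "licenseListVersion": "3.25",
        },
        "packages": [
            {
                "SPDXID": "SPDXRef-Package-how",
                "name": "how",
                "versionInfo": "1.0.0",
                "supplier": "Person: Mattias Lindblad",
                "downloadLocation": "https://github.com/matlimatli/how",
                "filesAnalyzed": False,
                "licenseConcluded": "MIT",
                "licenseDeclared": "MIT",
                "copyrightText": "Copyright (c) 2026 Mattias Lindblad",
                "primaryPackagePurpose": "APPLICATION",
            },
            {
                "SPDXID": "SPDXRef-Package-libcurl",
                "name": "libcurl",
                # Resolved from the host at build time, so no fixed version
                # (or checksum) can be asserted here.
                "versionInfo": "system",
                "supplier": "Organization: curl project",
                "downloadLocation": "https://curl.se/",
                "filesAnalyzed": False,
                "licenseConcluded": "curl",
                "licenseDeclared": "curl",
                "copyrightText": "Copyright (c) Daniel Stenberg",
                "externalRefs": [
                    {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceType": "purl",
                        "referenceLocator": "pkg:generic/libcurl",
                    }
                ],
            },
            {
                "SPDXID": "SPDXRef-Package-nlohmann-json",
                "name": "nlohmann-json",
                "versionInfo": "3.12.0",
                "supplier": "Person: Niels Lohmann",
                "downloadLocation": "https://github.com/nlohmann/json/archive/refs/tags/v3.12.0.tar.gz",
                "filesAnalyzed": False,
                "licenseConcluded": "MIT",
                "licenseDeclared": "MIT",
                "copyrightText": "Copyright (c) 2013-2025 Niels Lohmann",
                "externalRefs": [
                    {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceType": "purl",
                        "referenceLocator": "pkg:github/nlohmann/json@v3.12.0",
                    }
                ],
            },
            {
                "SPDXID": "SPDXRef-Package-googletest",
                "name": "googletest",
                "versionInfo": "1.17.0",
                "supplier": "Organization: Google LLC",
                "downloadLocation": "https://github.com/google/googletest/archive/refs/tags/v1.17.0.tar.gz",
                "filesAnalyzed": False,
                "licenseConcluded": "BSD-3-Clause",
                "licenseDeclared": "BSD-3-Clause",
                "copyrightText": "Copyright 2008 Google Inc.",
                "comment": "Build-time only dependency (unit tests).",
                "externalRefs": [
                    {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceType": "purl",
                        "referenceLocator": "pkg:github/google/googletest@v1.17.0",
                    }
                ],
            },
        ],
        "relationships": [
            {
                "spdxElementId": "SPDXRef-DOCUMENT",
                "relatedSpdxElement": "SPDXRef-Package-how",
                "relationshipType": "DESCRIBES",
            },
            {
                "spdxElementId": "SPDXRef-Package-how",
                "relatedSpdxElement": "SPDXRef-Package-libcurl",
                "relationshipType": "DEPENDS_ON",
            },
            {
                "spdxElementId": "SPDXRef-Package-how",
                "relatedSpdxElement": "SPDXRef-Package-nlohmann-json",
                "relationshipType": "DEPENDS_ON",
            },
            # SPDX 2.3 reads "A DEV_DEPENDENCY_OF B" as "A is a development
            # dependency of B", so googletest is the subject and how the
            # object. The previous orientation claimed how was a dev
            # dependency of googletest, which consumers would interpret
            # as the wrong edge in the dependency graph.
            {
                "spdxElementId": "SPDXRef-Package-googletest",
                "relatedSpdxElement": "SPDXRef-Package-how",
                "relationshipType": "DEV_DEPENDENCY_OF",
            },
        ],
    }


# Kept as a module-level name so existing callers that read ``sbom`` still work.
sbom = build_sbom()

if __name__ == "__main__":
    print(json.dumps(sbom, indent=2))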