bom is a tiny utility that leverages the code written for the Kubernetes Bill of Materials project. It enables software authors to generate an SBOM for their projects in a simple, yet powerful way.
bom is a general-purpose tool that can generate SPDX packages from directories, container images, single files, and other sources. The utility has a built-in license classifier that recognizes the 400+ licenses in the SPDX catalog.
Other features include Golang dependency analysis and full .gitignore support when scanning git repositories.
If you are looking for a way to create a bill of materials for your project, we have created a HOWTO guide to generating an SBOM.
The guide includes information about what a Bill of Materials is, the SPDX standard, and instructions to add files, images, directories, and other sources to your BOM.
To compile bom, clone the Kubernetes Release Engineering repository and run the compile-release-tools script:
git clone git@github.com:kubernetes/release.git
cd release
./compile-release-tools
The following examples show how bom can process different sources to generate an SPDX Bill of Materials. Multiple sources can be combined to get a document describing different packages.
To process a directory as a source for your SBOM, use the -d flag or simply pass the path as the first argument to bom:
bom generate -n http://example.com/ .
This example pulls the kube-apiserver image, analyzes it, and describes it in the SBOM. Each of its layers is then expressed as a subpackage in the resulting document:
bom generate -n http://example.com/ --image k8s.gcr.io/kube-apiserver:v1.21.0
You can create an SBOM with just files in the manifest. For that, use -f:
bom generate -n http://example.com/ \
-f Makefile \
-f file1.exe \
-f document.md \
-f other/file.txt
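The examples above each use a single kind of source, while the text notes that sources can be combined into one document. The script below is an added example, not part of bom's documentation or code: it assembles one `bom generate` invocation that combines a directory, an image, and loose files using only the flags shown on this page (-n, -d, --image, -f), and then runs a small consistency check over an SPDX tag-value document of the kind bom emits. The two SBOM samples it writes are constructed here following the SPDX 2.x tag-value layout; they are not captured bom output, and the check is deliberately limited to the header fields and relationship references that any SPDX document must have.

```shell
#!/usr/bin/env bash
# Added example (not from the bom project). Flags -n, -d, --image and -f are
# the ones documented on this page; everything else here is an assumption.
set -eu

# Build one bom command line that folds several sources into a single SBOM
# under the given document namespace. Extra arguments are -f file sources.
build_bom_cmd() {
  local ns=$1 dir=$2 image=$3
  shift 3
  local cmd="bom generate -n $ns -d $dir --image $image"
  local f
  for f in "$@"; do
    cmd="$cmd -f $f"
  done
  printf '%s\n' "$cmd"
}

# Consistency check for an SPDX tag-value document:
#  - SPDXVersion and DocumentNamespace headers are present
#  - the document element SPDXRef-DOCUMENT is defined
#  - every SPDXID named in a Relationship line is defined somewhere
# NONE/NOASSERTION and external refs (containing ':') are skipped.
# Exit 0 when the document passes, 1 (reason on stderr) otherwise.
check_spdx() {
  awk '
    /^SPDXVersion:/       { have_version = 1 }
    /^DocumentNamespace:/ { have_ns = 1 }
    /^SPDXID:/            { defined[$2] = 1 }
    /^Relationship:/      { refs[$2] = 1; refs[$4] = 1 }
    END {
      if (!have_version) { print "missing SPDXVersion" > "/dev/stderr"; exit 1 }
      if (!have_ns)      { print "missing DocumentNamespace" > "/dev/stderr"; exit 1 }
      if (!("SPDXRef-DOCUMENT" in defined)) {
        print "missing SPDXRef-DOCUMENT element" > "/dev/stderr"; exit 1
      }
      for (r in refs) {
        if (r == "NONE" || r == "NOASSERTION" || index(r, ":") > 0) continue
        if (!(r in defined)) { print "dangling reference: " r > "/dev/stderr"; exit 1 }
      }
    }' "$1"
}

# Constructed sample: a well-formed document describing one package.
write_good_sbom() {
  cat > "$1" <<'EOF'
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example
DocumentNamespace: http://example.com/
Creator: Tool: bom
Created: 2021-01-01T00:00:00Z

##### Package: kube-apiserver

PackageName: kube-apiserver
SPDXID: SPDXRef-Package-kube-apiserver
PackageDownloadLocation: NONE
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-kube-apiserver
EOF
}

# Constructed sample: same header, but the relationship points at a layer
# package that was never defined, which check_spdx must report.
write_bad_sbom() {
  write_good_sbom "$1"
  printf '%s\n' "Relationship: SPDXRef-Package-kube-apiserver CONTAINS SPDXRef-Package-layer-0" >> "$1"
}

# Demo: print the combined command, then check both constructed documents.
demo() {
  build_bom_cmd http://example.com/ . k8s.gcr.io/kube-apiserver:v1.21.0 Makefile other/file.txt
  local good bad
  good=$(mktemp) && bad=$(mktemp)
  write_good_sbom "$good" && write_bad_sbom "$bad"
  check_spdx "$good" && echo "good sample: ok"
  check_spdx "$bad" 2>/dev/null || echo "bad sample: rejected as expected"
  rm -f "$good" "$bad"
}

demo
```

Run the printed command in a checkout to produce the real document, then pipe or save bom's output and pass the file to check_spdx; a dangling SPDXRef is the most common sign that a source was dropped or a document was hand-edited after generation.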