Skip to content

Latest commit

 

History

History

sbom-production

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
SCANOSS
SCANOSS
 
 
bom
bom
 
 
build-info-go
build-info-go
 
 
cdxgen
cdxgen
 
 
cyclonedx-maven-plugin
cyclonedx-maven-plugin
 
 
dep-scan
dep-scan
 
 
jbom
jbom
 
 
maven-count-modules
maven-count-modules
 
 
maven-dependency-graph
maven-dependency-graph
 
 
openrewrite
openrewrite
 
 
ort
ort
 
 
sbom-tool
sbom-tool
 
 
scancode
scancode
 
 
spdx-maven-plugin
spdx-maven-plugin
 
 
spdx-sbom-generator
spdx-sbom-generator
 
 
spdx-tools
spdx-tools
 
 
study-subjects-env
study-subjects-env
 
 
swid-maven-plugin
swid-maven-plugin
 
 
syft
syft
 
 
README.md
README.md
 
 
bom.sh
bom.sh
 
 
build-info-go.sh
build-info-go.sh
 
 
cdxgen.sh
cdxgen.sh
 
 
cyclonedx-maven-plugin.sh
cyclonedx-maven-plugin.sh
 
 
cyclonedx.sh
cyclonedx.sh
 
 
depscan.sh
depscan.sh
 
 
generateAll.sh
generateAll.sh
 
 
jbom.sh
jbom.sh
 
 
maven-dependency-graph.sh
maven-dependency-graph.sh
 
 
maven-module-count.sh
maven-module-count.sh
 
 
openrewrite.sh
openrewrite.sh
 
 
ort.sh
ort.sh
 
 
sbom-tool.sh
sbom-tool.sh
 
 
scancode.sh
scancode.sh
 
 
scanoss.sh
scanoss.sh
 
 
spdx-maven-plugin.sh
spdx-maven-plugin.sh
 
 
spdx-sbom-generator.sh
spdx-sbom-generator.sh
 
 
spdx-tools.sh
spdx-tools.sh
 
 
swid-maven-plugin.sh
swid-maven-plugin.sh
 
 
syft.sh
syft.sh
 
 

README.md

SBOM Production

Format of this directory

It contains 3 types of files/folders.

  1. study-subjects-env. It contains details of all the study subjects.

    1. RepoUrl
    2. RepoName
    3. CommitHash

    These are passed as arguments to the docker image later.

  2. Folder based on tool name. Example: build-info-go. These folders contain at least a Dockerfile that outlines instructions to setup the producer so that it can be executed on the study subjects using the arguments above.

  3. Bash script based on tool name. Example: build-info-go.sh. Each script iterates over .env file and runs all the producers for it. It, finally, produces the SBOM file and puts it in results-march-2023/<study-subject>/<producer>.

Process

We run 6 SBOM producers on 26 projects.

  1. generateAll script is invoked.
  2. The script invokes respective script for each producer.
  3. SBOM is stored in results-march-2023/<study-subject>/<producer>.

Example SBOM

See SBOM for alluxio produced by cdxgen.