bomctl

README

bomctl

bomctl is format-agnostic Software Bill of Materials (SBOM) tooling, which is intended to bridge the gap between SBOM generation and SBOM analysis tools. It focuses on supporting more complex SBOM operations by being opinionated on only supporting the NTIA minimum fields or other fields supported by protobom.

[!NOTE] This is an experimental project under active development. We'd love feedback on the concept, scope, and architecture!

Features

• Work with multiple SBOMs in tree structures (through external references)
• Fetch and push SBOMs using HTTPS, OCI, and GIT protocols
• Leverage a .netrc file to handle authentication
• Manipulate SBOMs with commands like diff, split, and redact
• Manage SBOMs using a persistent database cache
• Interface with OpenSSF projects and services like GUAC and Sigstore

Join our Community

• #bomctl on OpenSSF Slack
• OpenSSF Security Tooling Working Group Meeting - Every two weeks on Friday, 8am Pacific
• SBOM Tooling Working Meeting - Every Monday, 2pm Pacific

Commands

Fetch (Implemented)

Ability to retrieve an SBOM via several protocols:

• HTTP/S
• Git

and from various locations:

• Local Filesystem
• OCI

This includes recursive loading of external references in an SBOM to other SBOMs and placing them into the persistent cache. If SBOMs are access controlled, a user's .netrc file to authenticate.

Diff (Planned)

TBD

Lint (Planned)

TBD

List (Planned)

TBD

Merge (Planned)

TBD

Push (Planned)

TBD

Redact (Planned)

TBD

Split (Planned)

TBD

Trim (Planned)

TBD

Verifying Releases

Bomctl releases can be found here and are signed using keyless signing with cosign.

For each artifact there are two additional files:

• ${artifact}-keyless.sig - signature
• ${artifact}-keyless.pem - certificate

You can then verify this artifact with cosign using the signature and the certificate.

cosign verify-blob --certificate ${artifact}-keyless.pem --signature ${artifact}-keyless.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/bomctl/bomctl/\.github/.+'  ${artifact}

If the result is Verified OK, the verification is successful.

You can also look up the entry in the public Rekor instance using a sha256 hash.

shasum -a 256 bomctl_SNAPSHOT-3f16bdb_checksums.txt |awk '{print $1}'

The printed hash can be used to look up the entry at https://search.sigstore.dev/.

Documentation

Overview

------------------------------------------------------------------------ SPDX-FileCopyrightText: Copyright © 2024 bomctl authors SPDX-FileName: main.go SPDX-FileType: SOURCE SPDX-License-Identifier: Apache-2.0 ------------------------------------------------------------------------ Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ------------------------------------------------------------------------