SIT

SIT is an accurate, compliant SBOM generator with incremental construction.

SIT

       _____ _____ _______ 
      / ____|_   _|__   __|
     | (___   | |    | |   
      \___ \  | |    | |   
      ____) |_| |_   | |   
     |_____/|_____|  |_|   
            

Usage:
  python -m SIT [-v] [--server] <subcommand> ...

Generate Software Bill of Materials (SBOM) for a software package.

Options:
  -v, --version  show program's version number and exit
  --server       Start SIT server mode

subcommands:
  <subcommand>
    generate     Generate SBOM for a software package
    merge        Merge SBOMs
    export       Export Sub-SBOM
    convert      Convert SBOM between different formats

The tool is available on GitHub.

Introduction

SIT is an accurate, compliant SBOM generator with incremental construction.

Installation

SIT can be used in two ways: deployed locally by installing the required libraries, or run from the Docker image.

Deploy locally

We use poetry to manage dependencies. Make sure you have poetry installed.

pip install poetry

Clone the repository and install the dependencies.

git clone 
cd SIT
poetry install  # install dependencies
poetry shell  # activate the virtual environment
python3 -m SIT --help  # check if SIT is installed successfully

Deploy with Docker

Check the Docker installation guide to install Docker on your machine.

Pull the docker image of SIT.

docker pull gmscofield/sit:latest

Run the container.

docker run --rm -it -p 9020:9020 \
  -v $(pwd)/input:/input \
  gmscofield/sit [--server] <subcommand> ...

The --rm argument automatically removes the container after it stops.

Commands

Server Mode

To run SIT as a server, invoke SIT with the --server argument. By default, it listens on port 9020.

python -m SIT --server

Generate Command

Generate an SBOM for the given Python package.

Usage:
  python -m SIT generate [options]

Options:
  -i <INPUT>, --input <INPUT>
                        Input path of software package, default is current path
  -o <OUTPUT>, --output <OUTPUT>
                        Output file path of SBOM, default is stdout
  --model <MODEL>       SBOM Model, choose from SPDX, CycloneDX, OSSBOM or middleware, default is middleware
  --env <ENVIRONMENT>   Running environment of software package, default is None

Examples

If you deploy SIT locally:

python -m SIT generate -i /input/project -o /output/sbom.json --model spdx --env /input/project/env

If you use SIT docker:

docker run --rm -v /localpath/input/project:/input -v /localpath/output:/output gmscofield/sit generate -i /input -o /output/sbom.json --model spdx --env /input/env

Merge Command

Merge two SBOMs.

Usage:
  python -m SIT merge [options]

Options:
  -i <INPUT> <INPUT>, --input <INPUT> <INPUT>
                        Input paths of the SBOMs to be merged; exactly 2 SBOMs are required. The first one is the root SBOM and the second one is the sub-SBOM. Currently only JSON format is supported
  -o <OUTPUT>, --output <OUTPUT>
                        Output file path of SBOM, default is stdout
  --model <MODEL>       SBOM Model, choose from SPDX, CycloneDX, OSSBOM or middleware, default is middleware

Examples

If you deploy SIT locally:

python -m SIT merge -i /input/sbom1.json /input/sbom2.json -o /output/sbom.json --model spdx

If you use SIT docker:

docker run --rm -v /localpath/input:/input -v /localpath/output:/output gmscofield/sit merge -i /input/sbom1.json /input/sbom2.json -o /output/sbom.json --model spdx

Export Command

Export a sub-SBOM from a given SBOM.

Usage:
  python -m SIT export [options]

Options:
  -i <INPUT>, --input <INPUT>
                        Path of SBOM file to be exported
  -o <OUTPUT>, --output <OUTPUT>
                        Output file path of SBOM, default is stdout
  --id <ID> [<ID> ...]  ID of the top-level Component to be exported
  --model <MODEL>       SBOM Model, choose from SPDX, CycloneDX, OSSBOM or middleware, default is middleware

Examples

If you deploy SIT locally:

python -m SIT export -i /input/sbom.json -o /output/sbom.json --id package-id --model spdx

If you use SIT docker:

docker run --rm -v /localpath/input:/input -v /localpath/output:/output gmscofield/sit export -i /input/sbom.json -o /output/sbom.json --id package-id --model spdx
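Two things a practitioner usually wants right after running generate and export: a sanity check that the SPDX document SIT wrote is well-formed before it is handed to a scanner or a customer, and a clear picture of what "export the sub-SBOM of a top-level component" means in graph terms. The following is an added example, not code from SIT; it assumes that SIT's --model spdx output follows the public SPDX 2.x JSON schema (spdxVersion, SPDXID, packages, relationships), and the sample document, package names and SPDXIDs in it are constructed for illustration.

```python
"""Added example (not part of SIT): sanity-check an SPDX 2.x JSON SBOM and
compute the sub-SBOM reachable from one top-level package.
Assumption: the document uses the public SPDX 2.x JSON field names."""
import json
from collections import deque

# Fields every SPDX 2.x JSON document and package must carry.
REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                       "documentNamespace", "creationInfo", "packages")
REQUIRED_PKG_FIELDS = ("SPDXID", "name", "downloadLocation")
# Forward edges A -> B meaning "B belongs in the sub-SBOM of A".
FORWARD_RELATIONSHIPS = {"DEPENDS_ON", "CONTAINS"}
# Inverse spellings of the same edges (B DEPENDENCY_OF A means A -> B).
INVERSE_RELATIONSHIPS = {"DEPENDENCY_OF", "CONTAINED_BY"}

# Constructed sample document shaped like a minimal SPDX 2.3 JSON SBOM.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-project",
    "documentNamespace": "https://example.invalid/spdx/example-project",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.0", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-requests", "name": "requests", "versionInfo": "2.31.0", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-urllib3", "name": "urllib3", "versionInfo": "2.0.7", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-certifi", "name": "certifi", "versionInfo": "2023.7.22", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-pytest", "name": "pytest", "versionInfo": "7.4.0", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app", "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-requests", "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-requests", "relatedSpdxElement": "SPDXRef-urllib3", "relationshipType": "DEPENDS_ON"},
        # Same edge expressed the inverse way: certifi is a dependency of requests.
        {"spdxElementId": "SPDXRef-certifi", "relatedSpdxElement": "SPDXRef-requests", "relationshipType": "DEPENDENCY_OF"},
        # Test-only dependency: not part of the runtime sub-SBOM of app.
        {"spdxElementId": "SPDXRef-pytest", "relatedSpdxElement": "SPDXRef-app", "relationshipType": "TEST_DEPENDENCY_OF"},
    ],
})


def check_spdx_document(text):
    """Return a list of problems found; an empty list means the basic checks passed."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for field in REQUIRED_DOC_FIELDS:
        if field not in doc:
            problems.append(f"document missing required field {field!r}")
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        problems.append(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    ids = set()
    for pkg in doc.get("packages", []):
        for field in REQUIRED_PKG_FIELDS:
            if field not in pkg:
                problems.append(f"package {pkg.get('name')!r} missing {field!r}")
        pid = pkg.get("SPDXID")
        if pid in ids:
            problems.append(f"duplicate SPDXID {pid!r}")
        ids.add(pid)
    ids.add(doc.get("SPDXID"))
    # Every relationship must point at elements that exist in this document;
    # a dangling reference usually means a package was dropped during merge/convert.
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            ref = rel.get(key)
            if ref not in ids and ref not in ("NONE", "NOASSERTION"):
                problems.append(f"relationship references unknown element {ref!r}")
    return problems


def export_subtree(text, root_id):
    """Return the sorted SPDXIDs reachable from root_id via dependency/containment edges."""
    doc = json.loads(text)
    edges = {}
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        if rtype in FORWARD_RELATIONSHIPS:
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
        elif rtype in INVERSE_RELATIONSHIPS:
            edges.setdefault(rel["relatedSpdxElement"], []).append(rel["spdxElementId"])
    seen, queue = {root_id}, deque([root_id])
    while queue:  # breadth-first walk; the seen set guards against cycles
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


if __name__ == "__main__":
    print("problems:", check_spdx_document(SAMPLE_SPDX))
    print("sub-SBOM of SPDXRef-app:", export_subtree(SAMPLE_SPDX, "SPDXRef-app"))
```

Run it against a real file by replacing SAMPLE_SPDX with the contents of the sbom.json that generate wrote; a non-empty problem list is a reason not to ship that document. The subtree walk deliberately follows only DEPENDS_ON/CONTAINS (and their inverse spellings), so test-only relationships such as TEST_DEPENDENCY_OF stay out of the exported set.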

Convert Command

Convert an SBOM between different SBOM formats.

Usage:
  python -m SIT convert [options]

Options:
  -i <INPUT>, --input <INPUT>
                        Input path of SBOM file to be converted
  -o <OUTPUT>, --output <OUTPUT>
                        Output file path of SBOM, default is stdout
  --model <MODEL>       SBOM Model, choose from SPDX, CycloneDX, OSSBOM or middleware, default is middleware

Examples

If you deploy SIT locally:

python -m SIT convert -i /input/sbom.json -o /output/sbom.json --model spdx

If you use SIT docker:

docker run --rm -v /localpath/input:/input -v /localpath/output:/output gmscofield/sit convert -i /input/sbom.json -o /output/sbom.json --model spdx

License and Acknowledgements

SIT is licensed under Mulan PSL v2. See LICENSE for details.