SIT is an accurate, compliant SBOM generator with incremental construction.
SIT
  _____ _____ _______
 / ____|_   _|__   __|
| (___   | |    | |
 \___ \  | |    | |
 ____) |_| |_   | |
|_____/|_____|  |_|
Usage:
python -m SIT [-v] [--server] <subcommand> ...
Generate Software Bill of Materials (SBOM) for a software package.
Options:
-v, --version show program's version number and exit
--server Start SIT server mode
subcommands:
<subcommand>
generate Generate SBOM for a software package
merge Merge SBOMs
export Export Sub-SBOM
convert Convert SBOM between different formats
The tool is available on GitHub.
Introduction
SIT is an accurate, compliant SBOM generator with incremental construction.
Installation
We provide two ways to use SIT: deploy it locally by installing the required libraries, or run it with Docker.
Deploy locally
We use poetry to manage dependencies. Make sure you have poetry installed.
pip install poetry
Clone the repository and install the dependencies.
git clone
cd SIT
poetry install # install dependencies
poetry shell # activate the virtual environment
python3 -m SIT --help # check if SIT is installed successfully
Deploy with Docker
Check the Docker installation guide to install Docker on your machine.
Pull the Docker image of SIT. The latest tag is a moving target; for reproducible deployments, pin the image to a specific tag or digest instead.
docker pull gmscofield/sit:latest
Run the container.
docker run --rm -it -p 9020:9020 \
-v $(pwd)/input:/input \
gmscofield/sit [--server] <subcommand> ...
The --rm argument automatically removes the container after it stops. The -v mount makes a local input directory visible inside the container, and -p 9020:9020 publishes the port used by server mode; it can be omitted when running a one-shot subcommand such as generate, as in the examples below.
Commands
Server Mode
To run SIT as a server, invoke it with the --server argument. By default, it listens on port 9020.
python -m SIT --server
Generate Command
Generate an SBOM for the given Python package.
Usage:
python -m SIT generate [options]
Options:
-i <INPUT>, --input <INPUT>
Input path of software package, default is current path
-o <OUTPUT>, --output <OUTPUT>
Output file path of SBOM, default is stdout
--model <MODEL> SBOM Model, choose from SPDX, CycloneDX, OSSBOM or middleware, default is middleware
--env <ENVIRONMENT> Path of the running environment of the software package (a directory, as in the examples below), default is None
Examples
If you deploy SIT locally:
python -m SIT generate -i /input/project -o /output/sbom.json --model spdx --env /input/project/env
If you use SIT docker:
docker run --rm -v /localpath/input/project:/input -v /localpath/output:/output gmscofield/sit generate -i /input -o /output/sbom.json --model spdx --env /input/env
Merge Command
Merge two SBOMs.
Usage:
python -m SIT merge [options]
Options:
-i <INPUT> <INPUT>, --input <INPUT> <INPUT>
Input paths of the SBOMs to be merged; exactly 2 SBOMs are required. The first one is the root SBOM and the second one is the sub-SBOM. Currently only the JSON format is supported.
-o <OUTPUT>, --output <OUTPUT>
Output file path of SBOM, default is stdout
--model <MODEL> SBOM Model, choose from SPDX, CycloneDX, OSSBOM or middleware, default is middleware
Examples
If you deploy SIT locally:
python -m SIT merge -i /input/sbom1.json /input/sbom2.json -o /output/sbom.json --model spdx
If you use SIT docker:
docker run --rm -v /localpath/input:/input -v /localpath/output:/output gmscofield/sit merge -i /input/sbom1.json /input/sbom2.json -o /output/sbom.json --model spdx
Export Command
Export a sub-SBOM from a given SBOM.
Usage:
python -m SIT export [options]
Options:
-i <INPUT>, --input <INPUT>
Path of SBOM file to be exported
-o <OUTPUT>, --output <OUTPUT>
Output file path of SBOM, default is stdout
--id <ID> [<ID> ...] ID of the top-level Component to be exported
--model <MODEL> SBOM Model, choose from SPDX, CycloneDX, OSSBOM or middleware, default is middleware
Examples
If you deploy SIT locally:
python -m SIT export -i /input/sbom.json -o /output/sbom.json --id package-id --model spdx
If you use SIT docker:
docker run --rm -v /localpath/input:/input -v /localpath/output:/output gmscofield/sit export -i /input/sbom.json -o /output/sbom.json --id package-id --model spdx
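To make the merge and export semantics above concrete, the following is an added example, not SIT's own code: it shows what merging a root SBOM with a sub-SBOM, and exporting the sub-SBOM rooted at a top-level component ID, mean on a plain SPDX 2.3 JSON document. The helper names merge_sbom and export_sub_sbom and the two sample documents are constructed for this illustration and are assumptions, not SIT's API; the merge refuses an SPDXID that appears in both inputs with a different name or version, because silently keeping one of them would hide a component from the consumer of the SBOM.

```python
"""Added illustration of SBOM merge and sub-SBOM export on SPDX 2.3 JSON.
Not SIT's implementation; helper names and sample documents are constructed."""
import copy
import json

# Constructed sample: a root SBOM describing "app", which depends on "requests".
ROOT_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "app-sbom",
    "documentDescribes": ["SPDXRef-app"],
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-requests", "name": "requests", "versionInfo": "2.31.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-requests"},
    ],
}

# Constructed sample: a sub-SBOM for "requests" and its own dependency "urllib3".
SUB_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "requests-sbom",
    "documentDescribes": ["SPDXRef-requests"],
    "packages": [
        {"SPDXID": "SPDXRef-requests", "name": "requests", "versionInfo": "2.31.0"},
        {"SPDXID": "SPDXRef-urllib3", "name": "urllib3", "versionInfo": "2.2.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-requests"},
        {"spdxElementId": "SPDXRef-requests", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-urllib3"},
    ],
}


def _rel_key(rel):
    """Identity of a relationship edge, used for de-duplication."""
    return (rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"])


def merge_sbom(root, sub):
    """Merge a sub-SBOM into a root SBOM: union the packages (keyed by SPDXID),
    carry over the sub-SBOM's dependency edges, and drop the sub document's own
    DESCRIBES edge so that only the root document describes a top-level package."""
    merged = copy.deepcopy(root)
    by_id = {p["SPDXID"]: p for p in merged["packages"]}
    for pkg in sub["packages"]:
        existing = by_id.get(pkg["SPDXID"])
        if existing is None:
            by_id[pkg["SPDXID"]] = copy.deepcopy(pkg)
            merged["packages"].append(by_id[pkg["SPDXID"]])
        elif (existing.get("name"), existing.get("versionInfo")) != (
            pkg.get("name"), pkg.get("versionInfo")):
            # Same ID, different component: refuse rather than hide one of them.
            raise ValueError(f"SPDXID {pkg['SPDXID']} names different components")
    seen = {_rel_key(r) for r in merged["relationships"]}
    for rel in sub["relationships"]:
        if rel["spdxElementId"] == "SPDXRef-DOCUMENT":
            continue  # the sub document's DESCRIBES edge does not survive the merge
        if _rel_key(rel) not in seen:
            merged["relationships"].append(copy.deepcopy(rel))
            seen.add(_rel_key(rel))
    return merged


def export_sub_sbom(doc, top_ids):
    """Export the sub-SBOM rooted at the given top-level component IDs: those
    components plus everything reachable over DEPENDS_ON edges, keeping only
    the relationships whose both ends lie inside that closure."""
    known = {p["SPDXID"] for p in doc["packages"]}
    missing = [i for i in top_ids if i not in known]
    if missing:
        raise KeyError(f"unknown component IDs: {missing}")
    edges = {}
    for rel in doc["relationships"]:
        if rel["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    keep, stack = set(), list(top_ids)
    while stack:  # iterative DFS; the 'keep' set also terminates on dependency cycles
        node = stack.pop()
        if node in keep:
            continue
        keep.add(node)
        stack.extend(edges.get(node, []))
    describes = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                  "relatedSpdxElement": i} for i in top_ids]
    inner = [copy.deepcopy(r) for r in doc["relationships"]
             if r["spdxElementId"] in keep and r["relatedSpdxElement"] in keep]
    return {
        "spdxVersion": doc["spdxVersion"],
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{doc['name']}-export",
        "documentDescribes": list(top_ids),
        "packages": [copy.deepcopy(p) for p in doc["packages"] if p["SPDXID"] in keep],
        "relationships": describes + inner,
    }


if __name__ == "__main__":
    merged = merge_sbom(ROOT_SBOM, SUB_SBOM)
    print(json.dumps(export_sub_sbom(merged, ["SPDXRef-requests"]), indent=2))
```

Run stand-alone, the script merges the two constructed documents and prints the sub-SBOM for SPDXRef-requests, which contains requests and urllib3 but not app. The ID-collision check is the part worth copying into any SBOM pipeline: two SBOMs produced at different times can legitimately reuse an SPDXID for different versions of a component, and a merge that keeps whichever copy came first produces a document that looks complete while misreporting what was shipped.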
Convert Command
Convert an SBOM between different SBOM formats.
Usage:
python -m SIT convert [options]
Options:
-i <INPUT>, --input <INPUT>
Input path of SBOM file to be converted
-o <OUTPUT>, --output <OUTPUT>
Output file path of SBOM, default is stdout
--model <MODEL> SBOM Model, choose from SPDX, CycloneDX, OSSBOM or middleware, default is middleware
Examples
If you deploy SIT locally:
python -m SIT convert -i /input/sbom.json -o /output/sbom.json --model spdx
If you use SIT docker:
docker run --rm -v /localpath/input:/input -v /localpath/output:/output gmscofield/sit convert -i /input/sbom.json -o /output/sbom.json --model spdx
License and Acknowledgements
SIT is licensed under Mulan PSL v2. See LICENSE for details.