Skip to content
/ spack-sbom Public

Generate a software bill of materials (SBOM) for a spack package

2 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

spack/spack-sbom

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
examples
examples
 
 
README.md
README.md
 
 
spack-sbom.py
spack-sbom.py
 
 

Repository files navigation

Spack SBOM

A dummy example of generating a Software Bill of Materials (SBOM) for a spack package.

Usage

Make sure that spack is on your path, and then do:

$ spack python spack-sbom.py zlib
{
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "serialNumber": "urn:uuid:2dbecd32-b9bf-4679-bacd-87efba4ef557",
    "version": 1,
    "metadata": {
        "timestamp": "2021-11-28T18:56:11Z",
        "tools": [
            {
                "vendor": "Lawrence Livermore National Lab",
                "name": "Spack",
                "version": "0.16.0-3994-d9ea572a4b"
            }
        ],
        "authors": [
            {
                "name": "@vsoch",
                "email": "vsoch@users.noreply.github.com"
            }
        ],
        "component": {
            "type": "lib",
            "scope": "required",
            "name": "zlib",
            "mime-type": "application/vnd.spack.package",
            "group": "spack.io",
            "version": "1.2.11",
            "bom-ref": "zlib@1.2.11%gcc@9.3.0+optimize+pic+shared arch=linux-ubuntu20.04-skylake",
            "description": "A free, general-purpose, legally unencumbered lossless data-compression\nlibrary.\n",
            "hashes": [
                {
                    "alg": "SHA-256",
                    "cotent": "c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1"
                }
            ],
            "externalReferences": [
                {
                    "type": "website",
                    "url": "https://zlib.net/fossils/zlib-1.2.11.tar.gz"
                }
            ],
            "properties": {
                "spack:build_hash": "3kmnsdv36qxm3slmcyrb326gkghsp6px",
                "spack:dag_hash": "3kmnsdv36qxm3slmcyrb326gkghsp6px",
                "spack:spec": "zlib@1.2.11%gcc@9.3.0+optimize+pic+shared arch=linux-ubuntu20.04-skylake",
                "spack:build_spec": "zlib@1.2.11%gcc@9.3.0+optimize+pic+shared arch=linux-ubuntu20.04-skylake",
                "spack:architecture": "linux-ubuntu20.04-skylake",
                "spack:variants": "+optimize+pic+shared",
                "spack:compiler": "gcc@9.3.0"
            }
        },
        "licenses": [
            {
                "license": {
                    "name": "MIT"
                }
            },
            {
                "license": {
                    "name": "Apache-2.0"
                }
            }
        ]
    },
    "externalReferences": [
        {
            "type": "website",
            "url": "https://github.com/spack/spack"
        },
        {
            "type": "website",
            "url": "https://spack.github.io/packages"
        }
    ]
}

A few examples are provided, each generated as follows:

$ spack python spack-sbom.py zlib > examples/zlib.json

And that's it! If you have any feedback, please open an issue. It's not clear if this will ever be desired by the spack community (and if so, when) so in the meantime it can live here as a little spack script that is fairly easy to use if you need it. Please open an issue for discussion or suggesting changes!

About

Generate a software bill of materials (SBOM) for a spack package

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

6 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages