📦 SBOM Generator
v1.0.0
Generate a Software Bill of Materials (SBOM) in CycloneDX or SPDX format — inventory all dependencies, licenses, vulnerabilities, and supply chain metadata. Re...
SBOM Generator
Create a comprehensive Software Bill of Materials listing every dependency, its version, license, and known vulnerabilities. Supports the CycloneDX and SPDX formats required by regulatory frameworks (FDA, EU Cyber Resilience Act, NIST SSDF).
Use when: "generate SBOM", "software bill of materials", "list all dependencies", "license audit", "supply chain inventory", "compliance report", "CycloneDX", "SPDX", or during security/compliance audits.
Commands
- generate — Generate Full SBOM
Scan the project and produce a complete dependency inventory.
Step 1: Detect Package Managers

```bash
echo "=== Package Manager Detection ==="
MANAGERS=""

# Node.js
[ -f "package-lock.json" ] && MANAGERS="$MANAGERS npm" && echo "✅ npm (package-lock.json)"
[ -f "yarn.lock" ] && MANAGERS="$MANAGERS yarn" && echo "✅ Yarn (yarn.lock)"
[ -f "pnpm-lock.yaml" ] && MANAGERS="$MANAGERS pnpm" && echo "✅ pnpm (pnpm-lock.yaml)"

# Python
[ -f "requirements.txt" ] && MANAGERS="$MANAGERS pip" && echo "✅ pip (requirements.txt)"
[ -f "Pipfile.lock" ] && MANAGERS="$MANAGERS pipenv" && echo "✅ Pipenv (Pipfile.lock)"
[ -f "poetry.lock" ] && MANAGERS="$MANAGERS poetry" && echo "✅ Poetry (poetry.lock)"
[ -f "pdm.lock" ] && MANAGERS="$MANAGERS pdm" && echo "✅ PDM (pdm.lock)"

# Go
[ -f "go.sum" ] && MANAGERS="$MANAGERS go" && echo "✅ Go (go.sum)"

# Rust
[ -f "Cargo.lock" ] && MANAGERS="$MANAGERS cargo" && echo "✅ Cargo (Cargo.lock)"

# Ruby
[ -f "Gemfile.lock" ] && MANAGERS="$MANAGERS bundler" && echo "✅ Bundler (Gemfile.lock)"

# PHP
[ -f "composer.lock" ] && MANAGERS="$MANAGERS composer" && echo "✅ Composer (composer.lock)"

# Java
[ -f "pom.xml" ] && MANAGERS="$MANAGERS maven" && echo "✅ Maven (pom.xml)"
{ [ -f "build.gradle" ] || [ -f "build.gradle.kts" ]; } && MANAGERS="$MANAGERS gradle" && echo "✅ Gradle"

# .NET (-maxdepth must precede -name; match *.csproj rather than a literal ".csproj")
find . -maxdepth 3 -name "*.csproj" 2>/dev/null | head -1 | grep -q . && MANAGERS="$MANAGERS nuget" && echo "✅ NuGet (.csproj)"

echo ""
echo "Package managers found: $(echo $MANAGERS | wc -w)"
```
Step 2: Extract Dependencies

```bash
echo ""
echo "=== Dependency Extraction ==="

# npm/Node.js: lockfile v2/v3 "packages" map; one line per package as name|version|license|scope
if [ -f "package-lock.json" ]; then
  echo "--- npm Dependencies ---"
  python3 - <<'EOF' 2>/dev/null | head -50
import json, sys
lock = json.load(open('package-lock.json'))
packages = lock.get('packages', {})
count = 0
for name, info in sorted(packages.items()):
    if not name:
        continue  # the '' key is the root project itself
    clean_name = name.replace('node_modules/', '')
    version = info.get('version', '?')
    license = info.get('license', 'UNKNOWN')
    dev = info.get('dev', False)
    print(f'{clean_name}|{version}|{license}|{"dev" if dev else "prod"}')
    count += 1
print(f'Total npm packages: {count}', file=sys.stderr)
EOF
fi

# Python: requirements.txt, skipping comments and option lines (-r, -e, --index-url ...)
if [ -f "requirements.txt" ]; then
  echo "--- Python Dependencies ---"
  python3 - <<'EOF' 2>/dev/null
import re
with open('requirements.txt') as f:
    for line in f:
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('-'):
            continue
        # package name followed by an optional version specifier; whitespace between them is optional
        match = re.match(r'([a-zA-Z0-9_.-]+)\s*([=<>!~]+\s*\S+)?', line)
        if match:
            name = match.group(1)
            version = match.group(2) or 'any'
            print(f'{name}|{version.strip()}|UNKNOWN|prod')
EOF
fi

# Go: go.sum lists each module twice (content hash and /go.mod hash), so dedupe on module@version
if [ -f "go.sum" ]; then
  echo "--- Go Dependencies ---"
  python3 - <<'EOF' 2>/dev/null | head -50
seen = set()
with open('go.sum') as f:
    for line in f:
        parts = line.strip().split()
        if len(parts) >= 2:
            name = parts[0]
            version = parts[1].split('/')[0]  # drop the "/go.mod" suffix
            key = f'{name}@{version}'
            if key not in seen:
                seen.add(key)
                print(f'{name}|{version}|UNKNOWN|prod')
EOF
fi

# Rust: every [[package]] entry in Cargo.lock has a name line directly followed by a version line
if [ -f "Cargo.lock" ]; then
  echo "--- Rust Dependencies ---"
  python3 - <<'EOF' 2>/dev/null | head -50
import re
with open('Cargo.lock') as f:
    content = f.read()
for match in re.finditer(r'name = "([^"]+)"\nversion = "([^"]+)"', content):
    print(f'{match.group(1)}|{match.group(2)}|UNKNOWN|prod')
EOF
fi
```
Step 3: License Detection

```bash
echo ""
echo "=== License Analysis ==="

# For npm: licenses are in package-lock.json and package.json
if [ -f "package-lock.json" ]; then
  python3 - <<'EOF'
import json
from collections import Counter

lock = json.load(open('package-lock.json'))
licenses = Counter()
unknown = []

for name, info in lock.get('packages', {}).items():
    if not name:
        continue
    lic = info.get('license', 'UNKNOWN')
    if isinstance(lic, dict):  # some packages declare {"type": ..., "url": ...}
        lic = lic.get('type', 'UNKNOWN')
    licenses[lic] += 1
    if lic == 'UNKNOWN':
        unknown.append(name.replace('node_modules/', ''))

print('License Distribution:')
for lic, count in licenses.most_common():
    print(f'  {lic}: {count}')

if unknown:
    print(f'\nUnknown licenses ({len(unknown)}):')
    for pkg in unknown[:10]:
        print(f'  {pkg}')

# Flag copyleft licenses
copyleft = ['GPL-2.0', 'GPL-3.0', 'AGPL-3.0', 'LGPL-2.1', 'LGPL-3.0', 'MPL-
```
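As an added example (not one of the skill's own scripts), here is the npm lockfile walk from Steps 2 and 3 carried through to a minimal CycloneDX JSON document: it derives the component name from nested node_modules paths, builds a purl, normalises the string-or-object license field, and separates dev-only packages from shipped ones. The lockfile content is constructed for the demo, and the emitted document carries only the minimal CycloneDX 1.5 fields, not a fully validated BOM.

```python
import json

# Constructed sample lockfile (v3 layout): a scoped package, a package nested
# under it, and a dev-only package whose license field is missing.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@scope/web": {"version": "2.1.0", "license": "MIT"},
        "node_modules/@scope/web/node_modules/tiny": {
            "version": "0.3.1", "license": {"type": "ISC"}},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
    },
}

def component_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (keep only the last segment)."""
    return path.rsplit("node_modules/", 1)[-1]

def purl(name, version):
    """Package URL for npm; the '@' of a scope is percent-encoded per the purl spec."""
    return f"pkg:npm/{name.replace('@', '%40')}@{version}"

def license_id(info):
    """package-lock stores license as a string, as {'type': ...}, or not at all."""
    lic = info.get("license", "UNKNOWN")
    return lic.get("type", "UNKNOWN") if isinstance(lic, dict) else lic

def to_cyclonedx(lock):
    """One CycloneDX component per installed package; the '' key is the root project."""
    comps = []
    for path, info in sorted(lock.get("packages", {}).items()):
        if not path:
            continue
        name, version, lic = component_name(path), info.get("version", "?"), license_id(info)
        comps.append({
            "type": "library", "name": name, "version": version,
            "purl": purl(name, version),
            # only SPDX ids belong in license.id; unknown licenses are simply omitted
            "licenses": [{"license": {"id": lic}}] if lic != "UNKNOWN" else [],
            # dev-only packages are not shipped, so mark them excluded
            "scope": "excluded" if info.get("dev") else "required",
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": comps}

if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(SAMPLE_LOCK), indent=2))
```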