Example code which reads an SBOM and retrieves information about the component libraries via Tidelift's APIs

tidelift/sbom-to-api-tools

This repository contains some examples of using the Tidelift APIs to gather information about open source library components.

The examples all use a CycloneDX SBOM (in JSON format) as their entry point and then produce different outputs depending on the specific example.

Tagged releases are published on GitHub at https://github.com/tidelift/tidelift-sbom-info/releases and can be downloaded and run in your environment.

Current Commands

  • tidelift-sbom-analyzer: Takes a CycloneDX JSON file as the first argument and outputs a CSV file with Tidelift's recommendations about the packages in the SBOM. Takes an optional argument of -o output.csv to write the output to a file.

  • tidelift-sbom-vulnerability-reporter: Takes a CycloneDX JSON file as the first argument and outputs a JSON file with information about any known vulnerabilities in releases that are listed in the SBOM. Takes an optional argument of -o output.json to write the output to a file.

  • tidelift-sbom-reporter: Takes a CycloneDX JSON file as the first argument and outputs a JSON file with information about any potential issues in releases that are listed in the SBOM. The output format is the same as the Tidelift All Projects Violations report. Issues shown include not just vulnerabilities but also problems such as using end-of-life or deprecated software. Takes an optional argument of -o output.json to write the output to a file.
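All three commands start from the same step: read the CycloneDX JSON, pull out the library components and their package URLs (purls), and use those purls to look up package data. The Go program below is an added example of that first step and is not code from this repository; it parses a small CycloneDX document constructed inline, deduplicates components by purl, separates out components that have no purl (which cannot be looked up and should be reported rather than silently dropped), and extracts the ecosystem from each purl. The Tidelift API calls themselves are not shown because their endpoints are not documented on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// cycloneDX is a minimal view of a CycloneDX JSON document, limited to
// the fields an SBOM-to-API tool actually needs.
type cycloneDX struct {
	BomFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []component `json:"components"`
}

// component mirrors the CycloneDX component object fields used here.
type component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	Purl    string `json:"purl"`
}

// LoadComponents parses a CycloneDX JSON SBOM and returns the library
// components that carry a purl (deduplicated and sorted by purl) plus,
// separately, the library components that have no purl at all.
func LoadComponents(data []byte) (withPurl []component, missingPurl []component, err error) {
	var bom cycloneDX
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, nil, fmt.Errorf("parse sbom: %w", err)
	}
	// Refuse documents that are not CycloneDX rather than guessing.
	if bom.BomFormat != "CycloneDX" {
		return nil, nil, fmt.Errorf("unexpected bomFormat %q (want CycloneDX)", bom.BomFormat)
	}
	seen := map[string]bool{}
	for _, c := range bom.Components {
		if c.Type != "library" {
			continue // applications, containers etc. are not looked up as packages
		}
		if c.Purl == "" {
			missingPurl = append(missingPurl, c)
			continue
		}
		if seen[c.Purl] {
			continue // the same release listed twice only needs one lookup
		}
		seen[c.Purl] = true
		withPurl = append(withPurl, c)
	}
	sort.Slice(withPurl, func(i, j int) bool { return withPurl[i].Purl < withPurl[j].Purl })
	return withPurl, missingPurl, nil
}

// PlatformFromPurl returns the ecosystem encoded in a purl, e.g.
// "pkg:npm/lodash@4.17.21" -> "npm". It returns "" for a malformed purl.
func PlatformFromPurl(purl string) string {
	if !strings.HasPrefix(purl, "pkg:") {
		return ""
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	i := strings.Index(rest, "/")
	if i <= 0 {
		return ""
	}
	return rest[:i]
}

// sampleSBOM is a constructed CycloneDX document for this example; it is
// not output from any real SBOM generator.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "internal-lib", "version": "0.1.0"},
    {"type": "application", "name": "my-app", "version": "1.0.0", "purl": "pkg:generic/my-app@1.0.0"}
  ]
}`

func main() {
	withPurl, missingPurl, err := LoadComponents([]byte(sampleSBOM))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, c := range withPurl {
		fmt.Printf("lookup %-6s %s@%s (%s)\n", PlatformFromPurl(c.Purl), c.Name, c.Version, c.Purl)
	}
	for _, c := range missingPurl {
		fmt.Printf("skipped %s@%s: no purl, cannot be resolved against a package API\n", c.Name, c.Version)
	}
}
```

Deduplicating on the purl rather than on name and version matters because the same name can exist in several ecosystems; the purl carries the ecosystem, so it is the only safe key for an API lookup.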

Contributing

While this is primarily intended to guide others in the use of the Tidelift API, contributions to adapt and enhance the existing tools are always welcome. Additional commands to provide different types of data are also welcome.

Building from source

If you want to build from source, run make build. The commands then all live in the bin/ subdirectory.

If you need to build for an architecture other than the one you're running on, use make build-windows, make linux-x86, make linux-arm, make mac-arm, or make all-cross to build binaries for a different OS (or all of them); the results live in the correspondingly named subdirectories of the bin/ subdirectory.