bomfactory
is a powerful command-line tool that simplifies and automates the process of downloading Software Bill of Materials (SBOMs) for multiple repositories. SBOMs are essential for software testing and security analysis, and bomfactory
streamlines the task of acquiring them efficiently.
Inspired by the criticality_score project, bomfactory
specifically targets critical projects, making it an indispensable tool for anyone involved in software security, testing, or research.
Working with thousands of SBOMs can be time-consuming and complex. We developed bomfactory
to facilitate the rapid acquisition of SBOMs, ensuring that important projects are well-supported. This tool was crucial in testing thousands of SBOMs for minefield, a simple graph database for managing dependencies. By leveraging Roaring Bitmaps, it allows for O(1) query performance on large datasets, significantly simplifying the process.
If you require a large collection of SBOMs for testing or research, check out the bom-silo repository, which was created using bomfactory
.
- Download Criticality Score CSV: Quickly download a CSV file containing criticality scores.
- Load CSV into SQLite: Import CSV data into an SQLite database for efficient querying.
- Advanced Querying: Perform complex queries on the SQLite database to identify repositories based on various criteria.
- Automated SBOM Downloads: Download SBOMs automatically for repositories that match your query criteria.
Note: Replace
~/temp
with the path to your preferred directory.
docker run --rm -v ~/temp:/app/data ghcr.io/bitbomdev/bomfactory download-csv -o /app/data/data.csv
docker run --rm -v ~/temp:/app/data ghcr.io/bitbomdev/bomfactory load -d /app/data/data.db -c /app/data/data.csv --start 1 --end 1000
docker run --rm -v ~/temp:/app/data ghcr.io/bitbomdev/bomfactory q -d /app/data/data.db -f "repo_language:=:Go"
docker run --rm -v ~/temp:/app/data ghcr.io/bitbomdev/bomfactory ds -d /app/data/data.db -f "repo_language:=:Go" --dir /app/data
The following example demonstrates how to download 1,000 SBOMs for Go repositories hosted on Google, skipping the first 9,000 repositories and downloading 10 SBOMs concurrently:
docker run --rm -v ~/temp:/app/data ghcr.io/bitbomdev/bomfactory ds --filter "repo_language:=:Go" --filter "repo_url:LIKE:%google/%" -m 1000 --dir /app/data/sboms/go -d /app/data/data.db -s 9000 --cd 10
Tip: For a complete dataset, ensure that you load the entire CSV data into the SQLite database before performing advanced queries.
To install bomfactory
, clone the repository and build the project:
git clone https://github.com/bitbomdev/bomfactory.git
cd bomfactory
make build
bomfactory download-csv --url https://www.googleapis.com/download/storage/v1/b/ossf-criticality-score/o/2024.07.05%2F143335%2Fall.csv?generation=1721362287412491&alt=media --output data.csv
bomfactory load --csv data.csv --db data.db --start 1 --end 0
bomfactory query --filter "repo_language:==:Go" --filter "repo_star_count:>:100" --db data.db
bomfactory download-sbom --filter "repo_language:==:Go" --token my_github_token --dir sbom_files --db data.db
We welcome contributions and feedback! If you have any questions or need assistance, feel free to open an issue in the repository.
This revised README improves readability and organization, ensuring that users can quickly understand the purpose of bomfactory
and how to use it effectively. Let me know if there's anything else you'd like to add or modify!