Top 8 Python sbom Projects
-
scancode-toolkit
:mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
-
cve-bin-tool
The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
tern
Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more. (by tern-tools)
-
dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
-
-
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
Project mention: ScanCode: Scan license and packages, dependencies and origin information | news.ycombinator.com | 2023-08-11
Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05Depscan v5 is the first opensource SCA tool that can perform precision reachability analysis for Java, JavaScript/TypeScript, and Python applications to triage and prioritize the results. We invented an automatic symbols tagger, a lightweight data-flow analyzer, and a static slicer to compute all reachable flows with or without vulnerabilities. We open-sourced all our work, including the specification.
Something like Meta Package Manager? https://github.com/kdeldycke/meta-package-manager
Project mention: Releasing AGPL3 project: SPDX vs full notice text and other questions | /r/gnu | 2023-06-01The SPDX header is due to a project called REUSE, which is spearheaded by the FSF Europe. You can read more about the project here. Basically you just have to add the copyright header in the format
Project mention: Wolfi: A community Linux OS designed for the container and cloud-native era | news.ycombinator.com | 2023-06-27I'm not sure what you mean by "non-trivial" but here's a simple discord bot I wrote in python, that I distribute as an OCI image and that is built with Nix for both x86_64 and aarch64 linux via GitHub actions: https://github.com/starcraft66/attention-attention
There is no SBOM because I didn't bother publishing one but the way Nix builds derivations, you basically get the SBOM for free. You could use a tool like sbomnix[1] to trivially generate an SPDX-format SBOM from the nix derivation that builds the container image.
Project mention: Show HN: Manage SBOM vulnerabilities analysis like source code | news.ycombinator.com | 2023-06-08
Python sbom related posts
Index
What are some of the best open-source sbom projects in Python? This list will help you:
| Project | Stars | |
|---|---|---|
| 1 | scancode-toolkit | 1,966 |
| 2 | cve-bin-tool | 1,061 |
| 3 | tern | 930 |
| 4 | dep-scan | 694 |
| 5 | meta-package-manager | 432 |
| 6 | reuse-tool | 342 |
| 7 | sbomnix | 95 |
| 8 | bogrod | 8 |