debsbom generate

Synopsis

debsbom generate [-h] [-o OUT] [--distro-name DISTRO_NAME]
                 [--distro-supplier DISTRO_SUPPLIER]
                 [--distro-version DISTRO_VERSION]
                 [--distro-summary DISTRO_SUMMARY]
                 [--base-distro-vendor {debian,ubuntu}]
                 [--cdx-standard {default,standard-bom}]
                 [--spdx-namespace SPDX_NAMESPACE]
                 [--cdx-serialnumber CDX_SERIALNUMBER] [--timestamp TIMESTAMP]
                 [--add-meta-data key=value] [--validate] [-t {cdx,spdx}]
                 [-r ROOT] [--from-pkglist] [--distro-arch DISTRO_ARCH]
                 [--with-licenses] [--recommends-deps | --no-recommends-deps]
                 [--suggests-deps | --no-suggests-deps]

Description

Generate an SBOM for a Debian system

The command creates comprehensive SBOMs that include all installed software packages and their dependencies. This command can be executed in an air-gapped environment.

Options

Named Arguments

-o='sbom', --out='sbom'

filename for output (default: ‘sbom’). Use ‘-’ to write to stdout

--distro-name='Debian'

distro name (default: ‘Debian’)

--distro-supplier

supplier for the root component

--distro-version

version for the root component

--distro-summary

short description of distro component (single line)

--base-distro-vendor='debian'

vendor of the Debian distribution (debian or ubuntu)

Possible choices: debian, ubuntu

--cdx-standard='default'

generate SBOM according to this spec (only for CDX)

Possible choices: default, standard-bom

--spdx-namespace

document namespace, must be a valid URI (only for SPDX)

--cdx-serialnumber

document serial number, must be a UUID in 8-4-4-4-12 format (only for CDX)

--timestamp

document timestamp in ISO 8601 format

--add-meta-data

add arbitrary metadata properties to the SBOM

--validate=False

validate generated SBOM (only for SPDX)

-t, --sbom-type

SBOM type to generate, can be passed multiple times (default: all)

Possible choices: cdx, spdx

-r='/', --root='/'

root directory in which to look for the dpkg status file and apt cache

--from-pkglist=False

create SBOM from a package list passed via stdin

--distro-arch='auto'

native dpkg architecture of the distro (default: ‘auto’)

--with-licenses=False

parse and include license information

--recommends-deps=True, --no-recommends-deps=True

track recommended package dependencies (default: True)

--suggests-deps=False, --no-suggests-deps=False

track suggested package dependencies (default: False)
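
Example

A pre-flight wrapper for the value formats that --cdx-serialnumber, --spdx-namespace and --timestamp require, as an added example that is not part of the debsbom project or its documentation. The helper names, the DEBSBOM override variable and the sample values are assumptions, and the timestamp and URI checks are deliberately narrower than ISO 8601 and the URI grammar.

```shell
#!/bin/sh
# Added example (not debsbom's own code): reject malformed document-identity
# values before `debsbom generate` is started.

# Match one single-line value against an ERE; embedded newlines never match.
matches() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx -- "$2"
}

# --cdx-serialnumber: UUID in 8-4-4-4-12 format.
is_uuid() {
    matches "$1" \
        '[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}'
}

# --timestamp: ISO 8601. Assumption: only the UTC form YYYY-MM-DDThh:mm:ssZ
# is accepted here.
is_utc_timestamp() {
    matches "$1" '[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z'
}

# --spdx-namespace: must be a URI. Assumption: require "scheme://rest"
# with no whitespace.
is_uri() {
    matches "$1" '[A-Za-z][A-Za-z0-9+.-]*://[^[:space:]]+'
}

# generate_sbom ROOT OUT SERIAL NAMESPACE TIMESTAMP
# Returns 2 without running anything if a value is malformed.
generate_sbom() {
    gs_root=$1; gs_out=$2; gs_serial=$3; gs_ns=$4; gs_ts=$5
    [ -d "$gs_root" ] || { echo "root is not a directory: $gs_root" >&2; return 2; }
    is_uuid "$gs_serial" || { echo "bad serial number: $gs_serial" >&2; return 2; }
    is_uri "$gs_ns" || { echo "bad namespace: $gs_ns" >&2; return 2; }
    is_utc_timestamp "$gs_ts" || { echo "bad timestamp: $gs_ts" >&2; return 2; }
    # DEBSBOM is a hypothetical override so the command line can be dry-run.
    "${DEBSBOM:-debsbom}" generate -r "$gs_root" -o "$gs_out" -t cdx -t spdx \
        --cdx-serialnumber "$gs_serial" --spdx-namespace "$gs_ns" \
        --timestamp "$gs_ts" --validate
}

# Constructed sample call (placeholder values):
# generate_sbom /mnt/image-rootfs sbom \
#     123e4567-e89b-42d3-a456-426614174000 \
#     https://sbom.example.org/spdx/image-1 2024-05-01T12:00:00Z
```

Setting DEBSBOM=echo prints the assembled command line instead of running it.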

SEE ALSO

debsbom-decisions(1)

DEBSBOM

Part of the debsbom(1) suite.