Generate Software Bill of Materials for R Things
A “Software Bill of Materials” (SBOM) is a nested inventory of the components — the “ingredients” — that make up a piece of software. This package provides tools to make SBOMs for R things.
- Handle Licenses (PARTIAL SUPPORT EXISTS)
- Handle Authors (PARTIAL SUPPORT EXISTS)
- Get some buy-in on purls, BOM-refs, etc
- Handle non-CRAN packages
- Handle Shiny apps
- Handle R “projects”
- Dependency trees
- Handle system requirements & (generically) stuff in src
The following functions are implemented:
cran_pkg_sbom
: Create a minimal SBOM for a CRAN R package

validate_sbom
: Validate an SBOM using CycloneDX
# Installs the development version from the GitHub default branch. For a
# reproducible, auditable install, pin a tag or commit with
# `ref = "<tag-or-sha>"` (placeholder) instead of tracking the branch head.
remotes::install_github("hrbrmstr/sbom")
NOTE: To use the ‘remotes’ install options you will need to have the {remotes} package installed.
library(sbom)
# current version
packageVersion("sbom")
## [1] '0.1.1'
# Build a CycloneDX SBOM (JSON text) for a CRAN package and keep it in `x`
# so it can be validated below. The output carries the package's own
# component entry plus a `components` list (Rcpp, cli, ...), each with a
# purl and a SHA-256 hash. Which artifact the hash covers (source tarball
# vs. installed files) is not stated here -- confirm before using the
# hashes for integrity checks.
cat(x <- cran_pkg_sbom("ndjson"))
## {
## "bomFormat": "CycloneDX",
## "specVersion": "1.4",
## "serialNumber": "urn:uuid:61ceb100-9a3d-4ef9-bed7-66f7b2660ed2",
## "version": 1,
## "metadata": {
## "component": {
## "bom-ref": "pkg:cran/ndjson@0.8.0",
## "type": "library",
## "name": "ndjson",
## "version": "0.8.0",
## "description": "Wicked-Fast Streaming 'JSON' ('ndjson') Reader",
## "author": ["Bob Rudis; Niels Lohmann; Deepak Bandyopadhyay; Lutz Kettner"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "32f45d8ad99e244263701f157f800bd65faedb942852e3524898c6c1ffd7b522"
## }
## ],
## "purl": "pkg:cran/ndjson@0.8.0"
## }
## },
## "components": [
## {
## "bom-ref": "pkg:cran/Rcpp@1.0.8.3",
## "type": "library",
## "name": "Rcpp",
## "version": "1.0.8.3",
## "description": "Seamless R and C++ Integration",
## "author": ["Dirk Eddelbuettel; Romain Francois; JJ Allaire; Kevin Ushey; Qiang Kou; Nathan Russell; Inaki Ucar; Douglas Bates; John Chambers"],
## "group": "",
## "licenses": ["GPL-2.0-or-later"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "4e630aeffa99a4473c5527e11a63022e9ebbcce3d8e81e91599226d8e679bcd3"
## }
## ],
## "purl": "pkg:cran/Rcpp@1.0.8.3"
## },
## {
## "bom-ref": "pkg:cran/cli@3.3.0",
## "type": "library",
## "name": "cli",
## "version": "3.3.0",
## "description": "Helpers for Developing Command Line Interfaces",
## "author": ["Gábor Csárdi"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "ef535496f34b204723389b5b3f3787f073e647d8487979fac4a40e46a71ee03e"
## }
## ],
## "purl": "pkg:cran/cli@3.3.0"
## },
## {
## "bom-ref": "pkg:cran/crayon@1.5.1",
## "type": "library",
## "name": "crayon",
## "version": "1.5.1",
## "description": "Colored Terminal Output",
## "author": ["Gábor Csárdi"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "89020e016b4b00c8e69ca40293cabb2c165c5c857ffaebb464a582ca14a92dd4"
## }
## ],
## "purl": "pkg:cran/crayon@1.5.1"
## },
## {
## "bom-ref": "pkg:cran/data.table@1.14.2",
## "type": "library",
## "name": "data.table",
## "version": "1.14.2",
## "description": "Extension of `data.frame`",
## "author": ["Matt Dowle; Arun Srinivasan"],
## "group": "",
## "licenses": ["MPL-2.0"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "829e024afe09e709dd6e91cd7fb23f3c852a86e1d221a8b59ae94e802580e816"
## }
## ],
## "purl": "pkg:cran/data.table@1.14.2"
## },
## {
## "bom-ref": "pkg:cran/ellipsis@0.3.2",
## "type": "library",
## "name": "ellipsis",
## "version": "0.3.2",
## "description": "Tools for Working with ...",
## "author": ["Hadley Wickham"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "8e454cd38fac68bd1f539c55dff960965f9e1277d25033b9ebed4bb5b737f2b0"
## }
## ],
## "purl": "pkg:cran/ellipsis@0.3.2"
## },
## {
## "bom-ref": "pkg:cran/fansi@1.0.3",
## "type": "library",
## "name": "fansi",
## "version": "1.0.3",
## "description": "ANSI Control Sequence Aware String Functions",
## "author": ["Brodie Gaslam"],
## "group": "",
## "licenses": ["GPL-2.0-or-later"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "5cc8504e8af51ae3087ae3db80294929211dac474b1e9af9060a233c08751797"
## }
## ],
## "purl": "pkg:cran/fansi@1.0.3"
## },
## {
## "bom-ref": "pkg:cran/glue@1.6.2",
## "type": "library",
## "name": "glue",
## "version": "1.6.2",
## "description": "Interpreted String Literals",
## "author": ["Jim Hester; Jennifer Bryan"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "a52e5bccfa53b11b657dbae72909ec5e8558c9afc16729da1b3cb3986d859ca9"
## }
## ],
## "purl": "pkg:cran/glue@1.6.2"
## },
## {
## "bom-ref": "pkg:cran/lifecycle@1.0.1",
## "type": "library",
## "name": "lifecycle",
## "version": "1.0.1",
## "description": "Manage the Life Cycle of your Package Functions",
## "author": ["Lionel Henry; Hadley Wickham"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "e43014decbd5cdacd4f4148168e9fd9eca570ef61944a1cd0ec037b08bdb63da"
## }
## ],
## "purl": "pkg:cran/lifecycle@1.0.1"
## },
## {
## "bom-ref": "pkg:cran/magrittr@2.0.3",
## "type": "library",
## "name": "magrittr",
## "version": "2.0.3",
## "description": "A Forward-Pipe Operator for R",
## "author": ["Stefan Milton Bache; Hadley Wickham"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "7689d86dbcbc8d419ca1868a67a7d0a7cf5a38656060b904d9dff475865d5d48"
## }
## ],
## "purl": "pkg:cran/magrittr@2.0.3"
## },
## {
## "bom-ref": "pkg:cran/pillar@1.7.0",
## "type": "library",
## "name": "pillar",
## "version": "1.7.0",
## "description": "Coloured Formatting for Columns",
## "author": ["Kirill Müller; Hadley Wickham"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "dd10c024eb6fb1d566c1fc0d91f568e4f4b96d4f1b02663cac73719f84b714a0"
## }
## ],
## "purl": "pkg:cran/pillar@1.7.0"
## },
## {
## "bom-ref": "pkg:cran/pkgconfig@2.0.3",
## "type": "library",
## "name": "pkgconfig",
## "version": "2.0.3",
## "description": "Private Configuration for 'R' Packages",
## "author": ["Gábor Csárdi"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "6584b022a7abe3bc751331b9d3929250206d79eea51b0f3d3fd2d864f8010a0a"
## }
## ],
## "purl": "pkg:cran/pkgconfig@2.0.3"
## },
## {
## "bom-ref": "pkg:cran/rlang@1.0.2",
## "type": "library",
## "name": "rlang",
## "version": "1.0.2",
## "description": "Functions for Base Types and Core R and 'Tidyverse' Features",
## "author": ["Lionel Henry; Hadley Wickham"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "707309c5df72dbdbcb54621e655aea80c093459e48ed847856a98b03723cd397"
## }
## ],
## "purl": "pkg:cran/rlang@1.0.2"
## },
## {
## "bom-ref": "pkg:cran/tibble@3.1.7",
## "type": "library",
## "name": "tibble",
## "version": "3.1.7",
## "description": "Simple Data Frames",
## "author": ["Kirill Müller; Hadley Wickham"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "953828cd034fc93f31999e965ac32540a190fbaf0cd1c6bda78396717b67daeb"
## }
## ],
## "purl": "pkg:cran/tibble@3.1.7"
## },
## {
## "bom-ref": "pkg:cran/utf8@1.2.2",
## "type": "library",
## "name": "utf8",
## "version": "1.2.2",
## "description": "Unicode Text Processing",
## "author": ["Patrick O. Perry"],
## "group": "",
## "licenses": ["Apache-2.0"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "ebbc3f862ddd35bfe86f670e171f085286f37d54dfcdad1016cd5810373f29c5"
## }
## ],
## "purl": "pkg:cran/utf8@1.2.2"
## },
## {
## "bom-ref": "pkg:cran/vctrs@0.4.1",
## "type": "library",
## "name": "vctrs",
## "version": "0.4.1",
## "description": "Vector Helpers",
## "author": ["Hadley Wickham; Lionel Henry; Davis Vaughan"],
## "group": "",
## "licenses": ["MIT"],
## "hashes": [
## {
## "alg": "SHA-256",
## "content": "407633c4a836f7a1a74618f3d2c00d6ebd80bfed6d2b645c1bb63137459a5665"
## }
## ],
## "purl": "pkg:cran/vctrs@0.4.1"
## }
## ]
## }
# Schema validation only: TRUE means the document conforms to the
# CycloneDX spec, not that the inventory is complete or that every
# component's hash has been checked against the artifact (dependency
# trees are still on the to-do list above).
validate_sbom(text=x)
## [1] TRUE
Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) |
---|---|---|---|---|---|---|---|---|
R | 5 | 0.31 | 136 | 0.38 | 23 | 0.22 | 683 | 0.47 |
YAML | 2 | 0.12 | 35 | 0.10 | 10 | 0.09 | 2 | 0.00 |
Rmd | 1 | 0.06 | 10 | 0.03 | 20 | 0.19 | 42 | 0.03 |
SUM | 8 | 0.50 | 181 | 0.50 | 53 | 0.50 | 727 | 0.50 |
clock Package Metrics for sbom
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.