generate command
The generate command creates comprehensive SBOMs that cover all installed software packages and their relationships: the binary packages themselves, the source packages they were built from, and their built-using dependencies. The resulting SBOMs are designed to serve as reliable input for vulnerability management systems and license compliance checks.
Note
This command can be executed in an air-gapped environment: it reads only the local dpkg status file and apt cache below the selected root directory and does not require network access.
Generate SBOMs from the dpkg package list
usage: debsbom generate [-h] [-t {cdx,spdx}] [-r ROOT] [-o OUT]
                        [--distro-name DISTRO_NAME]
                        [--distro-supplier DISTRO_SUPPLIER]
                        [--distro-version DISTRO_VERSION]
                        [--base-distro-vendor {debian,ubuntu}]
                        [--cdx-standard {default,standard-bom}]
                        [--spdx-namespace SPDX_NAMESPACE]
                        [--cdx-serialnumber CDX_SERIALNUMBER]
                        [--timestamp TIMESTAMP] [--validate] [--from-pkglist]
Named Arguments
- -t, --sbom-type
  Possible choices: cdx, spdx
  SBOM type to generate; can be passed multiple times (default: all)
- -r, --root
  root directory in which to look for the dpkg status file and apt cache
  Default: '/'
- -o, --out
  filename for the output. Use '-' to write to stdout
  Default: 'sbom'
- --distro-name
  distribution name
  Default: 'Debian'
- --distro-supplier
  supplier for the root component
- --distro-version
  version for the root component
- --base-distro-vendor
  Possible choices: debian, ubuntu
  vendor of the Debian-based distribution (debian or ubuntu)
  Default: 'debian'
- --cdx-standard
  Possible choices: default, standard-bom
  generate the SBOM according to this spec (only for CDX)
  Default: 'default'
- --spdx-namespace
  document namespace; must be a valid URI (only for SPDX)
- --cdx-serialnumber
  document serial number; must be a UUID in 8-4-4-4-12 format (only for CDX)
- --timestamp
  document timestamp in ISO 8601 format
- --validate
  validate the generated SBOM (only for SPDX)
  Default: False
- --from-pkglist
  create the SBOM from a package list passed via stdin
  Default: False
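As an added example (not part of debsbom itself), the following POSIX shell wrapper shows how the options above fit together for an offline run against a mounted root filesystem: it checks that the root actually contains a dpkg status file, validates the CycloneDX serial number against the 8-4-4-4-12 UUID form and the timestamp against the UTC ISO 8601 form, and only then builds the debsbom generate command line. The mount point (ROOTFS), the output basename, and the exact ISO 8601 subset accepted by --timestamp are assumptions made for this example, not facts stated by the page.

```shell
#!/bin/sh
# Added example: a wrapper for running `debsbom generate` on an air-gapped
# rootfs. Not debsbom's own code; debsbom's option names come from the
# usage text above, everything else here is an assumption for illustration.

# --cdx-serialnumber must be a UUID in 8-4-4-4-12 hex form.
is_uuid() {
    printf '%s' "$1" | grep -Eq \
        '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# --timestamp must be ISO 8601. This check accepts the UTC form produced by
# `date -u +%Y-%m-%dT%H:%M:%SZ` (plus a numeric offset); which other ISO 8601
# variants debsbom itself accepts is not documented here (assumption).
is_iso8601() {
    printf '%s' "$1" | grep -Eq \
        '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(Z|[+-][0-9]{2}:[0-9]{2})?$'
}

# -r ROOT is only useful if the dpkg database exists below it; fail early
# instead of producing an empty SBOM from a wrong or unmounted root.
has_dpkg_status() {
    [ -f "$1/var/lib/dpkg/status" ]
}

# Print the debsbom command line for ROOT, OUT basename, serial number and
# timestamp. Prints nothing and returns 1 if any argument fails validation.
# Both SBOM types are requested; --validate applies to the SPDX document only.
build_generate_cmd() {
    root=$1; out=$2; serial=$3; stamp=$4
    has_dpkg_status "$root" || { echo "no dpkg status file under $root" >&2; return 1; }
    is_uuid "$serial"       || { echo "not an 8-4-4-4-12 UUID: $serial" >&2; return 1; }
    is_iso8601 "$stamp"     || { echo "not an ISO 8601 timestamp: $stamp" >&2; return 1; }
    printf 'debsbom generate -t spdx -t cdx -r %s -o %s --cdx-serialnumber %s --timestamp %s --validate\n' \
        "$root" "$out" "$serial" "$stamp"
}

# Stand-alone use: ROOTFS (assumed mount point), CDX_SERIAL and SBOM_TIMESTAMP
# may be preset so that repeated runs yield comparable documents; otherwise a
# fresh UUID and the current UTC time are used. Runs only if debsbom exists.
if command -v debsbom >/dev/null 2>&1; then
    ROOTFS=${ROOTFS:-/mnt/rootfs}
    CDX_SERIAL=${CDX_SERIAL:-$(cat /proc/sys/kernel/random/uuid)}
    SBOM_TIMESTAMP=${SBOM_TIMESTAMP:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    if cmd=$(build_generate_cmd "$ROOTFS" sbom "$CDX_SERIAL" "$SBOM_TIMESTAMP"); then
        echo "running: $cmd"
        $cmd
    fi
fi
```

Pinning the serial number and timestamp through the environment is what makes two runs over the same rootfs directly diffable; letting them vary means every generated document differs in at least those two fields even when the package set is unchanged.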