Metadata-Version: 2.4
Name: debsbom
Version: 0.7.1
Summary: Generate SBOMs for Debian-based distributions.
Author-email: Christoph Steiger <christoph.steiger@siemens.com>
Maintainer-email: Christoph Steiger <christoph.steiger@siemens.com>, Felix Moessbauer <felix.moessbauer@siemens.com>
License-Expression: MIT
Project-URL: Homepage, https://github.com/siemens/debsbom
Project-URL: Repository, https://github.com/siemens/debsbom.git
Classifier: Intended Audience :: Developers
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: System :: Operating System Kernels :: Linux
Classifier: Topic :: Utilities
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: packageurl-python>=0.16.0
Requires-Dist: python-debian>=0.1.49
Requires-Dist: license-expression>=30
Provides-Extra: dev
Requires-Dist: black; extra == "dev"
Requires-Dist: debsbom[cdx]; extra == "dev"
Requires-Dist: debsbom[mindev]; extra == "dev"
Requires-Dist: debsbom[spdx]; extra == "dev"
Requires-Dist: pytest-cov>=6; extra == "dev"
Requires-Dist: shtab; extra == "dev"
Provides-Extra: mindev
Requires-Dist: beartype>=0.20; extra == "mindev"
Requires-Dist: debsbom[doc]; extra == "mindev"
Requires-Dist: debsbom[download]; extra == "mindev"
Requires-Dist: debsbom[tracepath]; extra == "mindev"
Requires-Dist: jsonschema>=3.2; extra == "mindev"
Requires-Dist: lz4; extra == "mindev"
Requires-Dist: pytest>=6.0; extra == "mindev"
Provides-Extra: cdx
Requires-Dist: cyclonedx-python-lib>=9.0.0; extra == "cdx"
Provides-Extra: spdx
Requires-Dist: spdx-tools>=0.8.3; extra == "spdx"
Provides-Extra: tracepath
Requires-Dist: networkx>=2.8.0; extra == "tracepath"
Provides-Extra: download
Requires-Dist: requests>=2.25.1; extra == "download"
Requires-Dist: zstandard>=0.20; extra == "download"
Provides-Extra: apt
Requires-Dist: python3-apt>=2.6.0; extra == "apt"
Provides-Extra: doc
Requires-Dist: sphinx-argparse>=0.2.1; extra == "doc"
Requires-Dist: sphinx-autodoc-typehints>=2.0.0; extra == "doc"
Requires-Dist: sphinx-rtd-theme>=2.0.0; extra == "doc"
Requires-Dist: sphinx>=7; extra == "doc"
Dynamic: license-file

[![Tests](https://github.com/siemens/debsbom/actions/workflows/test.yml/badge.svg)](https://github.com/siemens/debsbom/actions/workflows/test.yml)
[![Documentation](https://github.com/siemens/debsbom/actions/workflows/docs.yml/badge.svg)](https://siemens.github.io/debsbom)

# debsbom - SBOM generator for Debian-based distributions

`debsbom` generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats [SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).

The generated SBOM includes all installed binary packages and also contains [Debian Source packages](https://www.debian.org/doc/debian-policy/ch-source.html).

Source packages are especially relevant for security as CVEs in the Debian ecosystem are filed not against the installed binary packages, but source packages. The names of source and binary packages must not always be the same, and in some cases a single source package builds a number of binary packages.

`debsbom` also provides a complete dependency graph for the analyzed system. This graph is useful for identification of crucial components in your distribution, or to identify which package pulled in vulnerabilites with its dependencies.

## Usage

Please refer to the [debsbom documentation](https://siemens.github.io/debsbom/).

```
usage: debsbom [-h] [--version] [-v] [--progress | --json] {delta,download,export,filter,generate,merge,repack,source-merge,trace-path} ...

SBOM tool for Debian systems.

positional arguments:
  {delta,download,export,filter,generate,merge,repack,source-merge,trace-path}
                        sub command help
    delta               list components added in target SBOM
    download            download referenced packages
    export              export SBOM as graph
    filter              filter SBOM by sources or binaries
    generate            generate a SBOM for a Debian system
    merge               merge multiple SBOMs
    repack              repack sources and sbom
    source-merge        merge referenced source packages
    trace-path          trace path between components

options:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -v, --verbose         be more verbose
  --progress            report progress
  --json                make output machine readable
```

## Scope of the tool

The primary goal is to generate Software Bills of Materials (SBOMs) for Debian-based systems, focusing on security and license clearing requirements.
The `generate` command operates entirely offline, making it suitable for use in air-gapped networks or environments where internet connectivity is restricted.

### Goals

The `generate` command creates comprehensive SBOMs that include all installed software packages and their dependencies (binary, source package and
`built-using`[[1]](https://www.debian.org/doc/debian-policy/ch-relationships.html#s-built-using)).
These SBOM outputs are designed to serve as reliable input for vulnerability management systems and license compliance checks.

The tool provides auxiliary commands for package source retrieval. These enable users to:
1. Retrieve packages from Debian's upstream repositories and report missing packages.
2. Convert the multi-archive source packages into a single artifact (one archive per source package)

At its core, this tool was designed to fulfill these SBOM generation requirements while maintaining:
1. A minimal dependency footprint: avoid huge dependency graph of external software ecosystems (like Go or Rust)
2. Strict focus on Debian-specific package formats
3. Clear separation between binary packages and their corresponding source packages
4. Use official SPDX / CycloneDX libraries to ensure syntactic and semantic correctness

### Non Goals

- License and copyright text extraction from source packages
- Real-time vulnerability database integration
- Signing and attestation of generated artifacts

## Package Relations

A Debian distribution is composed of source packages and binary packages.
Binary packages are installed into the root filesystem, while the source packages are the originals from which those binaries are built.

Some binary packages are installed explicitly by the user; others appear automatically as dependencies of the explicitly‑installed packages.
The SBOM mirrors this relationship, using the `distro-package` entry as the single central node for traversing the package graph.

```
distro-package
├─ binary-package-foo
├─── source-package-foo
├─── binary-dep-of-foo
├─ binary-package-bar
├─── source-package-bar
└─── binary-dep-of-bar
```

### Source-Binary

To differentiate binary and source packages in the SBOM a different approach for each SBOM standard is required.

#### CycloneDX

In the CDX format it is currently not possible to mark a component as a source package. There is an ongoing discussion [[2]](https://github.com/CycloneDX/specification/issues/612) which, while looking promising, will not land in the standard for quite some time. In the meantime source packages can only be identified by their PURL by looking at the `arch=source` qualifier. The relationships between a binary and its source package is done with a simple dependency.

#### SPDX

We differentiate a source package by setting `"primaryPackagePurpose": "SOURCE"` as opposed to `LIBRARY` for binary packages. Their relationship is expressed with the `GENERATES` relation. For packages that are marked as `Built-Using` in the dpkg status file, we use the `GENERATED_FROM` relation. This expresses the same semantic in SPDX, but this way it can still be identified if it is a proper source/binary relationship or a built-using one.

## Limitations

### Vendor Packages

Vendor packages are currently not identified. Identifying them is important to emit the correct PURL. Right now we make no difference between vendor and official packages. That means we emit potentially incorrect PURLs for vendor packages.

Reliably and correctly identifying if a package is a vendor package or not is non-trivial without access to the internet. For this reason we do not attempt it. If you have vendor packages in your distribution we assume you know them, and if not you can identify them in postprocessing. A simple way is to use `debsbom download` and look for any packages that failed to download, or whose checksums do not match.

## Maintainer GPG Fingerprints

All release tags since v0.7.0 are signed by either one of these keys:

- Christoph Steiger <christoph.steiger@siemens.com> 697D7C50105888561F3DA813FD19209BD779F314
- Felix Mößbauer <felix.moessbauer@siemens.com> 3785ED68D0F83B7BD7D23D7FE1136CEB2754A0BD
