Creating standard inventories for Ubuntu systems

Here’s a tool to create standard SBOMs from Ubuntu distribution information.

Subject of Cybercrime

As I’ve previously mentioned on this blog, software bills of materials (SBOMs) are software ingredient lists similar to what you would find on a can of soup. The purpose of these lists is to determine if something bad is in the mix, so that administrators can figure out where their risks are. This is why President Biden’s Executive Order from last May specifically called them out.

Here now is a tool that I’ve just posted to pypi called apt2sbom. This tool is specific to Ubuntu. Similar tools can be built for other distributions. This tool will take the already existing information on a Ubuntu system and collect it into one of the standard formats, such as SPDX or CycloneDX.

% pip3 install apt2sbom
[...]
% apt2sbom -h

usage: apt2sbom [-h] (-j | -y | -c) [-p]

generate SPDX file from APT inventory

optional arguments:
  -h, --help       show this help message and exit
  -j, --json       Generate JSON SPDX output
  -y, --yaml       Generate YAML SPDX output
  -c, --cyclonedx  Generate CycloneDX JSON output
  -p, --pip        Include PIP files

The resulting file is then suitable for import into tooling that can spot vulnerabilities in particular versions of software.

The package is a little on the early side. There might still be a few bugs here or there. If you find one, just post it to the source repository as an issue.

Would this be considered a complete SBOM? Probably not, because there may be software installed on a system that is not part of either the apt or python distributions. However, it’s fairly easy to add additional elements into these files, particular the JSON ones.