CLI Usage

Run the CLI

Run the CLI to create the SBOM and upload its contents to the SBOM360 portal. All generated SBOMs are visible on the projects page of the SBOM360 portal. SBOM generation can take anywhere from a few seconds to hours: the CLI performs n-level metadata collection for each component in your project, its direct dependencies and its transitive dependencies.

# Run the commands as a regular user
# Go inside the directory where CLI is extracted
user@host:~$ cd veecli
# Run the CLI using the “input.json” configured in the previous step
user@host:~$ ./veecli collect --inputfile input.json --output output
2022-07-07T14:18:15.584+0300 info Starting data collection
2022-07-07T14:18:16.924+0300 info SBOM created for project acme and version 2.10.5 with project id - ***, sbom id - SPDXRef-DOCUMENT-vdna_*****, sbom job id - SPDXRef-DOCUMENT-vdna_****
..
..
..
2022-07-07T14:18:16.934+0300 info Successfully uploaded archive of collection artifacts - output/acme/acme-SPDXRef-DOCUMENT-vdna_******.tar.gz
2022-07-07T14:18:16.934+0300 info Successfully completed data collection

Ensure that the “output” folder has 100 GB of free space.

Depending on the size of the source, the package and the number of dependencies discovered, the CLI may run for a while. It is recommended to run the CLI inside a “screen” or “tmux” session so that an interruption of the user session does not break the CLI run.

The CLI writes a log file in JSON format, named “veelocal.log”, in the current folder.

Users can additionally redirect the CLI output to another log file. The recommended command is “./veecli collect --inputfile input.json --output output 2>&1 | tee output.log”.

Create input.json

To run the CLI, create an input.json with all the project, source, and package information.

Generating SBOM from source code

The Lineaje CLI can be run with the command below. The CLI decomposes the source code locally and then uploads only the metadata to the Lineaje backend. The metadata includes package information such as package name, version and checksum, and source code information such as URL, version, commits and timezone.

./veecli collect --inputfile <input.json> --output <output_path>

Open Source examples of input.json

Maven project
{
  "project": "maven project",
  "version": "0.9.125",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/cloudera/cdp-sdk-java",
        "matchingref": "0.9.125",
        "type": "github"
      }
    }
  ]
}

Gradle project
{
  "project": "gradle project",
  "version": "parent-4.12.0",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/square/okhttp",
        "matchingref": "parent-4.12.0",
        "type": "github"
      }
    }
  ]
}

Python project
{
  "project": "pypi project",
  "version": "v1.9.2",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/aio-libs/yarl",
        "matchingref": "v1.9.2",
        "type": "github"
      }
    }
  ]
}

go-lang project
{
  "project": "golang project",
  "version": "v0.10.0",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/charmbracelet/lipgloss.git",
        "matchingref": "v0.10.0",
        "type": "github"
      }
    }
  ]
}

NPM project
{
  "project": "npm project",
  "version": "v8.4.0",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/bevry/cson",
        "type": "github",
        "matchingref": "v8.4.0"
      }
    }
  ]
}

Rust project
{
  "project": "rust project",
  "version": "v0.2.7",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/redcanaryco/oxidebpf",
        "matchingref": "v0.2.7",
        "type": "github"
      }
    }
  ]
}

Ruby project
{
  "project": "ruby project",
  "version": "v3.4.2",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/rails/sprockets-rails",
        "type": "github",
        "matchingref": "v3.4.2"
      }
    }
  ]
}

Nuget project
{
  "schema": "1.0",
  "project": "sanity project",
  "version": "13.0.1",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/JamesNK/Newtonsoft.Json",
        "type": "github",
        "matchingref": "13.0.1"
      }
    }
  ]
}

Private source example of input.json

{
  "project": "<private-repo-name>",
  "version": "<branch/tag/commit-id>",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "<github/gitlab/bitbucket/git>",
  "inputs": [
    {
      "src_info": {
        "srcurl": "<private repo url>",
        "matchingref": "<branch/tag/commit-id>",
        "type": "<github/gitlab/bitbucket/git>"
      }
    }
  ],
  "repository_access_configs": [
    {
      "path": "<private repo url>",
      "type": "<github/gitlab/bitbucket/git>",
      "user_name": "<user-name>",
      "token": "<auth-token>"
    }
  ]
}

A sample Bitbucket private repo
{
  "project": "curl-private-1",
  "version": "main",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://bitbucket.org/1234/curl-private",
        "matchingref": "main",
        "type": "bitbucket"
      }
    }
  ],
  "repository_access_configs": [
    {
      "path": "https://bitbucket.org/1234/curl-private",
      "type": "bitbucket",
      "user_name": "x-token-auth",
      "token": "1234567890"
    }
  ]
}
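As an added example (not part of the Lineaje CLI or this page), the following Python script builds the private-repository input.json shown above, takes the auth token from an environment variable (assumed name REPO_TOKEN) instead of a hand-edited file, checks the keys the templates use, and writes the file with owner-only permissions since it carries the token. The function names and the environment variable are assumptions.

```python
import json
import os

# Added example, not Lineaje's code: generate and sanity-check the private-repo
# input.json from this page; the token comes from the REPO_TOKEN env var (assumed).
SCM_TYPES = ("github", "gitlab", "bitbucket", "git")


def build_private_input(project, ref, srcurl, scm_type, user_name, env=os.environ, token_env="REPO_TOKEN"):
    """Return the input.json document (as a dict) for one private repository."""
    token = env.get(token_env)
    if not token:
        raise RuntimeError(f"set {token_env} before generating input.json")
    return {
        "project": project,
        "version": ref,
        "exclude_test_dependency": True,
        "exclude_optional_dependency": True,
        "use_native_tools": True,
        "inputtype": scm_type,
        "inputs": [{"src_info": {"srcurl": srcurl, "matchingref": ref, "type": scm_type}}],
        "repository_access_configs": [
            {"path": srcurl, "type": scm_type, "user_name": user_name, "token": token}
        ],
    }


def validate_input(cfg):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = [f"missing top-level key {k!r}" for k in ("project", "version", "inputs") if k not in cfg]
    access_paths = {a.get("path") for a in cfg.get("repository_access_configs", [])}
    for i, entry in enumerate(cfg.get("inputs", [])):
        src = entry.get("src_info", {})
        for key in ("srcurl", "matchingref", "type"):
            if key not in src:
                problems.append(f"inputs[{i}].src_info missing {key!r}")
        if src.get("type") not in SCM_TYPES:
            problems.append(f"inputs[{i}].src_info.type must be one of {SCM_TYPES}")
        if str(src.get("srcurl", "")).startswith("<"):
            problems.append(f"inputs[{i}].src_info.srcurl is still a template placeholder")
        if access_paths and src.get("srcurl") not in access_paths:
            problems.append(f"no repository_access_configs entry for {src.get('srcurl')}")
    return problems


def write_input_json(cfg, path):
    """Write with owner-only permissions (0600), since the file carries the auth token."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh, indent=2)
    return path
```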

Generating SBOM from image

For an open source container image, the Lineaje CLI can be invoked with the following command. The example below uses alpine:3.18.0 from Docker Hub.

Open Source image example

./veecli upload --type image-source --input registry:docker.io/library/alpine:3.18.0 --name alpine --version 3.18.0

Private image example

export LINEAJE_REGISTRY_AUTH_USERNAME=<docker-login-username>
export LINEAJE_REGISTRY_AUTH_PASSWORD=<docker-login-password>
 
./veecli upload --type image-source --input registry:<repourl>:<tag> --name <project_name> --version <version>
