CLI Usage

Run the CLI

Run the CLI to create the SBOM and upload its contents to the SBOM360 portal. All generated SBOMs are visible on the projects page of the SBOM360 portal. SBOM generation can take anywhere from a few seconds to hours. The CLI performs "n"-level metadata collection for each component in your project, its direct dependencies, and its transitive dependencies.

# Run the commands as a regular user
# Go inside the directory where CLI is extracted
ubuntu@ip-a.b.c.d:~$ cd veecli
# Run the CLI using the “input.json” configured in the previous step
ubuntu@ip-a.b.c.d:~$ ./veecli collect --inputfile input.json --output output
2022-07-07T14:18:15.584+0300 info Starting data collection
2022-07-07T14:18:16.924+0300 info SBOM created for project acme and version 2.10.5 
with project id - ***, sbom id - SPDXRef-DOCUMENT-vdna_*****, sbom job id -
SPDXRef-DOCUMENT-vdna_****
..
..
..
2022-07-07T14:18:16.934+0300 info Successfully uploaded archive of collection 
artifacts – output/acme/acme-SPDXRef-DOCUMENT-vdna_******.tar.gz
2022-07-07T14:18:16.934+0300 info Successfully completed data collection

Ensure that the “output” folder has 100 GB of free space.

Depending on the size of the source, the package, and the number of dependencies discovered, the CLI may run for a while. It is recommended to run the CLI inside a “screen” or “tmux” session so that an interruption in the user session does not break the CLI run.

The CLI creates a JSON-format log file named “veelocal.log” in the current folder.

You can additionally redirect the CLI output to another log file. The recommended command is:

./veecli collect --inputfile input.json --output output 2>&1 | tee output.log

Create input.json

To run the CLI, create an input.json with all the project, source, and package information.

Generating SBOM from source code

The Lineaje CLI can be run using the command below. The CLI decomposes the source code locally and then uploads only the metadata to the Lineaje backend. The metadata includes package info such as package name, version, checksum, etc., and source code info such as URL, version, commits, timezone, etc.

./veecli collect --inputfile <input.json> --output <output_path>

Open Source examples of input.json

Maven project
{
  "project": "maven project",
  "version": "0.9.125",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/cloudera/cdp-sdk-java",
        "matchingref": "0.9.125",
        "type": "github"
      }
    }
  ]
}

Gradle project
{
  "project": "gradle project",
  "version": "parent-4.12.0",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/square/okhttp",
        "matchingref": "parent-4.12.0",
        "type": "github"
      }
    }
  ]
}

Python project
{
  "project": "pypi project",
  "version": "v1.9.2",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/aio-libs/yarl",
        "matchingref": "v1.9.2",
        "type": "github"
      }
    }
  ]
}

Golang project
{
  "project": "golang project",
  "version": "v0.10.0",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/charmbracelet/lipgloss.git",
        "matchingref": "v0.10.0",
        "type": "github"
      }
    }
  ]
}

NPM project
{
  "project": "npm project",
  "version": "v8.4.0",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/bevry/cson",
        "type": "github",
        "matchingref": "v8.4.0"
      }
    }
  ]
}

Rust project
{
  "project": "rust project",
  "version": "v0.2.7",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/redcanaryco/oxidebpf",
        "matchingref": "v0.2.7",
        "type": "github"
      }
    }
  ]
}

Ruby project
{
  "project": "ruby project",
  "version": "v3.4.2",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/rails/sprockets-rails",
        "type": "github",
        "matchingref": "v3.4.2"
      }
    }
  ]
}

Nuget project
{
  "schema": "1.0",
  "project": "sanity project",
  "version": "13.0.1",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://github.com/JamesNK/Newtonsoft.Json",
        "type": "github",
        "matchingref": "13.0.1"
      }
    }
  ]
}

Private source example of input.json

{
  "project": "<private-repo-name>",
  "version": "<branch/tag/commit-id>",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "<github/gitlab/bitbucket/git>",
  "inputs": [
    {
      "src_info": {
        "srcurl": "<private repo url>",
        "matchingref": "<branch/tag/commit-id>",
        "type": "<github/gitlab/bitbucket/git>"
      }
    }
  ],
  "repository_access_configs": [
    {
      "path": "<private repo url>",
      "type": "<github/gitlab/bitbucket/git>",
      "user_name": "<user-name>",
      "token": "<auth-token>"
    }
  ]
}

A sample Bitbucket private repo
{
  "project": "curl-private-1",
  "version": "main",
  "exclude_test_dependency": true,
  "exclude_optional_dependency": true,
  "use_native_tools": true,
  "inputtype": "github",
  "inputs": [
    {
      "src_info": {
        "srcurl": "https://bitbucket.org/1234/curl-private",
        "matchingref": "main",
        "type": "bitbucket"
      }
    }
  ],
  "repository_access_configs": [
    {
      "path": "https://bitbucket.org/1234/curl-private",
      "type": "bitbucket",
      "user_name": "x-token-auth",
      "token": "1234567890"
    }
  ]
}
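
The private-source layout above stores the access token in input.json in plain text. As an added example (not Lineaje's own code), this Python script fills that layout from environment variables and writes the file with owner-only permissions; the variable names SCM_USER and SCM_TOKEN, both function names, and setting "inputtype" to the same value as "type" (as in the generic template) are assumptions of this example.

```python
import json
import os
import stat

# Assumed environment variable names for this example (not defined by Lineaje).
USER_ENV = "SCM_USER"
TOKEN_ENV = "SCM_TOKEN"


def build_private_input(project, ref, repo_url, repo_type, env=os.environ):
    """Return an input.json dict in the private-source layout shown above."""
    missing = [name for name in (USER_ENV, TOKEN_ENV) if not env.get(name)]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    return {
        "project": project,
        "version": ref,
        "exclude_test_dependency": True,
        "exclude_optional_dependency": True,
        "use_native_tools": True,
        "inputtype": repo_type,  # assumption: same value as "type", per the template
        "inputs": [{"src_info": {"srcurl": repo_url, "matchingref": ref,
                                 "type": repo_type}}],
        "repository_access_configs": [{"path": repo_url, "type": repo_type,
                                       "user_name": env[USER_ENV],
                                       "token": env[TOKEN_ENV]}],
    }


def write_owner_only(config, path):
    """Write config as JSON with mode 0600 and return the resulting file mode."""
    if os.path.lexists(path):
        os.remove(path)  # drop any older copy that may have looser permissions
    # O_EXCL: fail rather than reuse a file or symlink created in the meantime.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(config, handle, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample values; export SCM_USER and SCM_TOKEN before running.
    cfg = build_private_input("curl-private-1", "main",
                              "https://bitbucket.org/1234/curl-private", "bitbucket")
    print(oct(write_owner_only(cfg, "input.json")))
```

Generate the file immediately before the veecli run, keep it out of version control, and delete it once the collection has finished.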

Generating SBOM from image

For an open source container image, the Lineaje CLI can be invoked with the following command. The example below uses alpine:3.18.0 from Docker Hub.

Open Source image example

./veecli upload --type image-source --input registry:docker.io/library/alpine:3.18.0 --name alpine --version 3.18.0

Private image example

export LINEAJE_REGISTRY_AUTH_USERNAME=<docker-login-username>
export LINEAJE_REGISTRY_AUTH_PASSWORD=<docker-login-password>
 
./veecli upload --type image-source --input registry:<repourl>:<tag> --name <project_name> --version <version>

Last updated 1 month ago