Man page - debsbom(1)

Packages contains this manual

Package: debsbom
apt-get install debsbom

Manuals in package:

Documentations in package:

debsbom

Manual

DEBSBOM

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
SUB-COMMANDS
EXAMPLES
Generate
Local System
Container Rootfs using Podman
From Package List
Download
Merge Source Packages
Repack Artifacts
Compare SBOMs
Locate Changes
Identify new Components
Delta SBOMs
Export as Graph
Merging multiple SBOMs
License-Clearing Workflow
SEE ALSO
DEBSBOM
AUTHOR
COPYRIGHT

NAME

debsbom - a SBOM tool for Debian

SYNOPSIS

debsbom [-h] [--version] [-v] [--progress | --json]
[--print-completion {bash,zsh,tcsh}]
{generate,merge,download,source-merge,repack,export,delta,trace-path,filter} ...

DESCRIPTION

SBOM tool for Debian systems.

debsbom generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats SPDX and CycloneDX .

The generated SBOM includes all installed binary packages and also contains Debian Source packages .

Source packages are especially relevant for security as CVEs in the Debian ecosystem are filed not against the installed binary packages, but source packages. The names of source and binary packages must not always be the same, and in some cases a single source package builds a number of binary packages.

OPTIONS

Positional Arguments

cmd

sub command help

Possible choices: generate, merge, download, source-merge, repack, export, delta, trace-path, filter

Named Arguments
--version

show program's version number and exit

-v=0 , --verbose=0

be more verbose

--progress=False

report progress

--json=False

make output machine readable

--print-completion

print shell completion script

Possible choices: bash, zsh, tcsh

SUB-COMMANDS

debsbom generate [-h] [-o OUT] [--distro-name DISTRO_NAME]

[--distro-supplier DISTRO_SUPPLIER]
[--distro-version DISTRO_VERSION]
[--base-distro-vendor {debian,ubuntu}]
[--cdx-standard {default,standard-bom}]
[--spdx-namespace SPDX_NAMESPACE]
[--cdx-serialnumber CDX_SERIALNUMBER] [--timestamp TIMESTAMP]
[--add-meta-data key=value] [--validate] [-t {cdx,spdx}]
[-r ROOT] [--from-pkglist] [--distro-arch DISTRO_ARCH]
[--with-licenses] generate a SBOM for a Debian system

debsbom merge [-h] [-o OUT] [--distro-name DISTRO_NAME]

[--distro-supplier DISTRO_SUPPLIER]
[--distro-version DISTRO_VERSION]
[--base-distro-vendor {debian,ubuntu}]
[--cdx-standard {default,standard-bom}]
[--spdx-namespace SPDX_NAMESPACE]
[--cdx-serialnumber CDX_SERIALNUMBER] [--timestamp TIMESTAMP]
[--add-meta-data key=value] [--validate] [-t {cdx,spdx}]
[--omit-roots]
sboms [sboms ...] merge multiple SBOMs

debsbom download [-h] [-t {cdx,spdx}] [--outdir OUTDIR] [--sources]

[--binaries] [--skip-pkgs SKIP]
[--resolver {debian-snapshot}]
[bomin] download referenced packages

debsbom source-merge [-h] [-t {cdx,spdx}]

[--compress {no,bzip2,gzip,xz,zstd,lz4}]
[--apply-patches] [--mtime MTIME] [--pkgdir PKGDIR]
[--outdir OUTDIR]
[bomin] merge referenced source packages

debsbom repack [-h] [-t {cdx,spdx}] [--compress
{no,bzip2,gzip,xz,zstd,lz4}]

[--apply-patches] [--mtime MTIME] [--dldir DLDIR]
[--outdir OUTDIR]
[--format {standard-bom,standard-bom-package}] [--copy]
[--validate] [--sources] [--binaries]
bomin bomout repack sources and sbom

debsbom export [-h] [-t {cdx,spdx}] [--format {graphml}] [bomin] [out]

export SBOM as graph

debsbom delta [-h] [-o OUT] [--distro-name DISTRO_NAME]

[--distro-supplier DISTRO_SUPPLIER]
[--distro-version DISTRO_VERSION]
[--base-distro-vendor {debian,ubuntu}]
[--cdx-standard {default,standard-bom}]
[--spdx-namespace SPDX_NAMESPACE]
[--cdx-serialnumber CDX_SERIALNUMBER] [--timestamp TIMESTAMP]
[--add-meta-data key=value] [--validate] [-t {cdx,spdx}]
base_sbom target_sbom list components changed in target SBOM

debsbom trace-path [-h] [-t {cdx,spdx}] [--format {text,json,ref,dot}]

[--mode {shortest,all-shortest,all}]
[bomin] source trace path between components

debsbom filter [-h] [-t {cdx,spdx}] [--sources] [--binaries]
[--validate]

bomin bomout filter SBOM by sources or binaries

EXAMPLES

The following examples are based on common use-cases.

Generate

Generation happens fully offline and can run against an arbitrary root directory.

Local System

Generate a CycloneDX SBOM of the current system.

debsbom --progress generate -t cdx -o sbom
# output in sbom.cdx.json

Container Rootfs using Podman

Create the SBOM of a rootless example container. The debsbom tool hereby is used from the host (e.g. from a Python venv).

CRT=$(podman create debian:bookworm)
CHROOT=$(podman unshare podman mount $CRT)
podman unshare debsbom generate -t spdx --root $CHROOT

From Package List

Create the SBOM from a package list. The so provided packages will still be enriched with any available data from the apt cache.

It further is possible to inject a dpkg status file via stdin (e.g. if you only have that file). The data is then also resolved from the apt-cache (if available), but this usually only makes sense if you don't have a chroot and want to create the sbom just from the data in the file.

cat path/to/dpkg/status | debsbom generate --from-pkglist

Download

Lookup all packages on the snapshot.debian.org mirror and download all binary and source artifacts referenced in an SBOM:

debsbom --progress \
download --outdir downloads --sources --binaries sbom.cdx.json
find downloads -mindepth 1 -maxdepth 1
# downloads/.cache <- debsbom metadata to map packages to artifacts
# downloads/sources <- files related to source packages (e.g. .dsc, .orig.tar)
# downloads/binaries <- .deb files

It is also possible to download multiple packages by name, version and architecture:

cat <<EOF | debsbom download --binaries --sources
cpp 4:12.2.0-3 amd64
guestfs-tools 1.52.3-1 source
EOF

Alternatively, the download can be executed from the container image:

echo "guestfs-tools 1.52.3-1 source" | \
docker run -v$(pwd)/downloads:/mnt/downloads -i ghcr.io/siemens/debsbom:latest \
debsbom download --outdir /mnt/downloads --sources

Merge Source Packages

Debian source packages consist of a .dsc file along with one or more related artifacts. The source-merge command takes care of merging all referenced artifacts of a debian source package into a single archive. All referenced files have to be downloaded upfront, by using the download command .

NOTE:

Internally, the dpkg-source command from the dpkg-dev package is used to perform the merge.

The following example merges all debian source packages referenced in the sbom.cdx.json , applies the debian patches and compresses the new artifacts with ZStandard.

debsbom --progress \
source-merge \
--compress zstd \
--apply-patches \
sbom.cdx.json

Repack Artifacts

The repack command is similar to the source-merge command but performs additional steps to re-layout the downloaded artifacts and recreate the SBOM. The following example generates a standard-bom-package source distribution archive.

debsbom --progress repack \
--dldir downloads \
--outdir source-archive \
--compress zstd \
--apply-patches \
--validate \
sbom.cdx.json sbom.packed.cdx.json

It further is possible to only repack (and update in the SBOM) a subset of packages. For that, provide both an SBOM, as well as a set of "to-be-processed" packages via stdin.

echo "bash 5.2.37-2 source" | debsbom -v repack sbom-in.json sbom-out.json

Compare SBOMs

The SBOMs produced by debsbom can be further processed with existing tools – for example, the CycloneDX CLI . Comparing two SBOMs directly is outside the scope of debsbom , but you can determine which components have changed by using a short snippet such as the one shown below.

Locate Changes

cyclonedx-cli diff --component-versions --output-format json \
sbom.old.cdx.json sbom.cdx.json | \
jq -r '.componentVersions[] | select(.added!=[] or .removed!=[]) | {"added": .added[0].purl, "removed": .removed[0].purl}'
# {"added", "purl-a-1.1", "removed": "purl-a-1.0"}
# {...}

A similar output can be generated by just using jq and diff :

diff --color \
<(jq -r --sort-keys '.components[].purl' sbom.old.cdx.json) \
<(jq -r --sort-keys '.components[].purl' sbom.cdx.json)

Identify new Components

Consider you only want to know the changed and added components, e.g. for license clearing.

PURLS=$( \
diff -U0 \
<(jq -r --sort-keys '.components[].purl' sbom.old.cdx.json) \
<(jq -r --sort-keys '.components[].purl' sbom.cdx.json) \
| grep ˆ+pkg | sed 's/ˆ+//' \
)

The PURLs can be used as input to debsbom to download / merge components:

echo "$PURLS" | debsbom download --sources --binaries

Once downloaded, it is possible to merge the source packages:

echo "$PURLS" | debsbom source-merge --apply-patches

And the same list of packages can be repacked:

echo "$PURLS" | debsbom repack \
--apply-patches
sbom.cdx.json \
sbom.cdx.repacked.json

Delta SBOMs

The delta command compares a base (reference) SBOM with a target (new) SBOM and produces a new SBOM containing only the components present in the target. The typical use-case is identifying newly added or changed components between two builds or releases.

Use debsbom delta when you only want to see changed or added components, e.g., to generate an SBOM for license clearance.

debsbom delta sbom.old.cdx.json sbom.cdx.json extras.cdx.json

You can also pass SBOMs via stdin, but you also have to pass the SBOM type in this case:

cat sbom.old.spdx.json sbom.spdx.json | debsbom delta -t spdx - - -o -

Export as Graph

The export command allows one to convert the SBOM into various graph representations. These can be used as input to graph visualization and analysis tooling (like Gephi).

NOTE:

We recommend to use the SPDX format as input, as this describes inter package relations more precisely.

Convert the SPDX SBOM to GraphML:

debsbom export sbom.spdx.json sbom-graph.graphml

Merging multiple SBOMs

The merge command merges multiple SBOMs hierarchically. The intended use-case is to combine multiple SBOMs describing a Debian-based distribution. A good example is the rootfs and the initrd of a Linux distribution.

Merge two SBOMs representing the above case:

debsbom merge rootfs.spdx.json initrd.spdx.json -o merged.spdx.json

You can also pass SBOMs via stdin, but you also have to pass the SBOM type in this case:

cat rootfs.spdx.json initrd.spdx.json | debsbom merge -t spdx -o merged.spdx.json -

License-Clearing Workflow

debsbom can be used for license clearing. The license clearing workflow could look like this:

First, generate a CycloneDX SBOM of a rootfs:

debsbom --progress generate -r path/to/the/rootfs -t cdx -o sbom
# output in sbom.cdx.json

Use the generated SBOM to download all source packages:

debsbom --progress download --outdir downloads --sources sbom.cdx.json
# the downloaded files will be in downloads/sources/<archive>

You will notice that there is no single file for each source package. Instead there is multiple: the .dsc file, an .orig.tar tarball, maybe some patches and more. debsbom provides an easy way to combine them into a single tarball that can be used in most license clearing platforms:

debsbom --progress source-merge --compress zstd --apply-patches sbom.cdx.json
# merged and patched compressed tarballs are in downloads/sources/<archive>

Now there is a single compressed file for each source package.

NOTE:

If you only need to work on a smaller subset of packages you can pass a package list via stdin. See the above sections for concrete examples how to do that.

Alternatively you can use the repack command to rewrite the SBOM and repack the downloaded artifacts in a format-specific way:

debsbom --progress repack \
--format standard-bom-package \
--dldir downloads \
--compress zstd \
--apply-patches \
--validate \
sbom.cdx.json sbom.packed.cdx.json

This step is very specific to the actual use-case you have. Right now the only available format is standard-bom-package , which created a directory structure and rewrites the SBOM to reference all source packages directly in there. If you want to see more formats you can open an issue, or even better, contribute it directly.

DEBSBOM

Part of the debsbom(1) suite.

AUTHOR

Christoph Steiger, Felix Moessbauer

COPYRIGHT

2025, Siemens