csspin_tooling.sbomasm

The csspin_tooling.sbomasm plugin provides SBOM (Software Bill of Materials) assembly and enrichment for CONTACT Elements-based projects. It downloads and manages sbomasm and exposes two separate tasks: one to merge multiple CycloneDX SBOM files into a single top-level SBOM, and one to enrich the result with CONTACT Elements-specific metadata extracted from the Python project configuration. A single SBOM is supported too — in that case the merge step is a pass-through and only the enrichment step modifies the file.

The sbomasm plugin reads the metadata for the enrichment step through the csspin-python.python plugin, i.e. from the project's Python packaging configuration. The metadata consists of the project name, version, author, supplier, and license. Other sources of metadata are currently not supported.

How to set up the csspin_tooling.sbomasm plugin?

To use the csspin_tooling.sbomasm plugin, a project's spinfile.yaml must contain at least the following configuration.

Minimal configuration of spinfile.yaml to use csspin_tooling.sbomasm
plugin_packages:
    - csspin-python
    - csspin-tooling
plugins:
    - csspin_tooling.sbomasm
python:
    version: "3.11.9"

Provisioning downloads sbomasm into the spin data directory and makes it available for all subsequent tasks:

Provisioning the project including sbomasm
spin provision

How to assemble and enrich an SBOM?

Both tasks hook into the sbomasm task group and the sbom workflow. If csspin-workflows.stdworkflows is enabled, they run in the following order:

  • sbomasm assemble collects all *.cdx.json files in the current directory (excluding the output file) and merges them into the output file. With a single input file the merge is a pass-through copy.

  • sbomasm enrich then edits the output file in place, applying project metadata (name, version, author, supplier, license) to the primary component. The following fields must be present in the project's metadata (i.e. defined in pyproject.toml, setup.py or setup.cfg); the task aborts if any of them is missing:

    • name (e.g. customer.plm)

    • version (e.g. v1.2.3)

    • license — SPDX expression, e.g. MIT

    • Author information — each author must have both a name and an email address. The expected format depends on the build backend:

      pyproject.toml (PEP 621):

      [project]
      authors = [
          {name = "Good Employee", email = "good.employee@work.com"},
      ]
      setup.py / setup.cfg:

      author = "Good Employee"
      author_email = "good.employee@work.com"

Assemble and enrich
spin sbomasm assemble
spin sbomasm enrich

The output file defaults to <project_name>.cdx.json. Its location can be overridden via the sbomasm.output_file option.
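As an added example (this is not code from the csspin_tooling.sbomasm plugin or from sbomasm itself), the following Python script mirrors the preconditions of the enrich task: it validates a parsed pyproject.toml [project] table for the fields listed above, reporting every problem in one run instead of aborting on the first, and afterwards checks that the primary component of the written CycloneDX SBOM carries the expected name, version and license. The sample project tables and the sample SBOM document are constructed for this example; how the plugin places author and supplier in the CycloneDX document is not described on this page and is therefore not checked here.

```python
"""Pre-flight and post-run checks around the sbomasm enrich step.

Added example, not part of csspin_tooling.sbomasm. The required fields
(name, version, license, authors with name and email) are the ones the
plugin documentation lists; the sample data below is constructed.
"""
import re
from typing import Any

# Constructed sample: the [project] table as tomllib.load() returns it.
GOOD_PROJECT: dict[str, Any] = {
    "name": "customer.plm",
    "version": "1.2.3",
    "license": "MIT",
    "authors": [{"name": "Good Employee", "email": "good.employee@work.com"}],
}

# Constructed sample with an author lacking an email address, the kind of
# omission that makes the enrich task abort.
BAD_PROJECT: dict[str, Any] = {
    "name": "customer.plm",
    "version": "1.2.3",
    "license": {"text": "MIT"},
    "authors": [{"name": "Good Employee"}],
}

# Constructed CycloneDX JSON document standing in for the enriched output
# file; only spec-stable fields of the primary component are present.
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "application",
            "name": "customer.plm",
            "version": "1.2.3",
            "licenses": [{"license": {"id": "MIT"}}],
        }
    },
    "components": [],
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_project_metadata(project: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Validate a parsed PEP 621 [project] table for the enrich step.

    Returns (normalised metadata, problems); all problems are collected so a
    single run shows everything the task would otherwise abort on.
    """
    meta: dict[str, Any] = {}
    problems: list[str] = []

    for key in ("name", "version"):
        value = project.get(key)
        if isinstance(value, str) and value.strip():
            meta[key] = value.strip()
        else:
            problems.append(f"project.{key} is missing or empty")

    # PEP 621 also allows license = {text = "..."}; normalise to a string.
    lic = project.get("license")
    if isinstance(lic, dict):
        lic = lic.get("text")
    if isinstance(lic, str) and lic.strip():
        meta["license"] = lic.strip()
    else:
        problems.append("project.license must be an SPDX expression string")

    authors = project.get("authors")
    if not isinstance(authors, list) or not authors:
        problems.append("project.authors is missing or empty")
        authors = []
    meta["authors"] = []
    for idx, author in enumerate(authors):
        entry = author if isinstance(author, dict) else {}
        name = str(entry.get("name") or "").strip()
        email = str(entry.get("email") or "").strip()
        if not name:
            problems.append(f"project.authors[{idx}] has no name")
        if not EMAIL_RE.match(email):
            problems.append(f"project.authors[{idx}] has no valid email address")
        if name and EMAIL_RE.match(email):
            meta["authors"].append({"name": name, "email": email})
    return meta, problems


def check_enriched_sbom(sbom: dict[str, Any], meta: dict[str, Any]) -> list[str]:
    """Compare the primary component of a CycloneDX JSON SBOM with meta.

    Only name, version and licenses under metadata.component are checked;
    where author and supplier land depends on the CycloneDX spec version.
    """
    problems: list[str] = []
    component = sbom.get("metadata", {}).get("component")
    if not isinstance(component, dict):
        return ["metadata.component (the primary component) is missing"]
    for key in ("name", "version"):
        if component.get(key) != meta[key]:
            problems.append(f"primary component {key} is {component.get(key)!r}, expected {meta[key]!r}")
    found: set[str] = set()
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.add(entry["expression"])
        elif isinstance(entry.get("license"), dict):
            found.add(entry["license"].get("id") or entry["license"].get("name") or "")
    if meta["license"] not in found:
        problems.append(f"primary component licenses {sorted(found)} do not include {meta['license']!r}")
    return problems


if __name__ == "__main__":
    for label, project in (("good", GOOD_PROJECT), ("bad", BAD_PROJECT)):
        print(f"{label}: {check_project_metadata(project)[1] or 'metadata complete'}")
    good_meta, _ = check_project_metadata(GOOD_PROJECT)
    print("sbom:", check_enriched_sbom(SAMPLE_SBOM, good_meta) or "primary component matches")
```

Against a real project, load the table with tomllib (available from Python 3.11, matching the python.version above) via `tomllib.load(f)["project"]` and the SBOM with `json.load` from the file named by sbomasm.output_file. Projects that declare metadata in setup.py or setup.cfg use the author and author_email keys instead of the authors list and need a corresponding check, which this script does not include.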

How to use a pre-installed sbomasm binary?

Set sbomasm.use to the path of an existing binary to skip the automatic download during provisioning:

Using a local sbomasm installation
spin -p sbomasm.use=/usr/local/bin/sbomasm sbomasm assemble

csspin_tooling.sbomasm schema reference

sbomasm: 'object'

The sbomasm plugin wraps around the sbomasm tool for assembling and enriching SBOMs.

sbomasm.version: 'str'

Version of sbomasm to use

sbomasm.install_dir: 'path'

The installation directory to install sbomasm versions into

sbomasm.use: 'path'

Can be used to specify a custom sbomasm binary to use instead of the one installed by the plugin

sbomasm.output_file: 'path'

The file path to write the generated SBOM to

sbomasm.format: 'object'

Configuration regarding the output format of the generated SBOM

sbomasm.format.name: 'str'

The name of the output format to use

sbomasm.format.version: 'str'

The version of the output format to use

sbomasm.format.spec: 'str'
sbomasm.schema: 'object'
sbomasm.requires: 'object'
sbomasm.requires.spin: 'list'
sbomasm._requires: 'list'