Swift Package SBoM
A software bill of materials (SBoM) generator for Swift packages.
Run this command to print a JSON representation of a CycloneDX SBoM for a Swift package at a given path.
A software component can be described by a bill of materials at different levels of detail. This project currently includes the following information:
- Component records for each library and executable product, each with a list of source files.
- SHA256, SHA384, SHA512 checksums for each source file
- Information about the latest commit (if the package root contains a
.git
directory) - Component records for each resolved dependency, including information about transitive relationships
⚠️ This project is under active development and isn't ready for production use.
For more information about software bill of materials, see this webpage from the National Telecommunications and Information Administration (NTIA).
Requirements
- Swift 5.4+
- macOS 10.15+
- libgit2
Usage
swift-package-sbom generate --help
OVERVIEW: Generate a software bill of materials for a package at a path.
USAGE: swift-package-sbom generate <package-path>
ARGUMENTS:
<package-path> Location of the package
OPTIONS:
--version Show the version.
-h, --help Show help information.
Example Output
{
"format": "CycloneDX",
"serialNumber": "urn:uuid:73BB569B-52BA-4CA7-B2D1-C76CD5661C3C",
"specVersion": "1.2",
"metadata": {
"timestamp": "2021-07-15T22:23:33Z"
},
"components": [
{
"classification": "library",
"bom-ref": "CycloneDX",
"pedigree": {
"commits": [
{
"author": {
"name": "Mattt",
"email": "[email protected]"
},
"committer": {
"name": "Mattt",
"email": "[email protected]"
},
"uid": "268e2e22efe45bae5f8521725827ff913f9d89de",
"message": "Create Algorithm enumeration with correct encoded values"
}
]
},
"components": [
{
"bom-ref": "Sources/CycloneDX/Supporting Types/Pedigree.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/ExternalReference.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Service.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/BillOfMaterials.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/IdentifiableAction.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Extensions/KeyedEncodingContainerProtocol+Extensions.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/Commit.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Dependency.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/OrganizationalEntity.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Metadata.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/CPE.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Component.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Properties.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/Issue.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/Patch.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/Diff.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/Tool.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Composition.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/Hash.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/License.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/OrganizationalContact.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/CycloneDX/Supporting Types/Copyright.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
}
]
},
{
"classification": "application",
"bom-ref": "swift-package-sbom",
"pedigree": {
"commits": [
{
"author": {
"name": "Mattt",
"email": "[email protected]"
},
"committer": {
"name": "Mattt",
"email": "[email protected]"
},
"uid": "268e2e22efe45bae5f8521725827ff913f9d89de",
"message": "Create Algorithm enumeration with correct encoded values"
}
]
},
"components": [
{
"bom-ref": "Sources/swift-package-sbom/Extensions/Hash.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/swift-package-sbom/Extensions/HashFunction+Extensions.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/swift-package-sbom/Extensions/DataProtocol+Extensions.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/swift-package-sbom/Subcommands/Generate.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/swift-package-sbom/Extensions/AbsolutePath+Extensions.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
},
{
"bom-ref": "Sources/swift-package-sbom/main.swift",
"classification": "file",
"hashes": [
{
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"algorithm": "SHA-256"
},
{
"value": "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
"algorithm": "SHA-384"
},
{
"value": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"algorithm": "SHA-512"
}
]
}
]
},
{
"bom-ref": "swift-driver",
"classification": "library",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/apple/swift-driver.git"
}
]
},
{
"bom-ref": "Git",
"classification": "library",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/SwiftDocOrg/Git.git"
}
]
},
{
"bom-ref": "Yams",
"classification": "library",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/jpsim/Yams.git"
}
]
},
{
"bom-ref": "swift-tools-support-core",
"classification": "library",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/apple/swift-tools-support-core.git"
}
]
},
{
"bom-ref": "swift-argument-parser",
"classification": "library",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/apple/swift-argument-parser.git"
}
]
},
{
"bom-ref": "swift-llbuild",
"classification": "library",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/apple/swift-llbuild.git"
}
]
},
{
"bom-ref": "swift-package-manager",
"classification": "library",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/apple/swift-package-manager.git"
}
]
}
]
}