This tutorial illustrates how to create an SBOM from a binary file using the Blint CLI.
Prerequisites: Python 3 and pip.
Install Blint by running the command:
pip install blint
Verify the installation by running:
blint -h
You should see the resulting output:
usage: blint [-h] [-i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]] [-o REPORTS_DIR] [--no-error] [--no-banner] [--no-reviews]
             [--suggest-fuzzable]
             {sbom} ...

Binary linter and SBOM generator.

options:
  -h, --help            show this help message and exit
  -i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...], --src SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]
                        Source directories, container images or binary files. Defaults to current directory.
  -o REPORTS_DIR, --reports REPORTS_DIR
                        Reports directory. Defaults to reports.
  --no-error            Continue on error to prevent build from breaking.
  --no-banner           Do not display banner.
  --no-reviews          Do not perform method reviews.
  --suggest-fuzzable    Suggest functions and symbols for fuzzing based on a dictionary.

sub-commands:
  Additional sub-commands

  {sbom}
    sbom                Command to generate SBOM for supported binaries.
For a basic SBOM run:
blint sbom -i </path/to/binary> -o <sbom_output_filename>
For a more extensive SBOM run:
blint sbom -i </path/to/binary> -o <sbom_output_filename> --deep
This tool may be limited in its ability to comprehensively locate and list dependency data.
The SBOMs generated by this tool use PURLs as component bom-refs. For example, a component bom-ref may look like this:
"bom-ref": "pkg:file/<component-name>"
While this format is valid with regard to the CycloneDX JSON Schema, note that "file" is not a registered PURL type, which may affect tools that parse or resolve PURLs during SBOM analysis.
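One way to catch this before the SBOM is handed to downstream tooling is to scan the generated CycloneDX JSON for components whose bom-ref is a PURL with an unregistered type. The script below is an added example, not part of the Blint project; the type list is an assumed subset of the purl-spec registry, and the embedded SBOM is constructed to mirror the bom-ref shape shown above rather than being real Blint output.

```python
"""Flag CycloneDX components whose bom-ref uses an unregistered PURL type."""
import json

# Assumption: a subset of the types registered in purl-spec PURL-TYPES.rst.
# A production check would load the full, current list.
KNOWN_PURL_TYPES = {
    "apk", "cargo", "composer", "conan", "deb", "generic", "golang", "maven",
    "npm", "nuget", "pypi", "rpm", "swift",
}


def purl_type(ref):
    """Return the lowercase type of a 'pkg:<type>/...' reference, or None
    when the reference is not a PURL at all (e.g. a urn:uuid bom-ref)."""
    if not ref.startswith("pkg:"):
        return None
    rest = ref[len("pkg:"):].lstrip("/")  # spec tolerates 'pkg://type/...'
    return rest.split("/", 1)[0].lower() or None


def find_unknown_bom_refs(sbom):
    """Return [(bom-ref, type)] for every component whose bom-ref is a PURL
    whose type is not in KNOWN_PURL_TYPES. Non-PURL refs are left alone."""
    unknown = []
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref", "")
        ptype = purl_type(ref)
        if ptype is not None and ptype not in KNOWN_PURL_TYPES:
            unknown.append((ref, ptype))
    return unknown


# Constructed sample SBOM (not real Blint output): one 'pkg:file' ref as
# described above, one registered deb PURL, one non-PURL bom-ref.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libcrypto", "bom-ref": "pkg:file/libcrypto.so.3"},
    {"type": "library", "name": "zlib", "bom-ref": "pkg:deb/debian/zlib1g@1.2.13"},
    {"type": "library", "name": "internal", "bom-ref": "urn:uuid:1234"}
  ]
}""")

if __name__ == "__main__":
    for ref, ptype in find_unknown_bom_refs(SAMPLE_SBOM):
        print(f"{ref}: unregistered PURL type '{ptype}'")
```

To run it against a real Blint SBOM, replace SAMPLE_SBOM with json.load() of the file written by the -o option.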
https://github.com/owasp-dep-scan/blint
https://cyclonedx.org/docs/1.5/json/#components_items_bom-ref
https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst