SBOMgen
This tutorial illustrates how to create an SBOM from a binary file using the Blint CLI.
Prerequisites: Python 3 and pip.
Install Blint by running the command:
pip install blint
Verify the installation by running:
blint -h
You should see the resulting output:
usage: blint [-h] [-i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]] [-o REPORTS_DIR] [--no-error] [--no-banner] [--no-reviews]
             [--suggest-fuzzable]
             {sbom} ...

Binary linter and SBOM generator.

options:
  -h, --help            show this help message and exit
  -i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...], --src SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]
                        Source directories, container images or binary files. Defaults to current directory.
  -o REPORTS_DIR, --reports REPORTS_DIR
                        Reports directory. Defaults to reports.
  --no-error            Continue on error to prevent build from breaking.
  --no-banner           Do not display banner.
  --no-reviews          Do not perform method reviews.
  --suggest-fuzzable    Suggest functions and symbols for fuzzing based on a dictionary.

sub-commands:
  Additional sub-commands

  {sbom}
    sbom                Command to generate SBOM for supported binaries.
For a basic SBOM run (note that for the sbom sub-command, -o names the output file rather than a reports directory):
blint sbom -i </path/to/binary> -o <sbom_output_filename>
For a more extensive SBOM, add --deep:
blint sbom -i </path/to/binary> -o <sbom_output_filename> --deep
This tool may not locate every dependency of a binary, so treat the component list as incomplete rather than authoritative.
The SBOMs generated by this tool use PURLs as component bom-refs. A component bom-ref may look like this:
"bom-ref": "pkg:file/<component-name>"
This is valid against the CycloneDX JSON schema, which only requires bom-ref to be a non-empty string, but "file" is not a registered PURL type. Tools that resolve PURLs against package registries or vulnerability databases will not be able to match such components, which limits what downstream SBOM analysis can do with them.
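The following script is an added example for this tutorial; it is not part of Blint or CycloneDX. It reads a CycloneDX JSON SBOM such as the one `blint sbom ... -o <file>` writes and flags the cases a practitioner would want to know about before feeding the document to other tools: bom-refs whose PURL type is not registered in PURL-TYPES.rst (the pkg:file case above), bom-refs that are not PURLs at all, components without a bom-ref, and dependency entries that point at a bom-ref no component declares. The set of known PURL types is a hand-copied subset of the spec, and the embedded SBOM is a constructed sample in the shape of Blint output, not a real scan of systemd.

```python
"""Audit the bom-refs in a CycloneDX JSON SBOM, e.g. one produced by
`blint sbom -i <binary> -o sbom.json`.

Added example for this tutorial; it is not part of Blint or CycloneDX.
"""
import json
import re
import sys

# Types registered in purl-spec/PURL-TYPES.rst. This is a subset copied by
# hand for the example; refresh it from the spec before relying on it.
KNOWN_PURL_TYPES = {
    "alpm", "apk", "bitbucket", "bitnami", "cargo", "cocoapods", "composer",
    "conan", "conda", "cpan", "cran", "deb", "docker", "gem", "generic",
    "github", "golang", "hackage", "hex", "huggingface", "luarocks", "maven",
    "mlflow", "npm", "nuget", "oci", "pub", "pypi", "qpkg", "rpm", "swid",
    "swift",
}

# pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
# Only the type matters here; everything after the first "/" is kept opaque.
PURL_RE = re.compile(r"^pkg:(?P<type>[A-Za-z][A-Za-z0-9.+-]*)/(?P<rest>.+)$")


def purl_type(bom_ref):
    """Return the lowercased PURL type of bom_ref, or None if it is not a PURL."""
    match = PURL_RE.match(bom_ref)
    return match.group("type").lower() if match else None


def audit_sbom(sbom):
    """Classify every bom-ref in the SBOM and cross-check the dependency graph.

    Returns a dict of finding lists keyed by finding kind, in document order.
    """
    findings = {
        "unknown_purl_type": [],    # PURL whose type is not registered, e.g. pkg:file/...
        "not_a_purl": [],           # bom-ref present but not a PURL at all
        "missing_bom_ref": [],      # component with no bom-ref (component names)
        "dangling_dependency": [],  # dependency ref/dependsOn with no matching component
    }
    declared = set()

    # metadata.component (the scanned binary itself) carries a bom-ref that
    # dependencies[] may reference, so it is checked alongside components[].
    components = list(sbom.get("components", []))
    root = sbom.get("metadata", {}).get("component")
    if root:
        components.insert(0, root)

    for comp in components:
        ref = comp.get("bom-ref")
        if not ref:
            findings["missing_bom_ref"].append(comp.get("name", "<unnamed>"))
            continue
        declared.add(ref)
        ptype = purl_type(ref)
        if ptype is None:
            findings["not_a_purl"].append(ref)
        elif ptype not in KNOWN_PURL_TYPES:
            findings["unknown_purl_type"].append(ref)

    for dep in sbom.get("dependencies", []):
        targets = [t for t in [dep.get("ref")] + list(dep.get("dependsOn", [])) if t]
        for target in targets:
            if target not in declared and target not in findings["dangling_dependency"]:
                findings["dangling_dependency"].append(target)

    return findings


def load_sbom(path):
    """Read a CycloneDX JSON file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample in the shape of a Blint SBOM; not real Blint output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "systemd",
                      "bom-ref": "pkg:generic/systemd"},
    },
    "components": [
        {"type": "library", "name": "libc.so.6", "bom-ref": "pkg:file/libc.so.6"},
        {"type": "library", "name": "libcap2", "bom-ref": "pkg:deb/debian/libcap2"},
        {"type": "library", "name": "libcrypto", "bom-ref": "libcrypto"},
        {"type": "library", "name": "libpthread"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/systemd",
         "dependsOn": ["pkg:file/libc.so.6", "pkg:deb/debian/libcap2",
                       "pkg:file/libmissing.so"]},
    ],
}


if __name__ == "__main__":
    # Pass the file written by `blint sbom ... -o <file>`; with no argument the
    # constructed sample above is audited instead.
    sbom = load_sbom(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SBOM
    for kind, items in audit_sbom(sbom).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it as `python audit_sbom.py sbom.json` against a real Blint SBOM. A non-empty unknown_purl_type list tells you which components a PURL-aware scanner will not be able to resolve; a non-empty dangling_dependency list means the dependency graph references components the document never declares, which is the kind of gap the caveat about incomplete dependency data refers to.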
This section shows two CycloneDX JSON SBOMs generated by Blint from the systemd binary: one from a regular run and one from a --deep run.
OWASP dep-scan. (n.d.). blint: BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries [Source code repository]. GitHub. https://github.com/owasp-dep-scan/blint
package-url. (n.d.). PURL-TYPES.rst [purl-spec repository]. GitHub. https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
CycloneDX. (n.d.). CycloneDX v1.5 JSON Reference: components_items_bom-ref. https://cyclonedx.org/docs/1.5/json/#components_items_bom-ref