Releases: siemens/debsbom

v0.4.0

17 Nov 11:49

You can find the associated container to this release here.

All releases are published automatically on PyPI. You can install it by running pip install debsbom[download].

Improvements

  • Always include package field in download result when using the --json option for the download command
    It was optional before, now it is always there.
  • Add PURL field to download result when using the --json option for the download command
  • Add --mtime option for repack and source-merge commands
    This option sets a custom timestamp for the created tarballs. If this option is not set, the timestamp from the most recent changelog is used, as before.
  • Checksum matching is now done in a defined order if there are multiple available, with the best algorithms being tried first
  • Improve handling of malformed apt-cache data
  • Improve error messages for malformed package lists
  • Add --skip-pkgs option to the download command
    This new option allows skipping selected packages. This is useful if one does not want to leak private package names to the snapshot mirror.
  • Add VCS information to SBOM
    Debian source packages may contain information about the used VCS and provide a link to it. Include this information in the SBOM as it might be useful for repository analysis and other purposes.
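The "checksum matching in a defined order" entry above is worth seeing concretely: when an index publishes several digests for one artifact, the verifier should always try the strongest one first, otherwise a corrupted or tampered file whose weak digest still matches could slip through. The following is an added illustration written for these notes, not debsbom's own code; the artifact bytes, the advertised checksum dictionaries and the preference tuple are constructed here.

```python
"""Checksum verification in a defined order of preference.

Added illustration, not debsbom's own code: given the checksums an archive
index advertises for an artifact, verify the file with the strongest
algorithm available and fall back to weaker ones only when nothing better
is offered.
"""
import hashlib
from typing import Dict, Optional, Tuple

# Constructed preference order, strongest first. md5 is last so it is only
# used for indexes that publish nothing else.
PREFERENCE = ("sha512", "sha256", "sha1", "md5")


def pick_algorithm(available: Dict[str, str]) -> Optional[str]:
    """Return the best advertised algorithm according to PREFERENCE."""
    for algo in PREFERENCE:
        if algo in available:
            return algo
    return None


def verify(data: bytes, available: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Verify data against the best available digest.

    Returns (algorithm_used, matched). A missing digest is a failure, not a
    pass: an artifact with no verifiable checksum must not be accepted.
    """
    algo = pick_algorithm(available)
    if algo is None:
        return None, False
    digest = hashlib.new(algo, data).hexdigest()
    return algo, digest == available[algo].lower()


def make_sample() -> Tuple[bytes, Dict[str, str]]:
    """Constructed artifact plus the digests an index would publish for it."""
    good = b"Format: 3.0 (quilt)\nSource: constructed-example\n"
    sums = {
        "md5": hashlib.md5(good).hexdigest(),
        "sha256": hashlib.sha256(good).hexdigest(),
    }
    return good, sums


if __name__ == "__main__":
    data, sums = make_sample()
    print(verify(data, sums))                    # ('sha256', True)
    # Index whose sha256 does not match the bytes: even though md5 would
    # still agree, the defined order means the strong digest decides.
    tampered = dict(sums, sha256="0" * 64)
    print(verify(data, tampered))                # ('sha256', False)
```

The important property is the last case: an index whose md5 agrees with the bytes but whose sha256 does not is rejected, because the stronger algorithm is consulted first rather than whichever digest happens to be iterated first.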

Bug fixes

  • Fixed residual config packages being placed in SBOMs
    Packages that are not properly installed showed up in the SBOM before and only their dependency resolution was disabled. Properly remove them now.
  • Actually use the output directory specified by the --output option for the source-merge command
  • Fix incorrect application of patches for the repack command
    When using the --apply-patches flag we previously always skipped the inclusion of the .pc directory, essentially ignoring the flag.
  • Fix wrong inclusion of orig.tar tarballs for the repack command

Documentation

  • Document many design decisions
  • Use relationship instead of relation when describing Debian package relationships
    This is the terminology used in the Debian documentation, so we stay consistent with it.

v0.3.1

27 Oct 14:51

You can find the associated container to this release here.

All releases are published automatically on PyPI. You can install it by running pip install debsbom[download].

Improvements

  • Moved imprecise lookup warning to info logging level
    The warning appeared very often and confused some users. The name and version of a source package should be enough to uniquely identify packages on the Debian snapshot mirror. There are some edge cases we know about that break this rule, but these are considered bugs by the Debian team. By downgrading the logging message to info level we keep the possibility to debug these issues, but at the same time do not confuse users who see this warning in every run of the generator.
  • Add md5 checksums of .dsc files for source packages to SBOMs in addition to sha256 checksums

Bug fixes

  • Fixed issues with checksum merging in the merge command

v0.3.0

22 Oct 15:24

You can find the associated container to this release here.

All releases are published automatically on PyPI. You can install it by running pip install debsbom[download].

There was a maintainership change: Gernot Hillier stepped down for now and Felix Moessbauer is taking over. Thanks for your work Gernot, and welcome Felix!

Improvements

  • Allow isar manifest format as package list
  • When neither --binary nor --source is given for the download command, simply download everything
  • Split package description into a summary line and description in SPDX SBOMs
  • Add binary package section to the tag field in CDX SBOMs
  • Add the binary package section to nodes in export command
  • Track package installation status for binary packages
    Packages can be listed in the dpkg status file despite not being installed. This e.g. happens on system updates when config files of removed packages are still present. Correctly represent this information in the SBOMs where appropriate.
  • Track and use checksums of dsc files for source packages
  • Fetch artifacts for all archives with the download command
    There are situations where a source package is uploaded to multiple archives (e.g. debian and debian-ports), but the content differs even within a version. Now all downloaded artifacts are placed in a per-archive directory. Checksum verification is now also done for packages from all known archives.
  • Add the --json option.
    This new option prints machine readable JSON to stdout for the download command. With this the status for each package can be tracked, and packages that fail their checksum checks or fail to download can be identified.
  • Add a new merge command to hierarchically merge SBOMs
    The merge is intended to be used for combining multiple SBOMs that describe a Debian-based Linux distribution. A common such use case would be combining SBOMs for a rootfs and an initrd.
  • Add the --distro-arch option to the generate command.
    With the fix of arch-all package dependency resolving we need to know the native architecture now. There are cases where we can recognize this automatically, in all other cases it must be passed via this option.

Bug fixes

  • Fix trailing newlines on package list inputs causing architectures not to be recognized
  • Fix packages from a package list using extended state information; they are all marked as manually installed now
  • Fix incorrect dependency error when the zstandard dependency is not installed
  • Fix incorrect parsing of the Binaries field for source packages
  • Fix incorrect resolving of dependencies of arch-all packages
    Architecture all packages can depend on architecture native packages. Previously only the direction <arch> to all was mapped. Now also map the all to <arch> direction. This also means that knowledge of the native architecture is needed to resolve all dependencies correctly.
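To make the arch-all fix above tangible, here is an added toy resolver, not debsbom's own code, over a constructed package set. It looks up a dependency first in the dependant's own architecture, then maps native to all (the old behaviour), and finally maps all to native, which is only possible when the native architecture is known, which is exactly why the fix comes with the --distro-arch option. Package names, architectures and the resolver functions are all assumptions made for this illustration.

```python
"""Dependency resolution across 'all' and native architectures.

Added illustration, not debsbom's own code: a toy resolver over a
constructed package set showing why the native architecture must be known
to map dependencies in both directions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    arch: str                 # "all" or a concrete arch such as "amd64"
    depends: Tuple[str, ...] = ()   # plain dependency names (constructed; no version selectors)


def resolve_dependency(pkgs: Dict[str, Package], dependant: Package,
                       dep_name: str, native_arch: Optional[str]) -> Optional[Package]:
    """Return the package satisfying dep_name for dependant, or None.

    Lookup order:
      1. same architecture as the dependant
      2. dependant is native -> an arch-'all' package       (old behaviour)
      3. dependant is 'all'  -> the native package          (fixed behaviour;
         needs native_arch, hence the --distro-arch option)
    """
    candidates = {p.arch: p for p in pkgs.values() if p.name == dep_name}
    if dependant.arch in candidates:
        return candidates[dependant.arch]
    if dependant.arch != "all" and "all" in candidates:
        return candidates["all"]
    if dependant.arch == "all" and native_arch and native_arch in candidates:
        return candidates[native_arch]
    return None


def resolve_all(pkgs: Dict[str, Package],
                native_arch: Optional[str]) -> Dict[str, List[Tuple[str, Optional[Package]]]]:
    """Map each 'name:arch' to its list of (dependency name, resolved package or None)."""
    return {
        f"{p.name}:{p.arch}": [(d, resolve_dependency(pkgs, p, d, native_arch)) for d in p.depends]
        for p in pkgs.values()
    }


def unresolved(pkgs: Dict[str, Package], native_arch: Optional[str]) -> List[str]:
    """Sorted 'pkg -> dep' strings for dependencies that could not be mapped."""
    return sorted(
        f"{pkg} -> {dep}"
        for pkg, deps in resolve_all(pkgs, native_arch).items()
        for dep, target in deps
        if target is None
    )


# Constructed sample: an arch-all Python package depending on a native library,
# and a native package depending on an arch-all data package.
SAMPLE: Dict[str, Package] = {
    "python3-foo:all": Package("python3-foo", "all", ("libfoo",)),
    "libfoo:amd64": Package("libfoo", "amd64", ("libc6",)),
    "libc6:amd64": Package("libc6", "amd64"),
    "foo-data:all": Package("foo-data", "all"),
    "foo:amd64": Package("foo", "amd64", ("foo-data", "libfoo")),
}

if __name__ == "__main__":
    print("without native arch:", unresolved(SAMPLE, None))      # ['python3-foo:all -> libfoo']
    print("with native arch:   ", unresolved(SAMPLE, "amd64"))   # []
```

Without the native architecture the all-to-native edge from python3-foo to libfoo stays unresolved and the SBOM would miss that relationship, while the native-to-all edge from foo to foo-data resolves in both runs, which is the asymmetry the bug fix removes.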

Documentation

  • Improve Getting Started section
  • Add example for package lists with isar manifest
  • Improve help string of --from-pkglist options for all commands that use it
  • Improve help string of --root option for the generate command
  • Explicitly state that source archives are merged when using the repack command
  • Add output schema for the JSON created by the new --json option
  • Add documentation for the new merge command
  • Improve help string for the --outdir option of the repack command
  • Add example on how to do a common license-clearing workflow

v0.2.0

13 Oct 12:08

You can find the associated container to this release here.

All releases are published automatically on PyPI. You can install it by running pip install debsbom[download].

Features

  • Support repacking a subset of packages
    On system updates, usually only a small set of packages changes. When performing license clearing, only the updated packages might be needed. To streamline this process, we allow merging only a subset of packages in repack by providing the corresponding packages via stdin.

  • Allow dpkg status files directly as inputs
    In case a user only has a dpkg status file (but nothing else), they previously needed to construct the directory structure of a chroot with just that single file. By extending the stdin ingress module the user no longer needs to create a chroot-like directory structure in this case.

  • Add export subcommand to convert SBOMs into graphs
    Exporting the SBOM to a precise and annotated graph enables graph-tooling to further analyze and reason about it. Currently graphml is the only supported format.

Bug fixes

  • Avoid duplicate dependencies when multiple version selectors are present
  • Merge package metadata if package is already merged
  • Fix numerous problems when specifying packages with a package list with available apt cache
  • Improve handling of missing dependencies
    When dependencies are missing, do not omit the corresponding subcommands. Instead, still list them in the help string and provide a short error message showing which dependency is missing.
  • Provide an error when not providing a subcommand instead of exiting quietly

Documentation

  • Provide an example of SBOM generation from a package list
  • Provide an example of how to do partial repacking
  • Add a Getting Started page
  • Add instructions on how/why to use python3-apt

v0.1.0

07 Oct 08:56

This is the first release of debsbom. Things will only get better from here!

The first release includes the generate, download, source-merge and repack subcommands. This allows you to generate SBOMs, download all their binary and source packages, merge the source packages into a single tarball and finally repack everything for a single file distribution. Make sure to read our documentation for examples.

You can find the associated container to this release here.

All releases are published automatically on PyPI. You can install it by running pip install debsbom[download].