Warning
This tool was created as a tech preview, and due to current limitations in the product does NOT provide a complete inventory upon import. SBOM import functionality will be added to the product in 2024.
A CLI tool that imports a project inventory into Mend from an SBOM report in SPDX (JSON) or CSV format.
The tool can either upload data directly to Mend, or alternatively, create a Mend Offline Request file that can be uploaded separately using one of the following methods:
- Using the Mend Unified Agent (see Uploading an Offline Request File)
- Via Mend's UI (Admin >> Upload Update Request)
- Using Mend's API (see Uploading Update Requests via the Mend API)
The tool supports input files in either JSON or CSV formats.
- Linux (Bash): CentOS, Debian, Ubuntu
- Windows (PowerShell): 10, 2012, 2016
- Python 3.9+
- Mend user with admin permissions
pip install mend-import-sbom
Note: Depending on whether the package was installed as a root user or not, you need to make sure the package installation location was added to the $PATH environment variable.
Using command-line arguments only:
import_sbom --user-key $WS_USERKEY --api-key $WS_APIKEY --url $WS_WSS_URL --input $SBOM_FILE_PATH --scope "ProductName//ProjectName" --dir $OUTPUT_DIRECTORY
Using environment variables:
export WS_USERKEY=xxxxxxxxxxx
export WS_APIKEY=xxxxxxxxxxx
export WS_WSS_URL=https://saas.mend.io
import_sbom --input $SBOM_FILE_PATH --scope "ProductName//ProjectName"
Note: Either form is accepted. For the rest of the examples, the latter form is used.
Note: Parameters can be specified as either command-line arguments, environment variables, or a combination of both.
Command-line arguments take precedence over environment variables.
CLI argument | Env. Variable | Type | Required | Description |
---|---|---|---|---|
--help | | switch | No | Show help and exit |
--version | | switch | No | Show current version and exit |
--user-key | WS_USERKEY | string | Yes | Mend User Key |
--api-key | WS_APIKEY | string | Yes | Mend API Key |
--url | WS_WSS_URL | string | Yes | Mend Server URL |
--input | SBOM | string | Yes | SBOM report file to import (*.json or *.csv) |
--scope | WS_SCOPE | string | No* | Product and Project names to create/update. Expected format: "PRODUCT//PROJECT" |
--updateType | WS_UPDATETYPE | string | No | APPEND or OVERRIDE results when importing into an existing project (default: OVERRIDE) |
--dir | | string | No | Output directory for the update-request.txt file** in Offline mode (default: $PWD) |
--offline | WS_OFFLINE | bool | No | Create offline update request file without uploading to Mend (default: false) |
--multilang | WS_MULTILANG | bool | No** | When no sha1 is given, search for the library across all known package types (default: true) |
--proxy | HTTP_PROXY | string | No | Proxy host including port, with or without protocol prefix and optionally credentials. Expected formats: myproxy.host.com:1234, http://myproxy.host.com:1234, http://user:pass@myproxy.host.com:1234 |
--proxyUsername | HTTP_PROXY_USERNAME | string | No | Proxy username, if needed and if not included in the proxy host. |
--proxyPassword | HTTP_PROXY_PASSWORD | string | No | Proxy password, if needed and if not included in the proxy host. |
* --scope specifies the hierarchy (full or partial) for uploading the SBOM report using product and project identifiers. Both the product and project can be identified by either names (for creating a new one) or token (for updating an existing one).
- --scope "ProductName//ProjectName" specifies both the product name and project name to create/update.
- --scope "ProjectName" specifies only the project name; the product name defaults to Mend-Imports.
- --scope "ProjectToken" specifies the token of an existing project; the product defaults to that project's parent product. When specifying a project token, you cannot specify a product name/token.
- If --scope isn't specified, the project name is taken from the SBOM's name property (for *.json SPDX) or from its parent directory (for *.csv).

** See more details about the update-request.txt file and Offline mode in Mend's documentation.

** If --multilang is False, the script tries to find the relevant package name in the Creator field. If such a candidate is found, only it is used for searching libraries.
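The --scope rules above, worked through as an added example (this is not the tool's own code). The page does not say how import_sbom tells a project token from a project name, so the 64-character hex pattern used here is an assumption; sbom_name stands in for the SPDX document's name property.

```python
import re
from pathlib import Path

DEFAULT_PRODUCT = "Mend-Imports"
# Assumption: a project token looks like a 64-character hex string. The page
# does not document how the tool itself distinguishes a token from a name.
TOKEN_RE = re.compile(r"^[0-9a-fA-F]{64}$")

def resolve_scope(scope, input_path, sbom_name=None):
    """Apply the --scope rules to one import.

    Returns (product, project, project_token). product is None when a project
    token is given, because the product is then that project's parent product
    on the Mend side. sbom_name is the SPDX document's 'name' property and is
    only consulted for *.json input when --scope is absent."""
    if not scope:
        path = Path(input_path)
        if path.suffix.lower() == ".json":
            if not sbom_name:
                raise ValueError("SPDX document has no 'name' property to use as project name")
            return DEFAULT_PRODUCT, sbom_name, None
        # *.csv: the project is named after the file's parent directory
        return DEFAULT_PRODUCT, path.absolute().parent.name, None
    if "//" in scope:
        product, _, project = scope.partition("//")
        if not product or not project:
            raise ValueError('expected "PRODUCT//PROJECT", got %r' % scope)
        if TOKEN_RE.match(project):
            raise ValueError("a product cannot be combined with a project token")
        return product, project, None
    if TOKEN_RE.match(scope):
        return None, None, scope           # update an existing project by token
    return DEFAULT_PRODUCT, scope, None    # bare project name under the default product

if __name__ == "__main__":
    for args in (("Acme//Shop", "sbom.json", "x"), ("Shop", "sbom.csv", None),
                 ("", "/srv/reports/my-project/sbom.csv", None),
                 (None, "sbom.json", "my-project-sbom"), ("ab" * 32, "sbom.json", None)):
        print(args[0], "->", resolve_scope(*args))
```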
The SPDX document must conform to the "Composition of an SPDX document" section of the SPDX specification.
The following table describes the set of properties for each imported library:
Property | Required | Description |
---|---|---|
name | No | File Name |
downloadLocation | No | Download Location |
licenseConcluded | No | License Concluded |
licenseInfoFromFiles | No | License Info |
licenseDeclared | No | License Declared |
copyrightText | No | Copyright Text |
versionInfo | Yes* | Version Info |
packageFileName | Yes* | Package Name |
supplier | No | Supplier |
originator | No | Originator |
sha1 | Yes* | SHA1 |
homepage | No | Home Page |
* Each library requires either sha1 or the packageFileName and versionInfo pair.
Note: If sha1 isn't provided for a particular library, the tool will attempt to search that library by its name and version in Mend's index, which will result in longer execution times.
Note: In the following examples, $WS_USERKEY, $WS_APIKEY and $WS_WSS_URL are assumed to have been exported as environment variables.
Import SPDX SBOM into a new Mend project
import_sbom --scope "$WS_PRODUCTNAME//$WS_PROJECTNAME" --dir $HOME/reports --input $HOME/reports/$WS_PROJECTNAME-sbom.json
Convert SPDX SBOM to an offline update request file for creating a new Mend project under a specific product
import_sbom --scope "$WS_PRODUCTNAME//$WS_PROJECTNAME" --dir $HOME/reports --input $HOME/reports/my-project-sbom.json --offline True
Convert SPDX SBOM to an offline update request file for overriding an existing Mend project
import_sbom --scope "$WS_PRODUCTNAME//$WS_PROJECTNAME" --dir $HOME/reports --input $HOME/reports/my-project-sbom.json --offline True
import_sbom --scope $WS_PROJECTTOKEN --dir $HOME/reports --input $HOME/reports/my-project-sbom.json --offline True
Convert SPDX SBOM to an offline update request file for appending to an existing Mend project
import_sbom --scope "$WS_PRODUCTNAME//$WS_PROJECTNAME" --dir $HOME/reports --input $HOME/reports/my-project-sbom.json --offline True --updateType APPEND
import_sbom --scope $WS_PROJECTTOKEN --dir $HOME/reports --input $HOME/reports/my-project-sbom.json --offline True --updateType APPEND
The following table describes the expected CSV headers for each imported library:
Header | Required | Reference |
---|---|---|
name | No | File Name |
downloadLocation | No | Download Location |
licenseConcluded | No | License Concluded |
licenseInfoFromFiles | No | License Info |
licenseDeclared | No | License Declared |
copyrightText | No | Copyright Text |
versionInfo | Yes* | Version Info |
packageFileName | Yes* | Package Name |
supplier | No | Supplier |
originator | No | Originator |
sha1 | Yes* | SHA1 |
homepage | No | Home Page |
* Each library requires either sha1 or the packageFileName and versionInfo pair. Other fields can remain empty.
Note: If sha1 isn't provided for a particular library, the tool will attempt to search that library by its name and version in Mend's index, which will result in longer execution times.
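A pre-flight check for the rule shared by the SPDX and CSV tables above (each library needs sha1, or else the packageFileName and versionInfo pair), added here as an example and not part of mend-import-sbom. It reads SPDX JSON packages or CSV rows and separates libraries that import directly, those that will fall back to the slower name/version lookup, and those the tool cannot match. It assumes SPDX JSON carries the hash in the checksums list with algorithm "SHA1"; the sample inputs are constructed.

```python
import csv
import io
import json

REQUIRED_PAIR = ("packageFileName", "versionInfo")

def sha1_of(lib):
    """SHA1 from a flat 'sha1' column (CSV) or, for SPDX JSON, from the
    checksums list (assumption: entries whose algorithm is 'SHA1')."""
    if (lib.get("sha1") or "").strip():
        return lib["sha1"].strip()
    for c in lib.get("checksums") or []:
        if str(c.get("algorithm", "")).upper() == "SHA1":
            return c.get("checksumValue", "")
    return ""

def check_library(lib):
    """Classify one library: 'ok' (sha1 present), 'slow' (no sha1, but
    packageFileName + versionInfo allow a name/version lookup) or 'error'."""
    if sha1_of(lib):
        return "ok"
    if all((lib.get(k) or "").strip() for k in REQUIRED_PAIR):
        return "slow"
    return "error"

def check_sbom(text, fmt):
    """Check every library of an SPDX JSON document (fmt='json') or a CSV
    file (fmt='csv'); returns {'ok': count, 'slow': [labels], 'error': [labels]}."""
    if fmt == "json":
        libs = json.loads(text).get("packages", [])
    else:
        libs = list(csv.DictReader(io.StringIO(text)))
    report = {"ok": 0, "slow": [], "error": []}
    for lib in libs:
        label = lib.get("packageFileName") or lib.get("name") or "<unnamed>"
        status = check_library(lib)
        if status == "ok":
            report["ok"] += 1
        else:
            report[status].append(label)
    return report

# Constructed sample inputs (not real SBOMs) exercising all three outcomes.
SAMPLE_SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "name": "my-project-sbom", "packages": [
    {"name": "libfoo", "packageFileName": "libfoo-1.2.3.jar", "versionInfo": "1.2.3",
     "checksums": [{"algorithm": "SHA1", "checksumValue": "0123456789abcdef0123456789abcdef01234567"}]},
    {"name": "libbar", "packageFileName": "libbar-0.9.tgz", "versionInfo": "0.9"},
    {"name": "mystery", "versionInfo": "2.0"}]})
SAMPLE_CSV = "name,packageFileName,versionInfo,sha1\nlibfoo,libfoo-1.2.3.jar,1.2.3,\nlibbaz,,,\n"

if __name__ == "__main__":
    for fmt, text in (("json", SAMPLE_SPDX), ("csv", SAMPLE_CSV)):
        print(fmt, check_sbom(text, fmt))
```

Libraries listed under "error" will not be found by import_sbom; those under "slow" import but lengthen the run, exactly as the note above describes.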
Note: In the following examples, $WS_USERKEY, $WS_APIKEY and $WS_WSS_URL are assumed to have been exported as environment variables.
Import CSV SBOM into a new Mend project under the default product (Mend-Imports)
import_sbom --scope "$WS_PROJECTNAME" --dir $HOME/reports --input $HOME/reports/$WS_PROJECTNAME.csv
Import CSV SBOM, appending to an existing Mend project
import_sbom --scope "$WS_PRODUCTNAME//$WS_PROJECTNAME" --dir $HOME/reports --input $HOME/reports/$WS_PROJECTNAME.csv --updateType APPEND
import_sbom --scope $WS_PROJECTTOKEN --dir $HOME/reports --input $HOME/reports/$WS_PROJECTNAME.csv --updateType APPEND