carabiner-dev/unpack

unpack: Your Handy Dependency Extractor

A collection of dependency analysis libraries and CLI tool to extract dependency data from codebases, artifacts and software bills of materials (SBOMs).

The project can output the dependency data to the native SBOM formats as well as visualize them on screen:

> unpack extract . 

pkg:golang/github.com/carabiner-dev/[email protected]+0400cac1
  ├ pkg:golang/github.com/titanous/[email protected]
  ├ pkg:golang/google.golang.org/[email protected]
  │   ├ pkg:golang/github.com/google/[email protected]
  │   ├ pkg:golang/golang.org/x/[email protected]
  │   ├ pkg:golang/[email protected]
  │   └ pkg:golang/github.com/golang/[email protected]
  ├ pkg:golang/github.com/cloudflare/[email protected]
  │   ├ pkg:golang/github.com/bwesterb/[email protected]
  │   ├ pkg:golang/golang.org/x/[email protected]
  │   ├ pkg:golang/golang.org/x/[email protected]
  │   └ pkg:golang/[email protected]
  ├ pkg:golang/github.com/skeema/[email protected]
  │   ├ pkg:golang/golang.org/x/[email protected]
  │   ├ pkg:golang/golang.org/x/[email protected]
  │   └ pkg:golang/[email protected]
  ...

⚠️ unpack is still an experimental project. We have initial support to extract data from go and rust codebases (more are on the way). It has support for dependency extraction from SBOMs via the native protobom unserializers.

Install

We have started building binaries for the project, but we only have prereleases at the moment. Feel free to try them out: download the latest prerelease.

If you want to try the latest and greatest (and possibly the buggiest! 🙃), install directly with the Go compiler:

go install github.com/carabiner-dev/unpack@HEAD

Usage

Extract Source Dependency Data

To extract dependency data from code bases use unpack extract:

# Extract the dependency data of a code base in a tree:
unpack extract /path/to/code

# Same but output in an SPDX SBOM:
unpack extract --format=spdx /path/to/code 

# Same SPDX document, but wrapped in an in-toto attestation:
unpack extract --attest --format=spdx /path/to/code 
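
The tree shown at the top of this README is a list of package URLs (purls) derived from the module graph. As an added illustration of where that data comes from, the following Go program is not part of unpack; it reads a constructed go.mod (single-line and block `require` forms, `// indirect` markers) and renders each requirement as a `pkg:golang/<path>@<version>` purl with the same box-drawing layout. The sample module paths and versions are made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module is one requirement listed in a go.mod file.
type Module struct {
	Path     string
	Version  string
	Indirect bool // marked "// indirect" in go.mod
}

// PURL renders the module as a package URL in the form unpack prints:
// pkg:golang/<module path>@<version>.
func (m Module) PURL() string {
	return "pkg:golang/" + m.Path + "@" + m.Version
}

// ParseGoMod returns the module path declared in go.mod text and every
// requirement it lists, handling both the single-line and the block form
// of "require". Comment-only and blank lines are skipped.
func ParseGoMod(src string) (modulePath string, reqs []Module) {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if m, ok := parseRequirement(line); ok {
				reqs = append(reqs, m)
			}
		case strings.HasPrefix(line, "module "):
			modulePath = strings.TrimSpace(strings.TrimPrefix(line, "module "))
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if m, ok := parseRequirement(strings.TrimPrefix(line, "require ")); ok {
				reqs = append(reqs, m)
			}
		}
	}
	return modulePath, reqs
}

// parseRequirement splits "<path> <version> [// indirect]" into a Module.
func parseRequirement(line string) (Module, bool) {
	indirect := false
	if i := strings.Index(line, "//"); i >= 0 {
		indirect = strings.Contains(line[i:], "indirect")
		line = line[:i]
	}
	f := strings.Fields(line)
	if len(f) != 2 {
		return Module{}, false
	}
	return Module{Path: f[0], Version: f[1], Indirect: indirect}, true
}

// RenderTree draws the root and its direct requirements with the same
// box-drawing glyphs as the unpack output above. The root carries no
// version because go.mod does not record one for the main module.
func RenderTree(modulePath string, reqs []Module) string {
	var b strings.Builder
	b.WriteString("pkg:golang/" + modulePath + "\n")
	for i, m := range reqs {
		glyph := "├"
		if i == len(reqs)-1 {
			glyph = "└"
		}
		fmt.Fprintf(&b, "  %s %s", glyph, m.PURL())
		if m.Indirect {
			b.WriteString(" (indirect)")
		}
		b.WriteString("\n")
	}
	return b.String()
}

// sampleGoMod is a constructed go.mod; the paths and versions are invented.
const sampleGoMod = `module example.com/demo

go 1.22

require (
	github.com/example/direct v1.2.3
	golang.org/x/text v0.14.0 // indirect
)

require github.com/example/single v0.1.0
`

func main() {
	root, reqs := ParseGoMod(sampleGoMod)
	fmt.Print(RenderTree(root, reqs))
}
```

Only direct requirements appear in this rendering; the nested levels in unpack's tree come from walking each dependency's own module graph, which the example leaves out.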

Extract SBOM Dependency Data

To extract data from an SBOM, use unpack sbom:

# Extract the dependency data from an SBOM:
unpack sbom /path/to/sbom.spdx.json

# Same but output the SBOM data in another format:
unpack sbom --format=cyclonedx /path/to/sbom.spdx.json 
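
To show what "extracting dependency data from an SBOM" involves, here is an added Go example that is not unpack's code and does not use the protobom libraries. It parses a constructed minimal SPDX 2.3 JSON document with the standard library, keys every package by its purl external reference (falling back to `name@version` when a package has none, so nothing is dropped silently), and rebuilds the graph from `DESCRIBES`, `DEPENDS_ON` and the inverse `DEPENDENCY_OF` relationships while skipping relationships that point at non-package elements. The package names and versions are invented.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// spdxDoc holds only the SPDX 2.x JSON fields needed to rebuild the
// dependency graph: package identities and the relationships between them.
type spdxDoc struct {
	Packages []struct {
		ID           string `json:"SPDXID"`
		Name         string `json:"name"`
		Version      string `json:"versionInfo"`
		ExternalRefs []struct {
			Type    string `json:"referenceType"`
			Locator string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
	Relationships []struct {
		From string `json:"spdxElementId"`
		To   string `json:"relatedSpdxElement"`
		Type string `json:"relationshipType"`
	} `json:"relationships"`
}

// Graph is the extracted dependency data: the packages the document
// DESCRIBES (roots) and, for each package, the packages it depends on.
type Graph struct {
	Roots []string
	Deps  map[string][]string
}

// ExtractSPDX parses an SPDX JSON document into a Graph keyed by purl.
// A package without a purl external ref is labelled name@version instead.
func ExtractSPDX(data []byte) (Graph, error) {
	var doc spdxDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return Graph{}, fmt.Errorf("parsing SPDX JSON: %w", err)
	}
	label := map[string]string{}
	for _, p := range doc.Packages {
		name := p.Name + "@" + p.Version
		for _, ref := range p.ExternalRefs {
			if ref.Type == "purl" {
				name = ref.Locator
			}
		}
		label[p.ID] = name
	}
	g := Graph{Deps: map[string][]string{}}
	for _, r := range doc.Relationships {
		switch r.Type {
		case "DESCRIBES":
			if l, ok := label[r.To]; ok {
				g.Roots = append(g.Roots, l)
			}
		case "DEPENDS_ON":
			addEdge(g.Deps, label, r.From, r.To)
		case "DEPENDENCY_OF": // "A DEPENDENCY_OF B" means B depends on A
			addEdge(g.Deps, label, r.To, r.From)
		}
	}
	return g, nil
}

// addEdge records from -> to, ignoring endpoints that are not packages
// (files, snippets, external document refs).
func addEdge(deps map[string][]string, label map[string]string, from, to string) {
	f, okF := label[from]
	t, okT := label[to]
	if okF && okT {
		deps[f] = append(deps[f], t)
	}
}

// sampleSPDX is a constructed SPDX 2.3 document; no real project is described.
const sampleSPDX = `{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "demo-sbom",
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.0.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/example.com/app@v1.0.0"}]},
    {"SPDXID": "SPDXRef-lib", "name": "lib", "versionInfo": "0.2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/example.com/lib@v0.2.0"}]},
    {"SPDXID": "SPDXRef-util", "name": "util", "versionInfo": "3.1.0"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-app", "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-lib", "relationshipType": "DEPENDS_ON"},
    {"spdxElementId": "SPDXRef-util", "relatedSpdxElement": "SPDXRef-lib", "relationshipType": "DEPENDENCY_OF"},
    {"spdxElementId": "SPDXRef-app", "relatedSpdxElement": "SPDXRef-File-main", "relationshipType": "CONTAINS"}
  ]
}`

func main() {
	g, err := ExtractSPDX([]byte(sampleSPDX))
	if err != nil {
		panic(err)
	}
	for _, root := range g.Roots {
		fmt.Println(root)
		for _, d := range g.Deps[root] {
			fmt.Println("  ├", d)
		}
	}
}
```

The fallback label matters for review work: an SBOM whose packages lack purls still yields a complete graph, but those nodes cannot be matched against vulnerability or license data by purl, which is worth flagging before relying on the output.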

Patches Welcome!

This tool and its libraries are released under the Apache 2.0 license by Carabiner Systems, Inc. Feel free to contribute improvements or report any problems you find by opening a new issue. We love feedback and want to make the project useful for you.
