BOMs

Bills of Materials stand at the forefront of both BOMnipotent's functionality and its name. A BOM is a list of all components that make up a product. In the context of cybersecurity, the most prominent variant is the Software Bill of Materials (SBOM), but BOMs allow for more general considerations as well.

List

Running the following command will list all BOMs accessible to you:

Input
bomnipotent_client bom list
Output
[INFO] 
╭────────────────────────┬─────────┬─────────────────────────┬───────────┬────────────╮
│ Product                │ Version │ Timestamp               │ TLP       │ Components │
├────────────────────────┼─────────┼─────────────────────────┼───────────┼────────────┤
│ Best Project           │ 3.1.4   │ 2025-01-01 10:11:12 UTC │ TLP:GREEN │ 75         │
│ Your Project           │ 1.0.0   │ 2025-01-01 10:11:12 UTC │ Default   │ 75         │
│ Your Project Container │ 1.2.3   │ 2025-01-01 10:11:12 UTC │ TLP:WHITE │ 939        │
╰────────────────────────┴─────────┴─────────────────────────┴───────────┴────────────╯

BOMs with label TLP:WHITE / TLP:CLEAR are visible to everyone. In this example, your account has access to one BOM with label TLP:AMBER.

The command accepts the optional filters “name” and “version”:

Input (long variant)
bomnipotent_client bom list --name="Your Project" --version="1.0.0"
Input (short variant)
bomnipotent_client bom list -n "Your Project" -v "1.0.0"
Output
[INFO] 
╭──────────────┬─────────┬─────────────────────────┬─────────┬────────────╮
│ Product      │ Version │ Timestamp               │ TLP     │ Components │
├──────────────┼─────────┼─────────────────────────┼─────────┼────────────┤
│ Your Project │ 1.0.0   │ 2025-01-01 10:11:12 UTC │ Default │ 75         │
╰──────────────┴─────────┴─────────────────────────┴─────────┴────────────╯

Download

To create a local copy of all BOMs the server exposes to you, run:

Input
bomnipotent_client bom download /home/boms
Output
[INFO] Storing BOMs under /home/boms

This will store the BOMs in the provided folder ("/home/boms", in this example). It will create the folder structure if it does not already exist. The BOMs are stored in files following the naming scheme {product name}_{product version}.cdx.json.

To avoid inconsistent behaviour across operating systems, the name and version of the product are converted into lowercase, and most special characters are replaced by an underscore ‘_’. This means that, in principle, different products could lead to the same filename. In that case, BOMnipotent will display a warning instead of silently overwriting a file.

Input
tree /home/boms/
Output
/home/boms/
|-- best_project_3.1.4.cdx.json
|-- your_project_1.0.0.cdx.json
`-- your_project_container_1.2.3.cdx.json

1 directory, 3 files
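The following script reproduces the naming scheme described above and checks a list of products for filename collisions before a download. It is an added example, not part of BOMnipotent; the exact set of characters the client replaces is not documented here, so the script assumes that everything outside lowercase letters, digits, '.' and '-' becomes an underscore.

```python
import re
from collections import defaultdict

# Assumed sanitization rule (not taken from the BOMnipotent docs): lowercase,
# then replace every character outside [a-z0-9.-] with '_'.
_KEEP = re.compile(r"[^a-z0-9.\-]")


def sanitize(part: str) -> str:
    """Lowercase a product name or version and replace special characters."""
    return _KEEP.sub("_", part.lower())


def bom_filename(product: str, version: str) -> str:
    """Filename following the scheme {product name}_{product version}.cdx.json."""
    return f"{sanitize(product)}_{sanitize(version)}.cdx.json"


def find_collisions(boms):
    """Group (product, version) pairs by target filename.

    Returns only the filenames that more than one BOM would map to, i.e. the
    cases where the client would warn instead of overwriting a file.
    """
    by_filename = defaultdict(list)
    for product, version in boms:
        by_filename[bom_filename(product, version)].append((product, version))
    return {fn: entries for fn, entries in by_filename.items() if len(entries) > 1}


if __name__ == "__main__":
    # Constructed inventory: the three products from the listing above plus
    # two spellings that collapse onto the same filename after sanitization.
    inventory = [
        ("Best Project", "3.1.4"),
        ("Your Project", "1.0.0"),
        ("Your Project Container", "1.2.3"),
        ("YOUR PROJECT", "1.0.0"),
        ("your/project", "1.0.0"),
    ]
    for product, version in inventory:
        print(f"{product!r} {version} -> {bom_filename(product, version)}")
    for fn, entries in find_collisions(inventory).items():
        print(f"WARNING: {fn} would be written by {len(entries)} BOMs: {entries}")
```

Run it against the product list from `bom list` before a bulk download to learn in advance which BOMs the client will skip with a warning, rather than discovering the collision in the download output.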

Before requesting files for download, BOMnipotent Client makes an inventory of the BOMs already present in the folder, and downloads only the missing ones.

BOMnipotent does not automatically replace existing files, even if they have changed on the server. It instead prints a warning message:

Input
bomnipotent_client bom download /home/boms
Output
[WARN] File ./boms/bomnipotent_1.0.0.cdx.json already exists.
Use the "--overwrite" flag to replace it.
Skipping download to prevent data loss.

You can tell BOMnipotent that you really want this file overwritten by using the “--overwrite” flag:

Input (long variant)
bomnipotent_client bom download /home/boms --overwrite
Input (short variant)
bomnipotent_client bom download /home/boms -o

Analogously to the list command, the download command accepts the filters “name” and “version”, to only download a subset of BOMs:

Input (long variant)
bomnipotent_client bom download /home/boms --name="Your Project" --version="1.0.0"
Input (short variant)
bomnipotent_client bom download /home/boms -n "Your Project" -v "1.0.0"
Output
[INFO] Storing BOMs under /home/boms

Get

You can directly display the contents of a single BOM on the console by calling:

Input
bomnipotent_client bom get "Your Project" "1.0.0" | awk 'NR <= 16'
Output
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:57ba1269-431c-418d-b5bc-b04fc084320b",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-01T10:11:12Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.27.1"
        }

This is especially useful if you want to use the contents of this BOM in a script. For example, to check the supply chain for known vulnerabilities, you can pipe the BOM into a scanner that reads a CycloneDX SBOM from standard input, such as grype:

Input
bomnipotent_client bom get "Your Project" "1.0.0" | grype
Output
NAME    INSTALLED  FIXED-IN  TYPE        VULNERABILITY        SEVERITY  EPSS%  RISK  
rustls  0.23.15    0.23.18   rust-crate  GHSA-qg5g-gv98-5ffh  Medium      N/A    N/A
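Scanners are one consumer of the `bom get` output; any script that understands CycloneDX JSON is another. The script below is an added example (not BOMnipotent code) that reads a BOM from standard input, validates the format fields shown above, summarises the components, and flags components without a package URL (purl), which vulnerability matchers like grype rely on to identify a package. The embedded sample BOM is constructed for the example and is not the page's BOM.

```python
import json
import sys

# Constructed sample in the shape "bom get" prints (not a real BOM from the page).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "version": 1,
    "metadata": {
        "timestamp": "2025-01-01T10:11:12Z",
        "component": {"type": "application", "name": "Your Project", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "name": "rustls", "version": "0.23.15",
         "purl": "pkg:cargo/rustls@0.23.15"},
        {"type": "library", "name": "ring", "version": "0.17.8",
         "purl": "pkg:cargo/ring@0.17.8"},
        # A component without a purl: scanners cannot match it against advisories.
        {"type": "library", "name": "vendored-blob", "version": "unknown"},
    ],
})


def load_cyclonedx(text: str) -> dict:
    """Parse BOM JSON and reject anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX BOM: bomFormat={bom.get('bomFormat')!r}")
    if "specVersion" not in bom:
        raise ValueError("CycloneDX BOM without specVersion")
    return bom


def component_summary(bom: dict) -> list:
    """Return (name, version, purl) for every component; purl is None when absent."""
    return [(c.get("name"), c.get("version"), c.get("purl"))
            for c in bom.get("components", [])]


def components_without_purl(bom: dict) -> list:
    """Names of components a purl-based scanner would silently skip."""
    return [c.get("name") for c in bom.get("components", []) if not c.get("purl")]


def find_component(bom: dict, name: str) -> list:
    """All versions of a named component present in the BOM (e.g. to answer an advisory)."""
    return [c.get("version") for c in bom.get("components", []) if c.get("name") == name]


def main() -> int:
    # Usage: bomnipotent_client bom get "Your Project" "1.0.0" | python3 bom_summary.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BOM
    bom = load_cyclonedx(text)
    meta = bom.get("metadata", {}).get("component", {})
    print(f"{meta.get('name')} {meta.get('version')}: {len(component_summary(bom))} components")
    for name, version, purl in component_summary(bom):
        print(f"  {name} {version} {purl or '(no purl)'}")
    missing = components_without_purl(bom)
    if missing:
        print(f"WARNING: {len(missing)} component(s) without purl: {missing}")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit when purl-less components are present makes the check usable as a pipeline gate: a clean grype run is only meaningful for the components the scanner was actually able to match.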

Existence

The "exists" subcommand checks whether or not at least one object on the server matches some filters. It is available for all commands that accept the "list" subcommand, and accepts the same filters.

Depending on the output mode, the client prints:

  • normal mode: a sentence including the number of found objects.
  • code: the string "200" if at least one item was found, or "404" if none were found.
  • raw: the string "true" if at least one item was found, or "false" if none were found.

Input (long variant)
bomnipotent_client bom exists --name="Your Project" --version="1.0.0"
Input (short variant)
bomnipotent_client bom exists -n "Your Project" -v "1.0.0"
Output
[INFO] Yes, the server contains 1 BOMs matching the filters.