BOMulator is a synthetic Bill of Materials (BOM) simulator, currently for SBOMs, intended for testing, analysis, and research. Whether you are simulating large software supply chains or stress-testing your SBOM ingestion pipeline, BOMulator lets you generate BOMs tailored to your needs.
- Generate synthetic SBOMs with a configurable number of vulnerabilities and package types (e.g. Maven, crates.io, Golang, PyPI, etc.)
- Ingest and parse vulnerability data from OSV
- [Soon] Store structured vulnerability data into a PostgreSQL database
You need Docker or Podman installed.
- Download the OSV data in whichever way you prefer:
  - with a browser, download https://osv-vulnerabilities.storage.googleapis.com/all.zip
  - from a terminal, run

    ```
    curl -O https://osv-vulnerabilities.storage.googleapis.com/all.zip
    ```
- Run BOMulator as a container (replace `podman` with `docker` if you use Docker). Run the command from the directory where you saved `all.zip`, because the current directory is bind-mounted as `/bomulator` inside the container (the `:Z` suffix relabels it for SELinux hosts):

  ```
  podman run -v ./:/bomulator:Z quay.io/mrizzi/bomulator:latest -i /bomulator/all.zip -o /bomulator/
  ```

  You should get output like:

  ```
  Input zip file ingestion
  Output file data gathering
  Created files:
  /bomulator/bomulator-0.1.0-e3b9ad9c-2a58-40fc-8fae-7aaa4baa7d5a.cdx.json
  /bomulator/bomulator-0.1.0-e3b9ad9c-2a58-40fc-8fae-7aaa4baa7d5a.spdx.json
  ```

The two newly generated SBOMs (one CycloneDX JSON, one SPDX JSON) will be in your local directory.
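Before pushing generated SBOMs into an ingestion pipeline, a practitioner usually checks that the file is what it claims to be: every vulnerability entry resolves to a component in the same document, and the package-type mix matches what was requested. The script below is an added example and is not part of BOMulator; it reads any CycloneDX JSON document (for instance the `.cdx.json` file produced above), tallies components by purl type, and flags vulnerabilities whose `affects` references are dangling or absent. The embedded document is a constructed sample, not BOMulator output, and the `TEST-000x` identifiers are placeholders rather than real advisories.

```python
import json
import sys
from collections import Counter

# Constructed sample CycloneDX document (NOT BOMulator output; field names
# follow the public CycloneDX JSON schema). It deliberately contains one
# vulnerability pointing at a bom-ref that does not exist and one with no
# "affects" entry, so the checks below have something to flag.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lib", "version": "1.2.3",
         "bom-ref": "pkg:maven/org.example/lib@1.2.3",
         "purl": "pkg:maven/org.example/lib@1.2.3"},
        {"type": "library", "name": "serde", "version": "1.0.0",
         "bom-ref": "pkg:cargo/serde@1.0.0",
         "purl": "pkg:cargo/serde@1.0.0"},
    ],
    "vulnerabilities": [
        {"id": "TEST-0001",  # placeholder id, resolves to a component
         "affects": [{"ref": "pkg:maven/org.example/lib@1.2.3"}]},
        {"id": "TEST-0002",  # placeholder id, ref matches no component
         "affects": [{"ref": "pkg:npm/missing@0.0.1"}]},
        {"id": "TEST-0003",  # placeholder id, affects nothing at all
         "affects": []},
    ],
})


def purl_type(purl):
    """Return the package type of a purl: 'pkg:maven/org/x@1' -> 'maven'."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    return purl[len("pkg:"):].split("/", 1)[0].lower()


def summarize(doc):
    """Tally components by purl type and cross-check vulnerability refs."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components", [])
    known_refs = {c["bom-ref"] for c in components if "bom-ref" in c}

    by_type = Counter()
    missing_purl = []
    for comp in components:
        purl = comp.get("purl")
        if purl is None:
            missing_purl.append(comp.get("name"))
        else:
            by_type[purl_type(purl)] += 1

    vulns = doc.get("vulnerabilities", [])
    hits = Counter()      # bom-ref -> number of vulnerabilities affecting it
    dangling = []         # (vuln id, ref) where ref matches no component
    orphans = []          # vuln ids that affect nothing
    for vuln in vulns:
        affects = vuln.get("affects", [])
        if not affects:
            orphans.append(vuln.get("id"))
        for entry in affects:
            ref = entry.get("ref")
            if ref in known_refs:
                hits[ref] += 1
            else:
                dangling.append((vuln.get("id"), ref))

    return {
        "components": len(components),
        "by_type": dict(by_type),
        "missing_purl": missing_purl,
        "vulnerabilities": len(vulns),
        "vulns_per_component": dict(hits),
        "dangling_refs": dangling,
        "orphan_vulns": orphans,
    }


def summarize_json(text):
    """Parse a CycloneDX JSON string and summarize it."""
    return summarize(json.loads(text))


def summarize_file(path):
    """Summarize a CycloneDX JSON file on disk, e.g. a generated .cdx.json."""
    with open(path, encoding="utf-8") as fh:
        return summarize(json.load(fh))


if __name__ == "__main__":
    # Usage: python check_cdx.py [path/to/file.cdx.json]; no path -> sample.
    result = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize_json(SAMPLE_CDX)
    print(json.dumps(result, indent=2))
    if result["dangling_refs"] or result["orphan_vulns"] or result["missing_purl"]:
        sys.exit(1)
```

The script exits non-zero when it finds a dangling reference, an orphan vulnerability, or a component without a purl, so it can gate a CI job that feeds generated SBOMs into the pipeline under test.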
The available input options can be listed by running the container without arguments:

```
podman run quay.io/mrizzi/bomulator:latest
```
Examples of how to use this library from Rust code are available in the examples folder. You can try the generate_sboms example by running:

```
cargo run -r --example generate_sboms
```

Pull requests and feedback are welcome! Please open an issue first to discuss major changes.
Check the open issues for the list of upcoming changes and vote for the ones you need or like the most. Thank you.