The default system (`--system dpkg`, or simply omit `--system`). Collects every installed package
from the local dpkg database and then enriches it in two independent steps:
- Collection (`dpkg-query`): package identity, dependencies, maintainer, section/priority, and `Provides`/virtual package resolution.
- `apt-cache` enrichment (skip with `--no-apt-cache`): SHA-256/512/1 and MD5 hashes, download size, and the `.deb` pool filename, via `apt-cache show`.
- Copyright enrichment (skip with `--no-licenses`): SPDX license identifiers and copyright notices, parsed from `/usr/share/doc/<pkg>/copyright` (DEP-5 and legacy free-form formats).
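As an added illustration of the copyright step (example code, not the tool's own parser), a minimal DEP-5 reader that turns a copyright file into SPDX identifiers and copyright notices; the sample file and the short-name-to-SPDX mapping are constructed assumptions, and a legacy free-form file (no `Format:` header) yields nothing rather than a guess:

```python
import re

# Constructed sample DEP-5 copyright file for a hypothetical "example-tool" package (not a real one).
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2019-2023 Example Upstream Authors
License: GPL-2+

Files: debian/*
Copyright: 2021 Jane Packager <jane@example.invalid>
 2022 Another Packager <other@example.invalid>
License: MIT or Expat
"""

# Assumed mapping of common DEP-5 short names to SPDX identifiers (extend as needed).
DEP5_TO_SPDX = {"GPL-2+": "GPL-2.0-or-later", "GPL-2": "GPL-2.0-only", "Expat": "MIT"}


def parse_stanzas(text):
    """Split a DEP-5 file into stanzas: dicts of lowercase field -> value, continuation lines joined."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():  # blank line ends the current stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:  # indented line continues the previous field
            cur[last] += "\n" + line.strip()
        else:
            field, _, value = line.partition(":")
            last = field.strip().lower()
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def extract_licenses(text):
    """Return (sorted SPDX ids, copyright notices); legacy free-form files yield nothing machine-readable."""
    stanzas = parse_stanzas(text)
    if not stanzas or "copyright-format/" not in stanzas[0].get("format", ""):
        return [], []
    ids, notices = set(), []
    for st in stanzas:
        if "files" not in st:
            continue  # header and standalone License stanzas carry no per-file grant
        first_line = st.get("license", "").split("\n", 1)[0]  # the short-name expression
        ids.update(DEP5_TO_SPDX.get(n, n) for n in re.split(r"\s+(?:or|and)\s+|,\s*", first_line) if n)
        notices.extend(st.get("copyright", "").splitlines())
    return sorted(ids), notices
```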
## Options
| Option | Description |
|---|---|
| `--distro ID` | Override the distro identifier used in package PURLs (e.g. `ubuntu`, `debian`). Auto-detected from `/etc/os-release` if omitted. |
| `--no-apt-cache` | Skip `apt-cache show` enrichment. Hashes and download metadata will be absent for most packages. |
| `--no-licenses` | Skip reading copyright files. The `licenses` field will be empty on all components. |
## `metadata.component`
- Without `--product-name`: `metadata.component` describes the scanned operating system itself (type `operating-system`, name/version/description from `/etc/os-release`). This is the default for a plain `whatever2sbom --product-supplier "..."` run, which fits since `dpkg` scans every installed package on that OS, including the kernel and base system.
- With `--product-name`: `metadata.component` describes your product instead, and becomes the root of the dependency tree. Its CycloneDX `type` also defaults to `operating-system`; pass `--product-type firmware` if the scanned system is itself a firmware/appliance image (a common case for BSI TR-03183-2).
See Getting started for full examples.