Unpack is a versatile CLI tool and library for analyzing software components. It goes beyond simple file extraction, providing deep insights into dependencies within codebases, artifacts, and Software Bills of Materials (SBOMs).
Whether you're a developer, security researcher, or compliance officer, Unpack helps you understand the composition of your software.
- Dependency Extraction: Analyzes source code to discover dependencies for various languages.
- SBOM Parsing: Reads and understands major SBOM formats like SPDX and CycloneDX.
- Multiple Output Formats: Displays dependencies as a visual tree or exports to standard SBOM formats.
- Extensible Architecture: Easily extendable to support new languages and package managers.
- Attestation Support: Wraps SBOM outputs in an in-toto attestation for verifiable supply chain security.
unpack is an experimental project. We are actively developing it and welcome feedback. Initial support focuses on Go, Rust, and NPM codebases, with more on the way. Dependency extraction from SBOMs is powered by the native protobom unserializers.
Pre-release binaries are available for Linux, macOS, and Windows.
Download the latest prerelease
To install the latest development version directly from the source, use the Go compiler:
```shell
go install github.com/carabiner-dev/unpack@main
```

Unpack provides two main commands: `extract` and `sbom`.
Use extract to discover dependencies directly from a source code repository.
Example: Basic Tree View

```shell
# Analyze the codebase in the current directory and display a dependency tree
unpack extract .
```

Output:

```
pkg:golang/github.com/carabiner-dev/unpack@v0.1.0-pre3.1+0400cac1
├ pkg:golang/github.com/titanous/rocacheck@v0.0.0-20171023193734-afe73141d399
├ pkg:golang/google.golang.org/protobuf@v1.36.5
│ ├ pkg:golang/github.com/google/go-cmp@v0.5.5
...
```
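To work with that tree output programmatically, here is an added Python parser (not part of unpack) that turns the printed tree into linked dependency nodes and answers the triage question of which direct dependency pulled a given package in. It assumes the layout shown above: one two-character prefix cell per nesting level, `├ ` for a child and, as an assumption, `└ ` for a last child; the sample tree is constructed from the lines above plus one made-up leaf.

```python
import re
from dataclasses import dataclass

# Constructed sample: the lines shown above plus a duplicate grandchild and a
# "└ " last child (assumed marker) so both branch glyphs are exercised.
SAMPLE_TREE = """\
pkg:golang/github.com/carabiner-dev/unpack@v0.1.0-pre3.1+0400cac1
├ pkg:golang/github.com/titanous/rocacheck@v0.0.0-20171023193734-afe73141d399
├ pkg:golang/google.golang.org/protobuf@v1.36.5
│ ├ pkg:golang/github.com/google/go-cmp@v0.5.5
│ └ pkg:golang/github.com/google/go-cmp@v0.5.5
└ pkg:golang/example.invalid/constructed/leaf@v0.0.1
"""
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^@]+)@(?P<version>\S+)$")

@dataclass
class Dep:
    purl: str
    type: str
    name: str            # last path segment of the purl, e.g. "go-cmp"
    version: str
    parent: "Dep | None"

def parse_tree(text: str) -> list[Dep]:
    """Depth = two-character prefix cells ("│ ", "├ ", "└ ", "  ") before "pkg:";
    parent = most recent node one level up. Lines without a purl ("...") skip."""
    deps: list[Dep] = []
    stack: list[Dep] = []          # stack[d] = last node seen at depth d
    for line in text.splitlines():
        idx = line.find("pkg:")
        if idx < 0:
            continue
        m = PURL_RE.match(line[idx:])
        if not m:
            raise ValueError(f"unparseable purl: {line[idx:]!r}")
        depth = idx // 2
        parent = stack[depth - 1] if depth > 0 else None
        dep = Dep(m.group(0), m["type"], m["path"].rsplit("/", 1)[-1], m["version"], parent)
        del stack[depth:]          # leaving a subtree: forget deeper nodes
        stack.append(dep)
        deps.append(dep)
    return deps

def path_of(dep: Dep) -> list[str]:
    """Root-to-dep chain of purls."""
    return ([] if dep.parent is None else path_of(dep.parent)) + [dep.purl]

def paths_to(deps: list[Dep], name: str) -> list[list[str]]:
    """Every chain ending in a package with this name: which dependency pulled it in?"""
    return [path_of(d) for d in deps if d.name == name]
```

Feed it the saved output of `unpack extract .` (for example, `paths_to(parse_tree(open("tree.txt").read()), "go-cmp")`) to list every path by which a package of interest entered the graph.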
Example: Generate an SPDX SBOM

```shell
# Output the dependency graph as an SPDX JSON file
unpack extract --format=spdx-json /path/to/your/code > my-project.spdx.json
```

Example: Create a Signed Attestation

```shell
# Generate an SPDX SBOM and wrap it in a signed in-toto attestation
unpack extract --attest --format=spdx-json /path/to/your/code
```

Use `sbom` to read, convert, and re-export existing SBOM files.
```shell
# Read an SPDX SBOM and display its contents as a tree
unpack sbom /path/to/sbom.spdx.json

# Convert an SPDX SBOM to the CycloneDX format
unpack sbom --format=cyclonedx-json /path/to/sbom.spdx.json
```

Use `ls` to scan a directory and list the codebases found, along with their IDs. These IDs can then be used with the `extract` command.
Example: List codebases in a directory (table format)

```shell
# List all discovered codebases in the current directory
unpack ls .
```

Output:

```
ID                LANGUAGE  PATH
golang:.          golang    .
npm:frontend      npm       frontend
rust:backend/api  rust      backend/api
```

Example: List codebases in JSON format

```shell
unpack ls --format=json /path/to/project
```

Example: List codebases ignoring specific patterns

```shell
unpack ls --ignore "*/testdata/*" --ignore "temp/" .
```

Unpack includes decomposers for four package ecosystems. See the decomposer documentation for details.
| Ecosystem | Lock file | Manifest | Remote enrichment |
|---|---|---|---|
| Go | go.sum | go.mod | Go module proxy |
| Maven | (none) | pom.xml | Maven Central |
| npm | package-lock.json | package.json | (none) |
| Rust | Cargo.lock | Cargo.toml | crates.io API |
Support for more ecosystems is planned.
We welcome contributions! Whether it's reporting a bug, suggesting a feature, or submitting a pull request, your feedback is valuable.
- Open an Issue: If you find a problem or have an idea for an improvement, please open a new issue.
- Pull Requests: Feel free to fork the repository and submit a pull request with your changes.
This tool and its libraries are released under the Apache 2.0 License and are copyright Carabiner Systems, Inc. See the LICENSE file for more details. Feel free to open issues to report problems or request features. Patches are welcome!