NYU DTCC VIP Project - Fall 2025

SBOM generation with Dynamic invoked libraries

A script for generating SBOM that can detect runtime (dynamic) invoked libraries.

Most existing SBOM tools generate their output using only static indicators, such as:

• Imports declared in the source code.

• Dependency files that list required libraries (requirements.txt or pom.xml).

• Binaries stored within project directory.

Requirements

1. Requires a linux environment, since it makes use of strace system call.

2. Syft SBOM generation tool.

3. Current implementation of the script requires that you already have an output file generated by running strace.

Using Docker

1. Build the docker image

docker build -t <image-name> .

2. Run the image

docker run -it <image-name>

Running the program

Prior to running the program, you will need the strace file to be generated

# generate the strace output file
strace -f -o <strace_output_file> <Command to run the program>

If you want to make use of the test files:

# first generate the strace file
cd /app/test
./run_strace.sh

# running the script is same as : strace -f -o strace_output.txt java -cp ".:../test_libraries/log4j-api-2.25.2.jar:../test_libraries/log4j-core-2.25.2.jar" DynamicLog4jExample.java

Running the program:

python3 sbom_script.py <directory-name> <strace-output-file>

# the test directory contains test_programs, and test_libraries
# run the script on the test like follows:
python3 sbom_script.py test/test_programs strace_output.txt

This will run the syft tool on that directory and include the dynamic libraries found using strace.

Demo

1. Creating the strace file for running the program

2. Running the program

Acknowledgment

1. Anchore inc. Syft tool