The surfactant plugin system uses the pluggy module. This module is used by projects such as pytest and tox for their plugin systems; installing and writing plugins for surfactant is a similar to using plugins for those projects. Most of the core surfactant functionality is also implemented as plugins (see surfactant/output, surfactant/infoextractors, surfactant/filetypeid, and surfactant/relationships).
In order to create a plugin, you will need to write your implementation for one or more of the functions in the hookspec.py file. Which functions you implement will depend on the goals of your plugin.
- Return a string representation of the type of file passed in
- Determine how file info is supposed to be extracted
- Determines how to establish relationships between the software/metadata that has been passed to it
- Determine what format to write the SBOM to file
- If reading from input SBOMs, specifies what format the input SBOMs are
Once you have written your plugin, you will need to write a pyproject.toml file. Include any relevant project metadata/dependencies for your plugin, as well as an entry-point specification (example below) to make the plugin discoverable by surfactant. Once you write your .toml file, you can surfactant plugin install <path to plugin's folder>
to install your plugin. Alternatively, you can pip install <path to plugin's folder>
your plugin.
More information on entry points can be found here
import surfactant.plugin
from surfactant.sbomtypes import SBOM
@surfactant.plugin.hookimpl
def write_sbom(sbom: SBOM, outfile) -> None:
outfile.write(sbom.to_json(indent=10))
... generic pyproject info ...
[project.entry-points."surfactant"]
sampleplugin = "sampleplugin"
Run surfactant plugin install <path to plugin's folder>
to install the plugin. Surfactant will automatically load and use the plugin. Alternatively, from the same folder as your sampleplugin files, run pip install .
.
Consider uploading your plugin to PyPI for easy sharing and to enable installation using the PyPI package name of the plugin. If the package is on PyPI, run surfactant plugin install <plugin name>
.
Another example can be found in the plugins/checksec.py folder. There you can see the pyproject.toml file with the [project.entry-points."surfactant"]
entry. In the surfactantplugin_checksec.py file, you can identify the hooked functions with the @surfactant.plugin.hookimpl
hook.