Skip to main content

Software Bill of Material (SBOM) merge tool

Project description

SBOMMerge

SBOMMerge merges two Software Bill of Materials (SBOMs) documents together. It supports SBOMs created in both SPDX and CycloneDX formats.

Installation

To install use the following command:

pip install sbommerge

Alternatively, just clone the repo and install dependencies using the following command:

pip install -U -r requirements.txt

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially if you are using different versions of python. virtualenv is a tool for setting up virtual python environments which allows you to have all the dependencies for the tool set up in a single environment, or have different environments set up for testing using different versions of Python.

Usage

usage: sbommerge [-h] [--sbom {auto,spdx,cyclonedx}] [-d] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V] FILE1 FILE2

SBOMMerge merges two Software Bill of Materials (SBOMs) documents together.

positional arguments:
  FILE1                 first SBOM file
  FILE2                 second SBOM file

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  --sbom {auto,spdx,cyclonedx}
                        specify type of sbom to merge (default: auto)

Output:
  -d, --debug           show debug information
  --format {tag,json,yaml}
                        specify format of generated sbom (default: tag)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)

Operation

The --sbom option is used to specify the format of the SBOM files. The default is for the type and format of the SBOM to be automatically detected based on the extension of the file name.

SBOM Type Version Extension Format
SPDX 2.3 .spdx TagValue
SPDX 2.3 .spdx.json JSON
SPDX 2.3 .spdx.yml YAML
SPDX 2.3 .spdx.yaml YAML
CycloneDX 1.4 .json JSON
CycloneDX 1.5 .json JSON

Details of the formats for each of the supported SBOM formats are available for SPDX and CycloneDX.

For SPDX SBOM files, it is assumed that the name of a Package precedes the version information for the package. Only modules with a package name and associated version information shall be processed.

The --output-file option is used to control the destination of the output generated by the tool. The default is to report to the console but can be stored in a file (specified using --output-file option).

Implementation Notes

The following design decisions have been made in processing the SBOM files:

  1. Package data is merged if the package version matches. Otherwise separate packages will be created.

  2. It is assumed that the SBOM is valid and contains syntactically valid data. Invalid files will be silently ignored.

  3. A non-zero return value indicates that differences were detected.

License

Licensed under the Apache 2.0 Licence.

Limitations

This tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool are therefore reminded that they should assert the quality of any data which is provided to the tool.

Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

sbommerge-0.2.0-py2.py3-none-any.whl (25.3 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file sbommerge-0.2.0-py2.py3-none-any.whl.

File metadata

  • Download URL: sbommerge-0.2.0-py2.py3-none-any.whl
  • Upload date:
  • Size: 25.3 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.8

File hashes

Hashes for sbommerge-0.2.0-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 b75ae56d6b0464122e03cb7261276b8b87568407f8f83a9dc3bf28639ec60e12
MD5 83249bd7120b5ba704d5c48b98d367fa
BLAKE2b-256 fe26015bb1c526a1a2f884cf4bf4a604e7fa39403480aaff7fddaf1c8daed647

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page