Lockheed Martin-developed utility to compare two SBOMs
SBomComparator compares two Software Bills of Materials (SBOMs), commonly referred to as SBoms or Boms.
It uses the CycloneDX schema, consumes SBoms in either JSON or XML, and produces a difference report in either JSON or XML.
The difference report is also rendered as an automatically generated HTML page.
- OpenJDK 11
- Apache Maven 3.6.3 or greater installed
- (Recommended) the Eclipse Java IDE with the Subclipse 4.3.0 plug-in
- Two Software Bills of Materials to compare
```
mvn clean package
```
To run as a standalone Java application, see the "example.sh" shell script for an example. You can also use the provided "compare.sh" script as a pass-through to the jar; it assumes all the basic settings.
```
./compare.sh -h
usage: help
 -f, --format <arg>         (Optional) output file format, Valid values json, xml. Default is xml
 -f1, --orgsbom <arg>       original SBom file
 -f2, --newsbom <arg>       new SBom file
 -h, --help                 will print out the command line options.
 -o, --output <arg>         (Optional) output file name, default is diff.json or diff.xml
 -ob, --outputBomFile <arg> (Optional) output file of the diff bom, default is diffBom.xml
 -t, --htmloutput <arg>     (Optional) output html file name, default name is sbomcompared
```
```
./compare.sh -f1 ./test/OrgSbom.xml -f2 ./test/ModifiedSbom.xml -o ./test/output -f xml -t ./test/output -ob ./test/newBom
```
From Java code, the same comparison is two calls:
```java
import java.io.File;
// Parse an SBom file (JSON or XML) into a CycloneDX Bom model
Bom bom = SBomFileUtils.processFile(new File(fileName));
// Compare an original and a new Bom; the result holds the component differences
SBomDiff diff = SBomCompareUtils.compareComponents(originalBom, newBom);
```
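The comparison the tool performs (read two CycloneDX SBoms, in JSON or XML, and report which components were added, removed or changed version) is shown below as an added example written for this page; it is not SBomComparator's own code. It keys components on their `name`, which is an assumption, since the tool's actual matching rules are not described here; the sample SBoms are constructed, and the original is JSON while the new one is XML to show that the two inputs need not share a format.

```python
"""Minimal CycloneDX SBOM diff in Python (added example, not the tool's code)."""
import json
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the CycloneDX XML namespace from an element tag."""
    return tag.split("}")[-1]


def load_components(text: str) -> dict:
    """Parse an SBOM given as JSON or XML text into {name: {"version", "purl"}}."""
    stripped = text.lstrip()
    comps = {}
    if stripped.startswith("{"):
        # CycloneDX JSON: top-level "components" array
        for c in json.loads(stripped).get("components", []):
            comps[c["name"]] = {"version": c.get("version"), "purl": c.get("purl")}
    else:
        # CycloneDX XML: every namespace-qualified <component>, nested ones included
        for el in ET.fromstring(stripped).iter():
            if _local(el.tag) != "component":
                continue
            fields = {_local(child.tag): (child.text or "").strip() for child in el}
            if fields.get("name"):
                comps[fields["name"]] = {"version": fields.get("version"),
                                         "purl": fields.get("purl")}
    return comps


def compare_components(original: dict, new: dict) -> dict:
    """Report components added, removed, or whose version changed (keyed on name, an assumption)."""
    added = sorted(set(new) - set(original))
    removed = sorted(set(original) - set(new))
    changed = {
        name: {"from": original[name]["version"], "to": new[name]["version"]}
        for name in sorted(set(original) & set(new))
        if original[name]["version"] != new[name]["version"]
    }
    return {"added": added, "removed": removed, "changed": changed}


def diff_sboms(original_text: str, new_text: str) -> dict:
    """Parse both SBOMs (each may be JSON or XML) and compare them."""
    return compare_components(load_components(original_text), load_components(new_text))


# Constructed sample SBOMs: the original is JSON, the new one is XML.
ORIGINAL_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.12.3",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"},
        {"type": "library", "name": "commons-io", "version": "2.8.0",
         "purl": "pkg:maven/commons-io/commons-io@2.8.0"},
    ],
})

NEW_XML = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>log4j-core</name>
      <version>2.17.1</version>
      <purl>pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1</purl>
    </component>
    <component type="library">
      <name>jackson-databind</name>
      <version>2.12.3</version>
      <purl>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3</purl>
    </component>
    <component type="library">
      <name>guava</name>
      <version>31.0.1-jre</version>
      <purl>pkg:maven/com.google.guava/guava@31.0.1-jre</purl>
    </component>
  </components>
</bom>"""

if __name__ == "__main__":
    # Emit the difference report as JSON, one of the two output formats the tool supports
    print(json.dumps(diff_sboms(ORIGINAL_JSON, NEW_XML), indent=2))
```

Running the script reports `guava` as added, `commons-io` as removed and `log4j-core` as changed from 2.14.1 to 2.17.1; in a supply-chain review those three buckets are exactly what a reviewer wants to see between a baseline SBom and a newly built one.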
The difference report automatically generates a graphical display. If the user does not give a location with "-t", the file is created at the root of the project with the name "sbomcompared.html".