Skip to content
/ sbom-combiner Public
forked from CycloneDX/sbom-combiner

Lockheed Martin developed utility to combine multiple CycloneDX SBOMs

cyclonedx.org/

License

View license
0 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

wrgoff/sbom-combiner

BranchesTags
 
 

Repository files navigation

sbom-combiner

Lockheed Martin developed utility to combine multiple SBOMs

This application is used to combine two or more Software Bill Of Materials (SBOM) commonly known as SBoms or Boms into a single Bom. It uses the CycloneDx Schema, and can combine SBoms in either JSon or XML, and output either a JSon or XML Bom.

Prerequisites

  • Open JDK11
  • Apache Maven 3.6.3 or greater installed
  • (Recommended) java IDE Eclipse with Subclipse 4.3.0 plug-in

Usage:

Build artifact via maven.

Maven Command

mvn clean package

Run

To run as a standalone java application, you can look at the "example.sh" shell script for an example. You can also use the provided "combine.sh" script as a pass through to the jar. It assumes all the basic settings.

Help is available.

    ./combine.sh -h

Help Output shows options for running the SBomCombiner application.

usage: help
    -d,     --dir       <arg>   (Optional) directory to get all SBoms from
    -f,     --format    <arg>   (Optional) output file format, Valid values json, xml.  Default is json
    -f1,    --sbom1     <arg>   (Optional) first SBom file
    -f2,    --sbom2     <arg>   (Optional) second SBom file
    -g,     --group     <arg>   (Optional) group name for the upper level Component of the combined SBom
    -h,     --help              will print out the command line options.
    -n,     --name      <arg>   (Optional) name of upper level component of the combined SBom
    -o,     --output    <arg>   (Optional) output file name, default is combine.json or combine.xml
    -t,     --type      <arg>   (Optional) Type of upper level component of the combined SBom.  Valid types are APPLICATION, CONTAINER, DEVICE, FILE, FIRMWARE, FRAMEWORK, LIBRARY, or OPERATING_SYSTEM.  Default value is CONTAINER.
    -v      --version   <arg>   (Optional) Version of the upper level component of the combined SBom.

Running SBomCombiner.

In this example it wil combine all files (xml, and json) from the directory ./test into an output.json (also in ./test) bom file.

    ./combine.sh -d ./test -o ./test/output -f json

In this example it will combine two files (sbomcommons.json, sbomcomparator.xml) both in the test directory into an ouptut.xml bom file.

    ./combine.sh -f1 ./test/sbomcommons.json -f2 ./test/sbomcomparator.xml -o output -f xml

In this example it wil combine all files (xml, and json) from the directory ./test into an output.xml (also in ./test) bom file. Settings the upper level SBOM metadata Component's group, name, and version.

    ./combine.sh -d ./test/ -o ./test/output -f xml -n SBOM -g com.lmco.efoss -v 2.0.3

API:

You can also pull in the API and run it inside your application.

    //sbomFiles is a list of strings that are the SBoms to combine.
    Bom combinedSbom = SBomCombiner.combineSBoms(sbomFiles);

License

licenses

About

Lockheed Martin developed utility to combine multiple CycloneDX SBOMs

cyclonedx.org/

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Java 99.3%
  • Shell 0.7%