This repository was archived by the owner on Feb 27, 2024. It is now read-only.

CycloneDX/sbom-combiner


sbom-combiner

Lockheed Martin developed utility to combine multiple SBOMs

This application combines two or more Software Bills of Materials (SBOMs, also written SBoms or Boms) into a single BOM. It uses the CycloneDX schema, accepts input SBOMs in either JSON or XML, and writes the combined BOM as either JSON or XML.

Prerequisites

  • OpenJDK 11
  • Apache Maven 3.6.3 or greater installed
  • (Recommended) the Eclipse Java IDE with the Subclipse 4.3.0 plug-in

Usage:

Build artifact via maven.

Maven Command

mvn clean package

Run

To run as a standalone Java application, see the "example.sh" shell script for an example. You can also use the provided "combine.sh" script as a pass-through to the jar; it assumes all the basic settings.

Help is available.

    ./combine.sh -h

The help output lists the options for running the SBomCombiner application.

usage: help
    -d,     --dir       <arg>   (Optional) directory to get all SBoms from
    -f,     --format    <arg>   (Optional) output file format, Valid values json, xml.  Default is json
    -f1,    --sbom1     <arg>   (Optional) first SBom file
    -f2,    --sbom2     <arg>   (Optional) second SBom file
    -g,     --group     <arg>   (Optional) group name for the upper level Component of the combined SBom
    -h,     --help              will print out the command line options.
    -n,     --name      <arg>   (Optional) name of upper level component of the combined SBom
    -o,     --output    <arg>   (Optional) output file name, default is combine.json or combine.xml
    -t,     --type      <arg>   (Optional) Type of upper level component of the combined SBom.  Valid types are APPLICATION, CONTAINER, DEVICE, FILE, FIRMWARE, FRAMEWORK, LIBRARY, or OPERATING_SYSTEM.  Default value is CONTAINER.
    -v,     --version   <arg>   (Optional) Version of the upper level component of the combined SBom.

Running SBomCombiner.

In this example it will combine all files (xml and json) from the directory ./test into an output.json bom file (also in ./test).

    ./combine.sh -d ./test -o ./test/output -f json

In this example it will combine two files (sbomcommons.json and sbomcomparator.xml), both in the test directory, into an output.xml bom file.

    ./combine.sh -f1 ./test/sbomcommons.json -f2 ./test/sbomcomparator.xml -o output -f xml

In this example it will combine all files (xml and json) from the directory ./test into an output.xml bom file (also in ./test), setting the group, name, and version of the combined SBOM's top-level metadata component.

    ./combine.sh -d ./test/ -o ./test/output -f xml -n SBOM -g com.lmco.efoss -v 2.0.3

API:

You can also pull in the API and call it from inside your own application.

    // sbomFiles is a list of strings: the paths of the SBOM files to combine.
    Bom combinedSbom = SBomCombiner.combineSBoms(sbomFiles);
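A fuller example of driving the API from your own code. This is an added example, not code from the project or its README: it gathers the SBOMs from a directory (what the CLI's -d option does), calls SBomCombiner.combineSBoms, sets the top-level metadata component (what -t/-n/-g/-v do on the command line), flags any component that ended up in the merged BOM under more than one version, and writes the result as JSON with cyclonedx-core-java. The package of SBomCombiner, the class name CombineAndCheck, the group/name/version values, and the BomGeneratorFactory/CycloneDxSchema API (cyclonedx-core-java 5.x to 7.x) are assumptions; adjust them to the jar you actually build against.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;

import org.cyclonedx.BomGeneratorFactory;
import org.cyclonedx.CycloneDxSchema;
import org.cyclonedx.model.Bom;
import org.cyclonedx.model.Component;
import org.cyclonedx.model.Metadata;

// ASSUMPTION: the README does not state the package of SBomCombiner; replace this
// import with the package the built jar actually exposes.
import com.lmco.efoss.sbom.combiner.SBomCombiner;

public class CombineAndCheck {

    /** Collect every .json and .xml file directly under inputDir, like the CLI's -d option. */
    static List<String> collectSbomFiles(Path inputDir) throws IOException {
        List<String> files = new ArrayList<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(inputDir, "*.{json,xml}")) {
            for (Path p : ds) {
                files.add(p.toString());
            }
        }
        return files;
    }

    /**
     * Post-merge sanity check. The same group:name appearing with more than one version
     * usually means the input SBOMs came from builds that disagree on a dependency, or
     * that a stale SBOM was included. Returns group:name -> versions, only where 2+ versions exist.
     */
    static Map<String, TreeSet<String>> findVersionConflicts(Bom bom) {
        Map<String, TreeSet<String>> versions = new HashMap<>();
        if (bom.getComponents() == null) {
            return versions;
        }
        for (Component c : bom.getComponents()) {
            String key = (c.getGroup() == null ? "" : c.getGroup() + ":") + c.getName();
            String version = c.getVersion() == null ? "(no version)" : c.getVersion();
            versions.computeIfAbsent(key, k -> new TreeSet<>()).add(version);
        }
        versions.values().removeIf(v -> v.size() < 2);
        return versions;
    }

    public static void main(String[] args) throws Exception {
        Path inputDir = Path.of(args.length > 0 ? args[0] : "./test");
        Path output = Path.of(args.length > 1 ? args[1] : "./test/output.json");

        List<String> sbomFiles = collectSbomFiles(inputDir);
        if (sbomFiles.size() < 2) {
            throw new IllegalArgumentException("need at least two SBOMs to combine, found " + sbomFiles.size());
        }
        Bom combined = SBomCombiner.combineSBoms(sbomFiles);

        // Say what the merged BOM is a BOM *of*, as the CLI's -t/-n/-g/-v flags do.
        // Hypothetical values; keep whatever metadata the combiner already set.
        Metadata metadata = combined.getMetadata() != null ? combined.getMetadata() : new Metadata();
        Component root = new Component();
        root.setType(Component.Type.CONTAINER);
        root.setGroup("com.lmco.efoss");
        root.setName("SBOM");
        root.setVersion("2.0.3");
        metadata.setComponent(root);
        combined.setMetadata(metadata);

        Map<String, TreeSet<String>> conflicts = findVersionConflicts(combined);
        conflicts.forEach((name, vers) ->
                System.err.println("WARNING: " + name + " present in multiple versions: " + vers));

        // ASSUMPTION: BomGeneratorFactory/CycloneDxSchema as in cyclonedx-core-java 5.x to 7.x;
        // newer releases moved the schema version enum to org.cyclonedx.Version.
        String json = BomGeneratorFactory
                .createJson(CycloneDxSchema.Version.VERSION_13, combined)
                .toJsonString();
        Files.writeString(output, json);
        System.out.println("wrote " + output + " with "
                + (combined.getComponents() == null ? 0 : combined.getComponents().size())
                + " components, " + conflicts.size() + " version conflict(s)");
    }
}
```

The version-conflict pass is the check worth keeping around: a merged BOM that silently carries two versions of the same library is exactly the case a vulnerability scan has to see both copies of, and a conflict that surprises you is usually a sign that one of the input SBOMs was produced from an older build than the artifact you are shipping.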

License

licenses
