# SBOMDiff
SBOMDiff is a tool to compare two Software Bill of Materials (SBOM) files and
reports the differences. It supports SBOMs created in both
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org) formats.
The following differences are detected:
- Package version changes
- Package license changes
- Package removed
- Package added
## Installation
To install use the following command:
`pip install sbomdiff`
Alternatively, just clone the repo and install dependencies using the following command:
`pip install -U -r requirements.txt`
The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.
## Usage
```
usage: sbomdiff [-h] [--sbom {auto,spdx,cyclonedx}] [--exclude-license] [-d] [-o OUTPUT_FILE] [-f {text,json,yaml}] [-V] FILE1 FILE2
SBOMDiff compares two Software Bill of Materials and reports the differences.
positional arguments:
FILE1 first SBOM file
FILE2 second SBOM file
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
Input:
--sbom {auto,spdx,cyclonedx}
specify type of sbom to compare (default: auto)
--exclude-license suppress reporting differences in the license of components
Output:
-d, --debug show debug information
-o OUTPUT_FILE, --output-file OUTPUT_FILE
output filename (default: output to stdout)
-f {text,json,yaml}, --format {text,json,yaml}
specify format of output file (default: text)
```
## Operation
The `--sbom` option is used to specify the format of the SBOM files. The default is for the type and format of the SBOM to be
automatically detected based on the extension of the file name.
| SBOM Type | Version | Extension |Format |
| --------- | --------- | ---------------|---------------|
| SPDX | 2.3 | .spdx | TagValue |
| SPDX | 2.3 | .spdx.rdf | RDF |
| SPDX | 2.3 | .spdx.json | JSON |
| SPDX | 2.3 | .spdx.yml | YAML |
| SPDX | 2.3 | .spdx.yaml | YAML |
| SPDX | 2.3 | .spdx.xml | XML |
| CycloneDX | 1.4 | .xml | XML |
| CycloneDX | 1.4 | .json | JSON |
Details of the formats for each of the supported SBOM formats are available for
[SPDX](https://spdx.dev/) and [CycloneDX](https://cyclonedx.org/).
For SPDX SBOM files, it is assumed that the name of a Package precedes the version information for the package.
Only modules with a package name and associated version information shall be processed.
The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).
## Implementation Notes
The following design decisions have been made in processing the SBOM files:
1. The comparison only considers package names, package versions and licenses. Other differences are not detected.
2. It is assumed that the SBOM is valid and contains syntactically valid data. Invalid files will be silently ignored.
3. SBOMs which do not match the format of the SBOM to be processed when specified using the `--sbom` option is likely to result in incorrect differences being reported.
4. In SPDX format, the tool assumes that the name of a package is followed by the version and license of the package.
5. If there are multiple instances of a package included in the SBOM, only the first instance will be processed.
6. In CycloneDX format, if the _licenses_ section is not present for a component but the _evidence_ section is, the
license contained within the _evidence_ section shall be used.
7. If a license cannot be detected, the tool uses 'NOT FOUND' as the license to be used in the difference comparison.
8. A non-zero return value indicates that differences were detected.
## Sample Output
```
[LICENSE] glibc: License changed from GPL-2.0-only to (LGPL-2.0-only OR LicenseRef-3)
[LICENSE] Saxon: License changed from Apache-2.0 to MPL-1.0
[VERSION] rich: Version changed from 11.0.0 to 12.5.1
[REMOVED] colorama: Module removed (Version 0.4.4)
[VERSION] pygments: Version changed from 2.11.2 to 2.13.0
Summary
-------
Version changes: 2
License changes: 2
Removed packages: 1
New packages: 0
```
The following is an example of an output file in JSON format:
```json
{
"tool": {
"name": "sbomdiff",
"version": "0.4.2"
},
"file_1": "file1.json",
"file_2": "file2.spdx",
"differences": [
{
"package": "glibc",
"status": "change",
"license": {
"from": "GPL-2.0-only",
"to": "(LGPL-2.0-only OR LicenseRef-3)"
}
},
{
"package": "saxon",
"status": "change",
"license": {
"from": "Apache-2.0",
"to": "MPL-1.0"
}
},
{
"package": "rich",
"status": "change",
"version": {
"from": "11.0.0",
"to": "12.5.1"
},
},
{
"package": "colorama",
"status": "remove",
"version": {
"from": "0.4.4"
},
},
{
"package": "pygments",
"status": "change",
"version": {
"from": "11.0.0",
"to": "12.5.1"
},
}
],
"summary": {
"version_changes": "2",
"new_packages": "0"
"removed_packages": "1",
"license_changes": "2",
}
}
```
## License
Licensed under the Apache 2.0 License.
## Limitations
This tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data
which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool
are therefore reminded that they should assert the quality of any data which is provided to the tool.
## Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.
Raw data
{
"_id": null,
"home_page": "https://github.com/anthonyharrison/sbomdiff",
"name": "sbomdiff",
"maintainer": "Anthony Harrison",
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": "anthony.p.harrison@gmail.com",
"keywords": "security, tools, SBOM, DevSecOps, SPDX, CycloneDX",
"author": "Anthony Harrison",
"author_email": "anthony.p.harrison@gmail.com",
"download_url": null,
"platform": null,
"description": "# SBOMDiff\n\nSBOMDiff is a tool to compare two Software Bill of Materials (SBOM) files and\nreports the differences. It supports SBOMs created in both\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org) formats.\n\nThe following differences are detected:\n\n- Package version changes\n- Package license changes\n- Package removed\n- Package added\n\n## Installation\n\nTo install use the following command:\n\n`pip install sbomdiff`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## Usage\n\n```\nusage: sbomdiff [-h] [--sbom {auto,spdx,cyclonedx}] [--exclude-license] [-d] [-o OUTPUT_FILE] [-f {text,json,yaml}] [-V] FILE1 FILE2\n\nSBOMDiff compares two Software Bill of Materials and reports the differences.\n\npositional arguments:\n FILE1 first SBOM file\n FILE2 second SBOM file\n\noptions:\n -h, --help show this help message and exit\n -V, --version show program's version number and exit\n\nInput:\n --sbom {auto,spdx,cyclonedx}\n specify type of sbom to compare (default: auto)\n --exclude-license suppress reporting differences in the license of components\n\nOutput:\n -d, --debug show debug information\n -o OUTPUT_FILE, --output-file OUTPUT_FILE\n output filename (default: output to stdout)\n -f {text,json,yaml}, --format {text,json,yaml}\n specify format of output file (default: text)\n```\n\t\t\t\t\t\t\n## Operation\n\nThe `--sbom` option is used to specify the format of the SBOM files. The default is for the type and format of the SBOM to be\nautomatically detected based on the extension of the file name.\n\n| SBOM Type | Version | Extension |Format |\n| --------- | --------- | ---------------|---------------|\n| SPDX | 2.3 | .spdx | TagValue |\n| SPDX | 2.3 | .spdx.rdf | RDF |\n| SPDX | 2.3 | .spdx.json | JSON |\n| SPDX | 2.3 | .spdx.yml | YAML |\n| SPDX | 2.3 | .spdx.yaml | YAML |\n| SPDX | 2.3 | .spdx.xml | XML |\n| CycloneDX | 1.4 | .xml | XML |\n| CycloneDX | 1.4 | .json | JSON |\n\nDetails of the formats for each of the supported SBOM formats are available for\n[SPDX](https://spdx.dev/) and [CycloneDX](https://cyclonedx.org/).\n\nFor SPDX SBOM files, it is assumed that the name of a Package precedes the version information for the package.\nOnly modules with a package name and associated version information shall be processed.\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but can be stored in a file (specified using `--output-file` option).\n\n## Implementation Notes\n\nThe following design decisions have been made in processing the SBOM files:\n\n1. The comparison only considers package names, package versions and licenses. Other differences are not detected.\n\n2. It is assumed that the SBOM is valid and contains syntactically valid data. Invalid files will be silently ignored.\n\n3. SBOMs which do not match the format of the SBOM to be processed when specified using the `--sbom` option is likely to result in incorrect differences being reported.\n\n4. In SPDX format, the tool assumes that the name of a package is followed by the version and license of the package.\n\n5. If there are multiple instances of a package included in the SBOM, only the first instance will be processed.\n\n6. In CycloneDX format, if the _licenses_ section is not present for a component but the _evidence_ section is, the\nlicense contained within the _evidence_ section shall be used.\n\n7. If a license cannot be detected, the tool uses 'NOT FOUND' as the license to be used in the difference comparison.\n\n8. A non-zero return value indicates that differences were detected.\n\n## Sample Output\n\n```\n[LICENSE] glibc: License changed from GPL-2.0-only to (LGPL-2.0-only OR LicenseRef-3)\n[LICENSE] Saxon: License changed from Apache-2.0 to MPL-1.0\n[VERSION] rich: Version changed from 11.0.0 to 12.5.1\n[REMOVED] colorama: Module removed (Version 0.4.4)\n[VERSION] pygments: Version changed from 2.11.2 to 2.13.0\n\nSummary\n-------\nVersion changes: 2\nLicense changes: 2\nRemoved packages: 1\nNew packages: 0\n```\n\nThe following is an example of an output file in JSON format:\n\n```json\n{\n \"tool\": {\n \"name\": \"sbomdiff\",\n \"version\": \"0.4.2\"\n },\n \"file_1\": \"file1.json\",\n \"file_2\": \"file2.spdx\",\n \"differences\": [\n {\n \"package\": \"glibc\",\n \"status\": \"change\",\n \"license\": {\n \"from\": \"GPL-2.0-only\",\n \"to\": \"(LGPL-2.0-only OR LicenseRef-3)\"\n }\n },\n {\n \"package\": \"saxon\",\n \"status\": \"change\",\n \"license\": {\n \"from\": \"Apache-2.0\",\n \"to\": \"MPL-1.0\"\n }\n },\n {\n \"package\": \"rich\",\n \"status\": \"change\",\n \"version\": {\n \"from\": \"11.0.0\",\n \"to\": \"12.5.1\"\n },\n },\n {\n \"package\": \"colorama\",\n \"status\": \"remove\",\n \"version\": {\n \"from\": \"0.4.4\"\n },\n }, \n {\n \"package\": \"pygments\",\n \"status\": \"change\",\n \"version\": {\n \"from\": \"11.0.0\",\n \"to\": \"12.5.1\"\n },\n }\n ],\n \"summary\": {\n \"version_changes\": \"2\",\n \"new_packages\": \"0\"\n \"removed_packages\": \"1\",\n \"license_changes\": \"2\",\n }\n}\n```\n\n## License\n\nLicensed under the Apache 2.0 License.\n\n## Limitations\n\nThis tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data\nwhich is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool\nare therefore reminded that they should assert the quality of any data which is provided to the tool.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.\n",
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "Software Bill of Material (SBOM) difference tool",
"version": "0.5.3",
"project_urls": {
"Homepage": "https://github.com/anthonyharrison/sbomdiff"
},
"split_keywords": [
"security",
" tools",
" sbom",
" devsecops",
" spdx",
" cyclonedx"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "33281e3d0996fe732cf035a60d1e4d0df8dd8b0c72df2721aaab9dabe40f6267",
"md5": "55c22f288c69c99aa501488ab3e81c8b",
"sha256": "463901d6ee2b31546a02ad32bf5cf48f18e4f0b00bf9b1af5390827f149e5494"
},
"downloads": -1,
"filename": "sbomdiff-0.5.3-py2.py3-none-any.whl",
"has_sig": false,
"md5_digest": "55c22f288c69c99aa501488ab3e81c8b",
"packagetype": "bdist_wheel",
"python_version": "py2.py3",
"requires_python": ">=3.7",
"size": 14368,
"upload_time": "2024-03-25T19:40:45",
"upload_time_iso_8601": "2024-03-25T19:40:45.357787Z",
"url": "https://files.pythonhosted.org/packages/33/28/1e3d0996fe732cf035a60d1e4d0df8dd8b0c72df2721aaab9dabe40f6267/sbomdiff-0.5.3-py2.py3-none-any.whl",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-03-25 19:40:45",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "anthonyharrison",
"github_project": "sbomdiff",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [
{
"name": "defusedxml",
"specs": []
},
{
"name": "pyyaml",
"specs": [
[
">=",
"5.4"
]
]
},
{
"name": "lib4sbom",
"specs": [
[
">=",
"0.4.0"
]
]
}
],
"tox": true,
"lcname": "sbomdiff"
}
JSON
