sbommerge


Namesbommerge JSON
Version 0.2.0 PyPI version JSON
download
home_pagehttps://github.com/anthonyharrison/sbommerge
SummarySoftware Bill of Material (SBOM) merge tool
upload_time2023-07-24 17:51:43
maintainerAnthony Harrison
docs_urlNone
authorAnthony Harrison
requires_python>=3.7
licenseApache-2.0
keywords security tools sbom devsecops spdx cyclonedx
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            # SBOMMerge

SBOMMerge merges two Software Bill of Materials (SBOMs) documents together. It supports SBOMs created in both
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org) formats.

## Installation

To install use the following command:

`pip install sbommerge`

Alternatively, just clone the repo and install dependencies using the following command:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.

## Usage

```bash
usage: sbommerge [-h] [--sbom {auto,spdx,cyclonedx}] [-d] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V] FILE1 FILE2

SBOMMerge merges two Software Bill of Materials (SBOMs) documents together.

positional arguments:
  FILE1                 first SBOM file
  FILE2                 second SBOM file

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  --sbom {auto,spdx,cyclonedx}
                        specify type of sbom to merge (default: auto)

Output:
  -d, --debug           show debug information
  --format {tag,json,yaml}
                        specify format of generated sbom (default: tag)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)
```
						
## Operation

The `--sbom` option is used to specify the format of the SBOM files. The default is for the type and format of the SBOM to be
automatically detected based on the extension of the file name.

| SBOM Type | Version   | Extension      |Format         |
| --------- | --------- | ---------------|---------------|
| SPDX      | 2.3       | .spdx          | TagValue      |
| SPDX      | 2.3       | .spdx.json     | JSON          |
| SPDX      | 2.3       | .spdx.yml      | YAML          |
| SPDX      | 2.3       | .spdx.yaml     | YAML          |
| CycloneDX | 1.4       | .json          | JSON          |
| CycloneDX | 1.5       | .json          | JSON          |

Details of the formats for each of the supported SBOM formats are available for
[SPDX](https://spdx.dev/) and [CycloneDX](https://cyclonedx.org/).

For SPDX SBOM files, it is assumed that the name of a Package precedes the version information for the package.
Only modules with a package name and associated version information shall be processed.

The `--output-file` option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using `--output-file` option).

## Implementation Notes

The following design decisions have been made in processing the SBOM files:

1. Package data is merged if the package version matches. Otherwise separate packages will be created.

2. It is assumed that the SBOM is valid and contains syntactically valid data. Invalid files will be silently ignored.

3. A non-zero return value indicates that differences were detected.

## License

Licensed under the Apache 2.0 Licence.

## Limitations

This tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data
which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool
are therefore reminded that they should assert the quality of any data which is provided to the tool.

## Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.

            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/anthonyharrison/sbommerge",
    "name": "sbommerge",
    "maintainer": "Anthony Harrison",
    "docs_url": null,
    "requires_python": ">=3.7",
    "maintainer_email": "anthony.p.harrison@gmail.com",
    "keywords": "security,tools,SBOM,DevSecOps,SPDX,CycloneDX",
    "author": "Anthony Harrison",
    "author_email": "anthony.p.harrison@gmail.com",
    "download_url": "",
    "platform": null,
    "description": "# SBOMMerge\n\nSBOMMerge merges two Software Bill of Materials (SBOMs) documents together. It supports SBOMs created in both\n[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org) formats.\n\n## Installation\n\nTo install use the following command:\n\n`pip install sbommerge`\n\nAlternatively, just clone the repo and install dependencies using the following command:\n\n`pip install -U -r requirements.txt`\n\nThe tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially\nif you are using different versions of python. `virtualenv` is a tool for setting up virtual python environments which\nallows you to have all the dependencies for the tool set up in a single environment, or have different environments set\nup for testing using different versions of Python.\n\n## Usage\n\n```bash\nusage: sbommerge [-h] [--sbom {auto,spdx,cyclonedx}] [-d] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V] FILE1 FILE2\n\nSBOMMerge merges two Software Bill of Materials (SBOMs) documents together.\n\npositional arguments:\n  FILE1                 first SBOM file\n  FILE2                 second SBOM file\n\noptions:\n  -h, --help            show this help message and exit\n  -V, --version         show program's version number and exit\n\nInput:\n  --sbom {auto,spdx,cyclonedx}\n                        specify type of sbom to merge (default: auto)\n\nOutput:\n  -d, --debug           show debug information\n  --format {tag,json,yaml}\n                        specify format of generated sbom (default: tag)\n  -o OUTPUT_FILE, --output-file OUTPUT_FILE\n                        output filename (default: output to stdout)\n```\n\t\t\t\t\t\t\n## Operation\n\nThe `--sbom` option is used to specify the format of the SBOM files. The default is for the type and format of the SBOM to be\nautomatically detected based on the extension of the file name.\n\n| SBOM Type | Version   | Extension      |Format         |\n| --------- | --------- | ---------------|---------------|\n| SPDX      | 2.3       | .spdx          | TagValue      |\n| SPDX      | 2.3       | .spdx.json     | JSON          |\n| SPDX      | 2.3       | .spdx.yml      | YAML          |\n| SPDX      | 2.3       | .spdx.yaml     | YAML          |\n| CycloneDX | 1.4       | .json          | JSON          |\n| CycloneDX | 1.5       | .json          | JSON          |\n\nDetails of the formats for each of the supported SBOM formats are available for\n[SPDX](https://spdx.dev/) and [CycloneDX](https://cyclonedx.org/).\n\nFor SPDX SBOM files, it is assumed that the name of a Package precedes the version information for the package.\nOnly modules with a package name and associated version information shall be processed.\n\nThe `--output-file` option is used to control the destination of the output generated by the tool. The\ndefault is to report to the console but can be stored in a file (specified using `--output-file` option).\n\n## Implementation Notes\n\nThe following design decisions have been made in processing the SBOM files:\n\n1. Package data is merged if the package version matches. Otherwise separate packages will be created.\n\n2. It is assumed that the SBOM is valid and contains syntactically valid data. Invalid files will be silently ignored.\n\n3. A non-zero return value indicates that differences were detected.\n\n## License\n\nLicensed under the Apache 2.0 Licence.\n\n## Limitations\n\nThis tool is meant to support software development and security audit functions. However the usefulness of the tool is dependent on the SBOM data\nwhich is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool\nare therefore reminded that they should assert the quality of any data which is provided to the tool.\n\n## Feedback and Contributions\n\nBugs and feature requests can be made via GitHub Issues.\n",
    "bugtrack_url": null,
    "license": "Apache-2.0",
    "summary": "Software Bill of Material (SBOM) merge tool",
    "version": "0.2.0",
    "project_urls": {
        "Homepage": "https://github.com/anthonyharrison/sbommerge"
    },
    "split_keywords": [
        "security",
        "tools",
        "sbom",
        "devsecops",
        "spdx",
        "cyclonedx"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "fe26015bb1c526a1a2f884cf4bf4a604e7fa39403480aaff7fddaf1c8daed647",
                "md5": "83249bd7120b5ba704d5c48b98d367fa",
                "sha256": "b75ae56d6b0464122e03cb7261276b8b87568407f8f83a9dc3bf28639ec60e12"
            },
            "downloads": -1,
            "filename": "sbommerge-0.2.0-py2.py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "83249bd7120b5ba704d5c48b98d367fa",
            "packagetype": "bdist_wheel",
            "python_version": "py2.py3",
            "requires_python": ">=3.7",
            "size": 25271,
            "upload_time": "2023-07-24T17:51:43",
            "upload_time_iso_8601": "2023-07-24T17:51:43.945175Z",
            "url": "https://files.pythonhosted.org/packages/fe/26/015bb1c526a1a2f884cf4bf4a604e7fa39403480aaff7fddaf1c8daed647/sbommerge-0.2.0-py2.py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2023-07-24 17:51:43",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "anthonyharrison",
    "github_project": "sbommerge",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": false,
    "requirements": [],
    "tox": true,
    "lcname": "sbommerge"
}
        
Elapsed time: 0.90095s