# SBOMValidate
SBOMValidate is a free, open source tool to validate an SBOM (Software Bill of Materials) against the specifications for
[SPDX](https://www.spdx.org) and [CycloneDX](https://www.cyclonedx.org).

It is intended to be used as part of a continuous integration system to ensure only valid SBOMs are processed.
## Installation
To install, use the following command:

`pip install sbomvalidate`

Alternatively, clone the repo and install the dependencies with:

`pip install -U -r requirements.txt`

The tool requires Python 3 (3.7+). It is recommended to use a virtual Python environment, especially
if you are using different versions of Python. `virtualenv` is a tool for setting up virtual Python environments that
lets you keep all the dependencies for the tool in a single environment, or maintain separate environments for
testing with different versions of Python.
## Usage
```bash
usage: sbomvalidate [-h] [-i INPUT_FILE] [--debug] [-V]

SBOMvalidate validates a SBOM.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -i INPUT_FILE, --input-file INPUT_FILE
                        Name of SBOM file
  --debug               add debug information
```
## Operation
The `--input-file` option specifies the SBOM to be processed. The SBOM type and format are determined from the
filename, according to the following conventions:

| SBOM | Format | Filename extension |
| --------- | --------- |--------------------|
| SPDX | TagValue | .spdx |
| SPDX | JSON | .spdx.json |
| SPDX | YAML | .spdx.yaml |
| SPDX | YAML | .spdx.yml |
| SPDX | XML | .spdx.xml |
| SPDX | RDF | .spdx.rdf |
| CycloneDX | JSON | .json |
| CycloneDX | XML | .xml |
For CycloneDX SBOMs, versions 1.3, 1.4, 1.5 and 1.6 are supported; for SPDX SBOMs, versions 2.2 and 2.3 are supported.

The `--debug` option provides more information on the validation process. By default, no information is reported.
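The following is an added example, not sbomvalidate's own code (the tool delegates to `lib4sbom`): it applies the filename conventions from the table above and then checks the declared spec version of a JSON SBOM against the supported versions listed here. Note the ordering subtlety: `.spdx.json` must be matched before the plain CycloneDX `.json` suffix, which a naive extension split would get wrong.

```python
# Added example, not sbomvalidate's own code: detect the SBOM family and format
# from the filename table above, then check the declared spec version (JSON only).
import json
from pathlib import Path

# Longest suffixes first: ".spdx.json" must win over the CycloneDX ".json".
EXTENSIONS = [
    (".spdx.json", "SPDX", "JSON"),
    (".spdx.yaml", "SPDX", "YAML"),
    (".spdx.yml", "SPDX", "YAML"),
    (".spdx.xml", "SPDX", "XML"),
    (".spdx.rdf", "SPDX", "RDF"),
    (".spdx", "SPDX", "TagValue"),
    (".json", "CycloneDX", "JSON"),
    (".xml", "CycloneDX", "XML"),
]
SUPPORTED = {
    "CycloneDX": {"1.3", "1.4", "1.5", "1.6"},
    "SPDX": {"SPDX-2.2", "SPDX-2.3"},
}

def detect_format(filename):
    """Return (sbom, format) per the filename conventions, or None."""
    name = Path(filename).name.lower()
    for suffix, sbom, fmt in EXTENSIONS:
        if name.endswith(suffix):
            return sbom, fmt
    return None

def check_json_version(filename, text):
    """Return (ok, reason); non-JSON formats are out of scope for this example."""
    detected = detect_format(filename)
    if detected is None:
        return False, "unknown filename convention"
    sbom, fmt = detected
    if fmt != "JSON":
        return False, f"{sbom} {fmt} not checked by this example"
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg}"
    key = "specVersion" if sbom == "CycloneDX" else "spdxVersion"
    version = doc.get(key) if isinstance(doc, dict) else None
    if version in SUPPORTED[sbom]:
        return True, f"{sbom} {version} supported"
    return False, f"{sbom} version {version!r} not in supported set"

# Constructed sample document, not a real SBOM.
CDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5"})
```

In a CI pipeline this kind of pre-check is cheap to run before the full validator, so a misnamed or unsupported-version file fails fast with a clear reason.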
## Return Values
The return value indicates the validity of the SBOM:

- 0 indicates that the SBOM has been validated
- 1 indicates that the SBOM failed to validate

Example usage:
```bash
sbomvalidate -i <goodsbomfilename>
echo $?
0
sbomvalidate -i <badsbomfilename>
echo $?
1
```
## Licence
Licenced under the Apache 2.0 Licence.
## Limitations
The validation of SPDX SBOMs in RDF, TagValue and XML formats is limited to detecting the presence of key tags in the document.
## Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.