{"id":37182955,"url":"https://github.com/chainguard-dev/bomshell","last_synced_at":"2026-01-14T21:07:16.003Z","repository":{"id":174866101,"uuid":"650903735","full_name":"chainguard-dev/bomshell","owner":"chainguard-dev","description":"An SBOM query language and associated utilities","archived":true,"fork":false,"pushed_at":"2024-01-22T09:10:35.000Z","size":240,"stargazers_count":54,"open_issues_count":0,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-22T00:05:29.103Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-08T04:13:24.000Z","updated_at":"2024-09-13T21:21:30.000Z","dependencies_parsed_at":null,"dependency_job_id":"b6341327-9aee-4352-9327-6ae75b3208da","html_url":"https://github.com/chainguard-dev/bomshell","commit_stats":null,"previous_names":["chainguard-dev/bomshell"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/chainguard-dev/bomshell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fbomshell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fbomshell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fbomshell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fbomshell/manifests","owner_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/bomshell/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fbomshell/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28434553,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T21:07:15.423Z","updated_at":"2026-01-14T21:07:15.976Z","avatar_url":"https://github.com/chainguard-dev.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# 💣🐚 bomshell\n\nAn SBOM query language and associated utilities to work with data in any format.\n\n`bomshell` is a runtime environment designed to evaluate expressions, called \n_recipes_, that operate on the SBOM graph. bomshell recipes can extract,\nrearrange and remix data from SBOMs in any format, making SBOM composition a\nreality. \n\n### __⚠️ Experimental Notice ⚠️__\n\n`bomshell` is evolving rapidly but it should still be considered pre-release software. 
The language\nis still incomplete and changing constantly.\n\n## SBOM Querying and Remixing Examples\n\nIn essence, a bomshell invocation parses a set of SBOMs and executes a recipe.\nAt runtime, the preloaded SBOMs are accessible to the running program from the\nbomshell environment. For more details, be sure to check out the \n[`bomshell` tutorial](tutorial/) and the \n[examples directory](examples/).\n\n### Extract Files and Packages from an SBOM\n\nThis example reads an SBOM, extracts its files and returns a new document \nwith no packages, only those files:\n\n```\nbomshell -e 'sbom.files().ToDocument()' mysbom.spdx.json\n```\n\nThis recipe does the same, but with the nodes that are package data:\n\n```\nbomshell -e 'sbom.packages().ToDocument()' mysbom.spdx.json\n```\n\n### Multiformat Support\n\n`bomshell` can read any SBOM format (that `protobom` supports). By default,\noutput is written as SPDX 2.3 but it can also be rendered to any format:\n\n```\nbomshell --document-format=\"application/vnd.cyclonedx+json;version=1.4\" \\\n         --execute 'sbom.packages().ToDocument()' mysbom.spdx.json\n```\n\nReading an SBOM into bomshell and writing it to another format essentially \nconverts it into another format:\n\n```\nbomshell --document-format=\"application/vnd.cyclonedx+json;version=1.4\" \\\n         --execute 'sbom' mysbom.spdx.json\n```\n\n### Querying SBOM Data\n\nbomshell is still very young 👶🏽 but it already offers a few functions and methods\nto query SBOM data. The following example extracts all Go packages from an SBOM:\n\n```\nbomshell -e 'sbom.NodesByPurlType(\"golang\")' mysbom.spdx.json \n```\n\nSpecific nodes can be looked up by ID too:\n\n```\nbomshell -e 'sbom.NodeByID(\"com.github.kubernetes-kubectl\")' mysbom.spdx.json\n```\n\n### SBOM Composition\n\nLoaded SBOMs are accessible through the `sbom[]` array. Nodes in\na document can be augmented or replaced. 
New graph sections can \nbe remixed into a point in a document graph.\n\nThe following recipe extracts the npm packages from one SBOM and \nremixes them as dependencies of a binary in the other:\n\n```\nbomshell -e 'sbom[0].RelateNodeListAtID(sbom[1].NodesByPurlType(\"npm\"), \"my-binary\", \"DEPENDS_ON\")' \\\n         --sbom=sbom1.spdx.json \\\n         --sbom=sbom2.cdx.json \n```\n\nNote in the previous example that each SBOM is in a different format. Remixing\nfrom different formats makes `bomshell` a powerful tool to work with any SBOM: tools can specialize in what they do best and bomshell\ncan compose documents assembled from multiple sources of\ndata.\n\n## The `bomshell` Core\n\nbomshell recipes are written in CEL \n([Common Expression Language](https://github.com/google/cel-spec)),\nmaking the runtime small and embeddable in other applications.\n\nThe backing library of bomshell is \n[`protobom`, the universal Software Bill of Materials I/O library](https://github.com/bom-squad/protobom).\nThe bomshell runtime reads SBOMs and exposes the protobom\ndata graph to the CEL environment, emulating some methods and adding\nsome of its own.\n\nJust like its core components, bomshell is open source, released under the\nApache 2.0 license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fbomshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fbomshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fbomshell/lists"}