{"id":20801862,"url":"https://github.com/philips-software/spdxmerge","last_synced_at":"2025-04-09T12:04:06.034Z","repository":{"id":143629830,"uuid":"616411476","full_name":"philips-software/SPDXMerge","owner":"philips-software","description":"SPDX Merge tool","archived":false,"fork":false,"pushed_at":"2025-03-06T10:34:37.000Z","size":2225,"stargazers_count":42,"open_issues_count":12,"forks_count":7,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-02T11:03:49.838Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/philips-software.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-20T10:40:37.000Z","updated_at":"2025-03-30T13:23:56.000Z","dependencies_parsed_at":null,"dependency_job_id":"147c8887-9fd0-433f-b6c1-a421101c9fa2","html_url":"https://github.com/philips-software/SPDXMerge","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2FSPDXMerge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2FSPDXMerge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2FSPDXMerge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-software%2FSPDXMerge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/philips-softwa
re","download_url":"https://codeload.github.com/philips-software/SPDXMerge/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248036064,"owners_count":21037092,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T18:24:50.502Z","updated_at":"2025-04-09T12:04:05.992Z","avatar_url":"https://github.com/philips-software.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Tool for merging SPDX files  \n\nThis tool integrates multiple SPDX JSON formatted Software Bill of Materials (SBOMs) into a parent SBOM, either by consolidating all the contents into a single file or by creating references to multiple files.  \n\nThe tool works with SPDX 2.2 and SPDX 2.3 versions.  \n\n## Features  \n\nCombine multiple SPDX JSON/Tag value files into a single parent Software Bill of Materials (SBOM) in one of two ways:  \n\n- **Deep Merge** - Combines the contents of all SBOM files into a single comprehensive parent file, incorporating all the information about the package dependencies and their relationships.  \n- **Shallow Merge** - Generates a parent SBOM that references multiple SBOM files in the `externalDocumentRefs` section.  \n\n## How to use  \n\n### Manual Installation  \n\nSPDX Tools (`spdx-tools`) needs to be installed as a prerequisite for this application to work. It is listed in the `requirements.txt` file.  
\nRun the following command to install all necessary dependencies:  \n\n```shell\npip install -r requirements.txt\n```  \n\nExecute the command with the required inputs:  \n\n```shell\npython spdxmerge/SPDXMerge --docpath \u003cfolder path of the SBOMs to be merged\u003e\n                           --outpath \u003cfolder path where the merged file will be saved\u003e (optional)\n                           --name \u003cproduct name\u003e\n                           --version \u003cproduct version\u003e\n                           --mergetype \u003c0 for deep merge/1 for shallow merge\u003e\n                           --author \u003corganization or author name\u003e\n                           --email \u003corg/author email\u003e\n                           --docnamespace \u003cnamespace for SPDX document\u003e\n                           --filetype \u003cexpected SBOM file format: J for JSON/T for Tag value\u003e\n                           --rootdocpath \u003cSBOM file in the docpath that should act as the root doc\u003e (optional)\n```  \n---\n\n### 🔹 **New Update: Version Input**  \nTo establish a unique **\"DESCRIBES\"** relationship in the SPDX document, a **root package** must be created.  \nFor this, we now require both **name** and **version** as input parameters.  \n\n---\n\n### 🔹 **New Update: Rootdocpath input**  \nTo establish a unique **\"DESCRIBES\"** relationship in the SPDX document, a **root document** can be specified.  
\nFor this, we now introduce the **`--rootdocpath`** option to define the root document, ensuring proper validation and relationship mapping.\n\n#### Options\n- `--rootdocpath` (optional): Specifies the root SBOM document.\n\n#### Implementation Details\n- The tool scans the root document for a `DESCRIBES` relationship.\n- If found, the related SPDX element ID is used to establish the relationship.\n- If no such relationship is found, an error is raised.\n- The relationship is added to the master document.\n\n#### Error Handling\n- Raises an error if `--rootdocpath` is defined but the file is not found in the path.\n- Raises an error if the root document lacks a `DESCRIBES` relationship.\n---\n\n### GitHub Action  \n\n```yml\n  - name: Checkout project\n    uses: actions/checkout@v3\n  - name: Run SPDX Merge tool to merge SPDX files\n    uses: philips-software/SPDXMerge@v0.2.0\n    with:\n      docpath: ${{github.workspace}}/Test\n      name: sample-sbom\n      version: 1.0.0\n      mergetype: 1\n      author: \"Kung Fury\"\n      email: \"kfury@example.com\"\n      filetype: J\n      docnamespace: \"https://mycompany.example.com\"\n  - name: Check result\n    run: cat merged-SBoM.json\n```  \n\n---\n\n### Docker Image  \n\n```shell\ndocker run -it --rm \\\n  -v $(pwd):/code \\\n  -v $(pwd)/output/:/output \\\n  -e DOCPATH='/code' \\\n  -e OUTPATH='/output' \\\n  -e NAME='' \\\n  -e VERSION='' \\\n  -e MERGETYPE='' \\\n  -e AUTHOR='' \\\n  -e EMAIL='' \\\n  -e DOCNAMESPACE='' \\\n  -e FILETYPE='' \\\n  -e ROOTPATH='' \\\n  docker.io/philipssoftware/spdxmerge:v0.2.0\n```  \n\n---\n\n## TODOs  \n\n- Option for Organization, Author tag in document creation  
\n\n---\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fspdxmerge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphilips-software%2Fspdxmerge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-software%2Fspdxmerge/lists"}