https://github.com/cyclonedx/sbom-combiner

Lockheed Martin developed utility to combine multiple CycloneDX SBOMs

bill-of-materials bom cyclonedx owasp sbom software-bill-of-materials

README

# sbom-combiner
Lockheed Martin developed utility to combine multiple SBOMs

This application combines two or more Software Bills of Materials (SBOMs), commonly referred to as SBoms or Boms, into a single Bom.
It uses the CycloneDX schema, accepts SBoms in either JSON or XML, and writes the combined Bom as either JSON or XML.

## Prerequisites
- OpenJDK 11
- Apache Maven 3.6.3 or later
- (Recommended) the Eclipse Java IDE with the Subclipse 4.3.0 plug-in

## Usage:

### Build artifact via Maven
### Maven Command

```sh
mvn clean package
```

### Run
To run it as a standalone Java application, see the "example.sh" shell script for an example.
You can also use the provided "combine.sh" script as a pass-through to the jar; it assumes the basic settings.

### Help is available.

```sh
./combine.sh -h
```

### Help output shows options for running the SBomCombiner application.


```text
usage: help
-d, --dir <arg> (Optional) directory to get all SBoms from
-f, --format <arg> (Optional) output file format, Valid values json, xml. Default is json
-f1, --sbom1 <arg> (Optional) first SBom file
-f2, --sbom2 <arg> (Optional) second SBom file
-g, --group <arg> (Optional) group name for the upper level Component of the combined SBom
-h, --help will print out the command line options.
-n, --name <arg> (Optional) name of upper level component of the combined SBom
-o, --output <arg> (Optional) output file name, default is combine.json or combine.xml
-t, --type <arg> (Optional) Type of upper level component of the combined SBom. Valid types are APPLICATION, CONTAINER, DEVICE, FILE, FIRMWARE, FRAMEWORK, LIBRARY, or OPERATING_SYSTEM. Default value is CONTAINER.
-v --version <arg> (Optional) Version of the upper level component of the combined SBom.
```

### Running SBomCombiner.
### In this example it will combine all files (xml and json) from the directory ./test into an output.json (also in ./test) bom file.

```sh
./combine.sh -d ./test -o ./test/output -f json
```

### In this example it will combine two files (sbomcommons.json, sbomcomparator.xml), both in the test directory, into an output.xml bom file.

```sh
./combine.sh -f1 ./test/sbomcommons.json -f2 ./test/sbomcomparator.xml -o output -f xml
```

### In this example it will combine all files (xml and json) from the directory ./test into an output.xml (also in ./test) bom file, setting the upper level SBOM metadata Component's group, name, and version.

```sh
./combine.sh -d ./test/ -o ./test/output -f xml -n SBOM -g com.lmco.efoss -v 2.0.3
```

## API:
### You can also pull in the API and run it inside your application.

```java
// sbomFiles is a list of strings that are the SBoms to combine.
Bom combinedSbom = SBomCombiner.combineSBoms(sbomFiles);
```
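As an added illustration of what the CLI examples above and the `combineSBoms` API call produce, the following Python script (not code from the sbom-combiner project, which is Java and needs the jar built above) carries out the same combination on CycloneDX JSON input: it takes several BOM documents, keeps each input's own top-level metadata component as a component of the result, unions the dependency lists, and sets the combined BOM's upper-level component from the equivalents of `-n`, `-g`, `-v` and `-t`. The sample BOM contents, the de-duplication on purl/bom-ref, and the JSON-only handling are assumptions of this example; the real tool also reads and writes XML.

```python
"""Combine CycloneDX JSON BOMs into one BOM (added illustration, not sbom-combiner's code)."""
import json
import uuid
from pathlib import Path
from typing import Dict, Iterable, Optional, Set

# The CLI accepts these enum-style names; the CycloneDX JSON schema spells the same
# component types in lower case with hyphens (OPERATING_SYSTEM -> operating-system).
VALID_TYPES = {"APPLICATION", "CONTAINER", "DEVICE", "FILE", "FIRMWARE",
               "FRAMEWORK", "LIBRARY", "OPERATING_SYSTEM"}


def schema_type(cli_type: str) -> str:
    """Map a CLI --type value to its CycloneDX schema spelling."""
    cli_type = cli_type.upper()
    if cli_type not in VALID_TYPES:
        raise ValueError(f"unsupported component type: {cli_type}")
    return cli_type.lower().replace("_", "-")


def component_key(component: dict) -> str:
    """Identity used to recognise the same package across input BOMs.

    De-duplicating on purl / bom-ref is an assumption of this example, not a
    documented behaviour of sbom-combiner.
    """
    return (component.get("purl") or component.get("bom-ref")
            or "/".join(str(component.get(k, "")) for k in ("group", "name", "version")))


def combine_sboms(boms: Iterable[dict], *, name: str = "combined",
                  group: Optional[str] = None, version: Optional[str] = None,
                  component_type: str = "CONTAINER") -> dict:
    """Fold several CycloneDX BOM dicts into one.

    The product each input BOM described (its metadata.component) is kept as an
    ordinary component of the result, so the combined BOM still records what was
    merged; dependency lists are unioned per bom-ref.
    """
    components: Dict[str, dict] = {}
    dependencies: Dict[str, Set[str]] = {}
    for bom in boms:
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("input is not a CycloneDX BOM")
        top = bom.get("metadata", {}).get("component")
        for component in ([top] if top else []) + bom.get("components", []):
            components.setdefault(component_key(component), component)
        for dep in bom.get("dependencies", []):
            dependencies.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))

    # The upper-level component mirrors the -n / -g / -v / -t options.
    top_level = {"type": schema_type(component_type), "name": name}
    if group:
        top_level["group"] = group
    if version:
        top_level["version"] = version
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": top_level},
        "components": list(components.values()),
        "dependencies": [{"ref": ref, "dependsOn": sorted(deps)}
                         for ref, deps in dependencies.items()],
    }


def combine_directory(directory: str, **options) -> dict:
    """Combine every *.json file in a directory, like the tool's -d option (JSON only here)."""
    paths = sorted(Path(directory).glob("*.json"))
    return combine_sboms((json.loads(p.read_text()) for p in paths), **options)


def _maven_lib(group: str, name: str, version: str) -> dict:
    """Build a library component with a Maven purl (constructed sample data)."""
    purl = f"pkg:maven/{group}/{name}@{version}"
    return {"type": "library", "bom-ref": purl, "group": group, "name": name,
            "version": version, "purl": purl}


# Constructed sample inputs standing in for the README's sbomcommons / sbomcomparator files.
LANG3 = _maven_lib("org.apache.commons", "commons-lang3", "3.12.0")
JACKSON = _maven_lib("com.fasterxml.jackson.core", "jackson-databind", "2.13.4")
JUNIT = _maven_lib("junit", "junit", "4.13.2")
SBOM_COMMONS = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "library", "bom-ref": "sbomcommons",
                               "name": "sbomcommons", "version": "1.0.0"}},
    "components": [LANG3, JACKSON],
    "dependencies": [{"ref": "sbomcommons", "dependsOn": [LANG3["purl"], JACKSON["purl"]]}],
}
SBOM_COMPARATOR = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "sbomcomparator",
                               "name": "sbomcomparator", "version": "1.0.0"}},
    "components": [LANG3, JUNIT],  # commons-lang3 appears in both inputs
    "dependencies": [{"ref": "sbomcomparator", "dependsOn": [LANG3["purl"], JUNIT["purl"]]}],
}

if __name__ == "__main__":
    combined = combine_sboms([SBOM_COMMONS, SBOM_COMPARATOR], name="SBOM",
                             group="com.lmco.efoss", version="2.0.3")
    print(json.dumps(combined, indent=2))
```

Running the script prints one BOM whose `metadata.component` is the container `com.lmco.efoss:SBOM@2.0.3`, with five components (the two merged products plus three libraries, `commons-lang3` listed once) and one dependency entry per merged product.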

## License
[licenses](./LICENSE)