https://github.com/shiftleftcyber/sbom-validator
A lightweight Go library for validating Software Bill of Materials (SBOM) against industry-standard specifications
bill-of-materials bom cyclonedx cyclonedx-sbom go-module golang sbom sbom-tool sbom-tools software-bill-of-materials spdx spdx-sbom supply-chain supply-chain-security vex
- Host: GitHub
- URL: https://github.com/shiftleftcyber/sbom-validator
- Owner: shiftleftcyber
- License: mit
- Created: 2025-03-04T01:12:52.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-03-04T11:48:12.000Z (over 1 year ago)
- Last Synced: 2025-03-04T12:29:05.120Z (over 1 year ago)
- Topics: bill-of-materials, bom, cyclonedx, cyclonedx-sbom, go-module, golang, sbom, sbom-tool, sbom-tools, software-bill-of-materials, spdx, spdx-sbom, supply-chain, supply-chain-security, vex
- Language: Go
- Homepage:
- Size: 303 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ShiftSBOM Validator
[Go Reference](https://pkg.go.dev/github.com/shiftleftcyber/sbom-validator)
[License](LICENSE)
[Go Report Card](https://goreportcard.com/report/github.com/shiftleftcyber/sbom-validator)

## Overview
**sbom-validator** is a Go library that validates
**Software Bill of Materials (SBOMs)** against the official
SBOM specifications. It checks documents for conformance with the
**CycloneDX** and **SPDX** formats and helps maintain software supply chain security.
## Features
✅ Detects SBOM type (e.g., CycloneDX, SPDX)
✅ Extracts SBOM version
✅ Validates SBOM against official schemas
✅ Provides detailed validation errors
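The first two features, detecting the SBOM type and extracting its version, are the step every schema validator has to get right before it can pick a schema at all. The following is an added example of how that sniffing can be done in plain Go; it is not code from the sbom-validator library and makes no claim about how the library implements it. It relies only on the documented top-level fields of the two formats (CycloneDX JSON carries `bomFormat` and `specVersion`; SPDX JSON carries `spdxVersion` as `SPDX-x.y` plus the document's `SPDXID`), and the sample documents are constructed for this example. Unknown or incomplete documents are rejected rather than guessed, so a caller never ends up validating untrusted input against no schema or the wrong one.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SBOMInfo is the result of sniffing an SBOM document: the specification it
// claims to follow and the version of that specification.
type SBOMInfo struct {
	Format  string // "CycloneDX" or "SPDX"
	Version string // e.g. "1.5" for CycloneDX, "2.3" for SPDX
}

// envelope holds only the top-level fields needed to tell the formats apart.
// Every other field is ignored at this stage; the schema check comes later.
type envelope struct {
	BomFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	SPDXVersion string `json:"spdxVersion"`
	SPDXID      string `json:"SPDXID"`
}

// ErrUnknownFormat is returned for JSON that is neither format.
var ErrUnknownFormat = errors.New("document is neither CycloneDX nor SPDX")

// DetectSBOM identifies the SBOM format and version from raw JSON bytes.
// Missing discriminator fields are an error, not a default, so the caller
// can refuse to proceed instead of validating against a guessed schema.
func DetectSBOM(data []byte) (SBOMInfo, error) {
	var env envelope
	if err := json.Unmarshal(data, &env); err != nil {
		return SBOMInfo{}, fmt.Errorf("not a JSON object: %w", err)
	}
	switch {
	case env.BomFormat == "CycloneDX":
		if env.SpecVersion == "" {
			return SBOMInfo{}, errors.New("CycloneDX document is missing specVersion")
		}
		return SBOMInfo{Format: "CycloneDX", Version: env.SpecVersion}, nil
	case strings.HasPrefix(env.SPDXVersion, "SPDX-"):
		if env.SPDXID == "" {
			return SBOMInfo{}, errors.New("SPDX document is missing SPDXID")
		}
		return SBOMInfo{Format: "SPDX", Version: strings.TrimPrefix(env.SPDXVersion, "SPDX-")}, nil
	}
	return SBOMInfo{}, ErrUnknownFormat
}

// Constructed sample documents (not taken from any real project).
var (
	sampleCycloneDX = []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,"components":[]}`)
	sampleSPDX      = []byte(`{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"example"}`)
	sampleUnknown   = []byte(`{"name":"not-an-sbom","packages":[]}`)
)

func main() {
	for _, doc := range [][]byte{sampleCycloneDX, sampleSPDX, sampleUnknown, []byte("{")} {
		info, err := DetectSBOM(doc)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("detected %s %s\n", info.Format, info.Version)
	}
}
```

Running the program prints one line per sample: the CycloneDX and SPDX documents are identified with their versions, while the plain JSON object and the truncated document are rejected with a reason. The version string returned here is what a validator would use to select the matching schema file before running the full structural check.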
## Installation
Use `go get` to install the package:
```sh
go get github.com/shiftleftcyber/sbom-validator
```
## Usage
```go
package main

import (
	"flag"
	"fmt"
	"log"
	"os"

	"github.com/shiftleftcyber/sbom-validator"
)

// maxShownErrors caps how many validation messages are printed.
const maxShownErrors = 10

func main() {
	sbomPath := flag.String("file", "", "Path to the SBOM JSON file")
	flag.Parse()

	// Ensure the file path is provided
	if *sbomPath == "" {
		log.Fatal("Usage: go run main.go -file=")
	}

	// Read SBOM file
	jsonData, err := os.ReadFile(*sbomPath)
	if err != nil {
		log.Fatalf("Failed to read SBOM file: %v", err)
	}

	// Validate the document; err reports a problem running the validation
	// itself, while validationErrors lists the schema violations found.
	isValid, validationErrors, err := sbomvalidator.ValidateSBOMData(jsonData)
	if err != nil {
		log.Fatalf("Error during validation - %v", err)
	}

	if isValid {
		fmt.Println("SBOM is valid")
	} else {
		fmt.Printf("Validation failed! Showing up to %d errors:\n", maxShownErrors)
		for i, errMsg := range validationErrors {
			if i >= maxShownErrors {
				fmt.Printf("...and %d more errors.\n", len(validationErrors)-maxShownErrors)
				break
			}
			fmt.Printf("- %s\n", errMsg)
		}
	}
}
```
## Running Tests
```sh
go test ./...
```
or use the included Makefile:
```sh
make test
```
## License
This project is licensed under the MIT License.
## Contributing
Contributions are welcome! Please open an issue or submit a pull request.