sbom

package
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 11, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrNilDocument       = errors.New("sbom document is nil")
	ErrUnsupportedTarget = errors.New("unsupported sbom target")
	ErrUnsupportedFormat = errors.New("unsupported sbom format")
	ErrMalformedJSON     = errors.New("malformed sbom json")
)
View Source
var ErrNilGraph = errors.New("dependency graph is nil")

Functions

func MarshalDepGraphJSON

func MarshalDepGraphJSON(g *sdk.Graph, target Target, buildOpts BuildOptions, encodeOpts EncodeOptions) ([]byte, error)

MarshalDepGraphJSON converts a dependency graph directly into a target JSON SBOM.

func MarshalJSON

func MarshalJSON(doc *Document, target Target, opts EncodeOptions) ([]byte, error)

MarshalJSON renders the intermediate SBOM document to a target JSON format.

func ToGraph

func ToGraph(doc *Document) (*sdk.Graph, error)

ToGraph converts a neutral SBOM document back into a dependency graph.

func UnmarshalAutoJSON

func UnmarshalAutoJSON(data []byte) (*Document, Target, error)

UnmarshalAutoJSON parses a supported SBOM JSON payload without requiring the caller to preselect a target.

Types

type BuildOptions

type BuildOptions struct {
	DocumentName    string
	DocumentNS      string
	ToolName        string
	ToolNames       []string
	Created         time.Time
	RootComponentID string
	SerialNumber    string

	// Registry, when non-nil, supplies matching-stage enrichment (licenses,
	// vulnerabilities, CPEs, digests, EOL) resolved by PURL and folded onto
	// each component during projection.
	Registry *sdk.PackageRegistry
}

BuildOptions controls how a depgraph is projected into the intermediate SBOM model.

type Component

type Component struct {
	ID             string
	Name           string
	Version        string
	Scope          string
	PURL           string
	Ecosystem      string
	PackageManager string
	Type           string
	Copyright      string
	Licenses       []License

	// Matching-stage enrichment (populated when BuildOptions.Registry is set).
	CPEs            []string
	Digests         []Digest
	Vulnerabilities []Vulnerability
	EOL             *EOL
}

Component describes one package surfaced in the intermediate SBOM model.

func (Component) NameOrID

func (c Component) NameOrID() string

NameOrID returns the component name when present, otherwise its stable ID.

type Dependency

type Dependency struct {
	Ref       string
	DependsOn []string
}

Dependency describes one package relationship list in the intermediate SBOM model.

type Digest

type Digest struct {
	Algorithm string
	Value     string
}

Digest is a content digest (algorithm + hex value) carried on a component.

type Document

type Document struct {
	Name         string
	Namespace    string
	Tool         string
	Tools        []string
	Created      time.Time
	SerialNumber string

	Components   []Component
	Dependencies []Dependency
	Roots        []string
}

Document is an intermediate, format-agnostic SBOM representation.

func FromDepGraph

func FromDepGraph(g *sdk.Graph, opts BuildOptions) (*Document, error)

FromDepGraph builds a neutral SBOM document from a dependency DAG.

func UnmarshalJSON

func UnmarshalJSON(data []byte, target Target) (*Document, error)

UnmarshalJSON parses a target JSON SBOM into the intermediate document model.

func (*Document) CreatedOrNow

func (d *Document) CreatedOrNow() time.Time

CreatedOrNow returns the document timestamp in UTC, defaulting to the current time.

func (*Document) NameOrDefault

func (d *Document) NameOrDefault() string

NameOrDefault returns the document name or Bomly's default document name.

func (*Document) NamespaceOrDefault

func (d *Document) NamespaceOrDefault() string

NamespaceOrDefault returns the document namespace or a generated Bomly namespace.

func (*Document) ToolNamesOrDefault

func (d *Document) ToolNamesOrDefault() []string

ToolNamesOrDefault returns all producing tool labels, defaulting to Bomly's tool label.

func (*Document) ToolOrDefault

func (d *Document) ToolOrDefault() string

ToolOrDefault returns the producing tool name or Bomly's default tool label.

type EOL

type EOL struct {
	EOL           bool
	EOLDate       string
	Cycle         string
	LatestVersion string
}

EOL is a format-agnostic projection of end-of-life enrichment for a component.

type EncodeOptions

type EncodeOptions struct {
	Pretty bool
}

EncodeOptions controls JSON output formatting.

type License

type License struct {
	Value          string
	SPDXExpression string
	Type           string
}

License describes normalized license details captured from an SBOM component.

type Target

type Target string

Target identifies an SBOM wire format target.

const (
	TargetSPDX23JSON      Target = "spdx-2.3+json"
	TargetCycloneDX14JSON Target = "cyclonedx-1.4+json"
	TargetCycloneDX15JSON Target = "cyclonedx-1.5+json"
	TargetCycloneDX16JSON Target = "cyclonedx-1.6+json"
	TargetSyftJSON        Target = "syft+json"
)

func DetectJSONTarget

func DetectJSONTarget(data []byte) (Target, error)

DetectJSONTarget identifies the supported SBOM JSON format represented by data.

type Vulnerability

type Vulnerability struct {
	ID            string
	Source        string
	Severity      string
	Score         *float64
	Vector        string
	Method        string
	CWEs          []int
	FixedVersions []string
	Advisories    []string
	Description   string
}

Vulnerability is a format-agnostic projection of one matching-stage advisory affecting a component. Encoders map it to the format's native representation (CycloneDX vulnerabilities, SPDX SECURITY external references).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL