sbomattr

package module
v0.1.0
Published: Nov 2, 2025 License: MIT Imports: 9 Imported by: 0

README

sbomattr


A simple library and CLI tool to create an aggregated notice for one or more SBOMs (SPDX or CycloneDX).

Usage

Usage: sbomattr [OPTIONS] <file-or-directory>...

Create an aggregated notice for one or more SBOMs.

Arguments:
  file-or-directory   SBOM files or directories containing SBOM files

Options:
  -v    Verbose output (debug mode)
  -version
        Show version and exit

Why?

Provide clear attribution for software dependencies in a simple, verifiable format.

When distributing software (especially closed source), you may want to aggregate license information from multiple SBOMs into a single notice file. This tool does one thing well: it combines SBOMs into a unified attribution notice.

What is the URL Field?

The URL field is the quickest way to validate the package information for people who don't care about the purl specification.

Canonical sources are preferred, but if one can't be identified, the purl will be used to generate a URL.

SPDX

For SPDX SBOMs, the homepage field is used if it is present and not NOASSERTION or NONE.

The downloadLocation field is not used because it's often a tarball.

CycloneDX

For CycloneDX SBOMs, the URL is taken from externalReferences using the following priority order:

  1. website
  2. distribution
  3. documentation
  4. vcs
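The URL selection rules above, worked through in code. This is an added example and not code from the sbomattr project: it parses a constructed SPDX document and a constructed CycloneDX document, applies the homepage and externalReferences rules exactly as stated, and falls back to the purl when no canonical source is found. The README does not say how a purl is turned into a URL, so the github and golang mappings in urlFromPurl are assumptions; any other purl type yields an empty URL here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// spdxPackage keeps only the SPDX 2.3 package fields that matter for URL selection.
// downloadLocation is intentionally absent: the README ignores it because it is usually a tarball.
type spdxPackage struct {
	Name         string `json:"name"`
	Homepage     string `json:"homepage"`
	ExternalRefs []struct {
		ReferenceType    string `json:"referenceType"`
		ReferenceLocator string `json:"referenceLocator"`
	} `json:"externalRefs"`
}

// cdxComponent keeps only the CycloneDX 1.4 component fields that matter for URL selection.
type cdxComponent struct {
	Name               string `json:"name"`
	Purl               string `json:"purl"`
	ExternalReferences []struct {
		Type string `json:"type"`
		URL  string `json:"url"`
	} `json:"externalReferences"`
}

// urlFromPurl is the fallback when no canonical source exists. ASSUMPTION: the README
// only says the purl is used to generate a URL; these two mappings are illustrative.
func urlFromPurl(purl string) string {
	if !strings.HasPrefix(purl, "pkg:") {
		return ""
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	// Drop version, qualifiers and subpath: pkg:type/namespace/name[@version][?q][#sub]
	if i := strings.IndexAny(rest, "@?#"); i >= 0 {
		rest = rest[:i]
	}
	typ, path, ok := strings.Cut(rest, "/")
	if !ok || path == "" {
		return ""
	}
	switch typ {
	case "github":
		return "https://github.com/" + path
	case "golang":
		return "https://pkg.go.dev/" + path
	}
	return ""
}

// spdxURL: homepage unless absent, NOASSERTION or NONE; otherwise the purl external ref.
func spdxURL(p spdxPackage) string {
	switch p.Homepage {
	case "", "NOASSERTION", "NONE":
	default:
		return p.Homepage
	}
	for _, r := range p.ExternalRefs {
		if r.ReferenceType == "purl" {
			return urlFromPurl(r.ReferenceLocator)
		}
	}
	return ""
}

// cdxPriority is the externalReferences order from the README; the first type present wins.
var cdxPriority = []string{"website", "distribution", "documentation", "vcs"}

func cdxURL(c cdxComponent) string {
	for _, want := range cdxPriority {
		for _, r := range c.ExternalReferences {
			if r.Type == want && r.URL != "" {
				return r.URL
			}
		}
	}
	return urlFromPurl(c.Purl)
}

// SPDXURLs and CDXURLs parse a document and return package name -> chosen URL.
func SPDXURLs(data []byte) (map[string]string, error) {
	var doc struct{ Packages []spdxPackage `json:"packages"` }
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, p := range doc.Packages {
		out[p.Name] = spdxURL(p)
	}
	return out, nil
}

func CDXURLs(data []byte) (map[string]string, error) {
	var bom struct{ Components []cdxComponent `json:"components"` }
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, c := range bom.Components {
		out[c.Name] = cdxURL(c)
	}
	return out, nil
}

// Constructed sample documents (not real SBOMs): one package per rule.
const sampleSPDX = `{"spdxVersion":"SPDX-2.3","packages":[
 {"name":"libfoo","homepage":"https://example.com/libfoo","downloadLocation":"https://example.com/libfoo-1.0.tar.gz"},
 {"name":"libbar","homepage":"NOASSERTION","externalRefs":[{"referenceType":"purl","referenceLocator":"pkg:github/example/libbar@1.2.0"}]},
 {"name":"libbaz","homepage":"NONE"}]}`

const sampleCDX = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"name":"widget","externalReferences":[{"type":"vcs","url":"https://github.com/example/widget"},{"type":"website","url":"https://widget.example.com"}]},
 {"name":"gadget","externalReferences":[{"type":"documentation","url":"https://docs.example.com/gadget"},{"type":"distribution","url":"https://dl.example.com/gadget.tgz"}]},
 {"name":"gizmo","purl":"pkg:golang/example.com/gizmo@v0.3.0"}]}`

func main() {
	s, _ := SPDXURLs([]byte(sampleSPDX))
	c, _ := CDXURLs([]byte(sampleCDX))
	fmt.Println("spdx:", s)
	fmt.Println("cdx: ", c)
}
```

libbaz ends up with no URL at all: a reviewer of the generated notice should treat an empty URL as "could not be verified", not as a clean result, and a purl-derived fallback URL is only as trustworthy as the purl the SBOM producer wrote.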

Supported Formats

License

MIT

Documentation

Overview

Package sbomattr provides a high-level API for extracting attribution information from Software Bill of Materials (SBOM) files in SPDX and CycloneDX formats.

Supported formats:

  • SPDX 2.3 (JSON)
  • CycloneDX 1.4 (JSON)
  • GitHub-wrapped SBOMs (JSON)

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Process

func Process(ctx context.Context, data []byte, logger *slog.Logger) ([]attribution.Attribution, error)

Process processes a single SBOM file provided as a byte slice. It automatically detects the SBOM format (SPDX or CycloneDX), parses it, and extracts attribution information.

The context parameter can be used for cancellation. The logger parameter is optional; pass nil to disable logging.

Returns a slice of Attribution structs or an error if the SBOM cannot be processed.

func ProcessFiles

func ProcessFiles(ctx context.Context, filenames []string, logger *slog.Logger) ([]attribution.Attribution, error)

ProcessFiles processes multiple SBOM files from the filesystem. It reads each file, processes the SBOM, aggregates the results, and deduplicates attributions based on Package URL (purl) or name if purl is not available.

The context parameter can be used for cancellation. The logger parameter is optional; pass nil to disable logging. Errors processing individual files are logged but do not stop processing of other files.

Returns the deduplicated attributions or an error if no valid attributions could be extracted.
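The two behaviours described for Process and ProcessFiles, format detection and purl-or-name deduplication, as an added example that is not the sbomattr implementation. The Attribution struct is a reduced stand-in with assumed field names, since the page does not list the fields of attribution.Attribution. The detection keys are from the formats themselves: SPDX JSON carries a top-level "spdxVersion", CycloneDX carries "bomFormat": "CycloneDX", and GitHub's dependency-graph API wraps an SPDX document under a top-level "sbom" key.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Attribution is an assumed, reduced stand-in for attribution.Attribution.
type Attribution struct {
	Name    string
	Version string
	License string
	Purl    string
}

type Format string

const (
	FormatSPDX      Format = "spdx"
	FormatCycloneDX Format = "cyclonedx"
)

// detectFormat sniffs top-level keys and returns the format plus the document to parse,
// which is the inner document when the input is a GitHub-wrapped SBOM.
func detectFormat(data []byte) (Format, []byte, error) {
	var probe struct {
		SPDXVersion string          `json:"spdxVersion"`
		BomFormat   string          `json:"bomFormat"`
		SBOM        json.RawMessage `json:"sbom"`
	}
	if err := json.Unmarshal(data, &probe); err != nil {
		return "", nil, fmt.Errorf("not valid JSON: %w", err)
	}
	switch {
	case probe.SPDXVersion != "":
		return FormatSPDX, data, nil
	case probe.BomFormat == "CycloneDX":
		return FormatCycloneDX, data, nil
	case len(probe.SBOM) > 0:
		// Unwrap the GitHub envelope and detect the inner document.
		return detectFormat(probe.SBOM)
	}
	return "", nil, errors.New("unrecognised SBOM format")
}

// dedupKey follows the ProcessFiles contract: purl when present, otherwise name.
// The prefixes keep a purl from ever colliding with a bare name.
func dedupKey(a Attribution) string {
	if a.Purl != "" {
		return "purl:" + a.Purl
	}
	return "name:" + a.Name
}

// Dedup keeps the first attribution seen for each key and preserves input order.
func Dedup(attrs []Attribution) []Attribution {
	seen := make(map[string]bool, len(attrs))
	out := make([]Attribution, 0, len(attrs))
	for _, a := range attrs {
		k := dedupKey(a)
		if seen[k] {
			continue
		}
		seen[k] = true
		out = append(out, a)
	}
	return out
}

// Constructed sample inputs (not real SBOMs).
const sampleSPDX = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"app","packages":[]}`
const sampleCDX = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}`
const sampleGitHub = `{"sbom":{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"repo","packages":[]}}`

var sampleAttrs = []Attribution{
	{Name: "libfoo", Version: "1.0.0", License: "MIT", Purl: "pkg:github/example/libfoo@1.0.0"},
	{Name: "libfoo", Version: "1.0.0", License: "MIT", Purl: "pkg:github/example/libfoo@1.0.0"}, // same purl: dropped
	{Name: "libbar", Version: "2.0.0", License: "Apache-2.0"},                                   // no purl: keyed by name
	{Name: "libbar", Version: "2.1.0", License: "Apache-2.0"},                                   // same name, no purl: dropped
	{Name: "libbar", Version: "0.9.0", License: "BSD-3-Clause", Purl: "pkg:npm/libbar@0.9.0"},   // purl differs: kept
}

func main() {
	for _, doc := range []string{sampleSPDX, sampleCDX, sampleGitHub} {
		f, _, err := detectFormat([]byte(doc))
		fmt.Println(f, err)
	}
	fmt.Println(len(Dedup(sampleAttrs)), "unique attributions")
}
```

The last two libbar entries show the caveat in name-based fallback: without a purl, two different packages that share a name collapse into one attribution and one of their licenses is silently lost from the notice, which is why SBOM producers should emit purls and why a notice built from purl-less SBOMs deserves a manual review.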

Types

This section is empty.

Directories

Path: Synopsis
attribution: Package attribution provides types and functions for working with attribution information.
cmd/sbomattr: sbomattr command
cyclonedxextract: Package cyclonedxextract provides parsing and extraction functionality for CycloneDX SBOMs.
format: Package format provides output formatters for attribution data.
internal/sbom: Package sbom provides internal utilities for working with SBOM (Software Bill of Materials) formats.
spdxextract: Package spdxextract provides parsing and extraction functionality for SPDX SBOMs.
