Tool to merge cyclonedx files (json/xml)
go install github.com/fnxpt/cyclonedx-merge@latest
docker run -v `pwd`/sbom/:/sbom/ fnxpt/cyclonedx-merge:latest --dir /sbom/ > output.json
Usage:
-bomref value
BOMRef of the merged parent component
-dir value
merges files in directory
-file value
merges file
-format value
output format - json/xml (default: json)
-group value
group of the merged parent component
-mode value
merge mode - normal/flat/smart (default: normal)
-name value
name of the merged parent component
-output value
output file (default: stdout)
-type value
type of the aggregator component
-version value
version of the merged parent component
Mode | Description | Example |
---|---|---|
Normal | This merge the sboms and keep the relationships, this may lead to wrong dependencies on the graph | SBOM1 has libA that depends on libB:1.0; SBOM2 has libA that depends on libB:2.0 Outcome: Merged SBOM will have libA that dependes on libB:1.0 and libB:2.0 |
Flat | This is merge the sboms and sets all relationships on the second level, this leads to a simplified version of the graph, losing most of the relationships | SBOM1 has libA that depends on libB:1.0 that dependends on libC SBOM2 has libA that depends on libB:2.0 that dependends on libC Outcome: Merged SBOM will have libA that depends on libB:1.0 and libC in main component of SBOM1 and libA that depends on libB:2.0 and libC in main component of SBOM2 |
Smart | To be implemented |
If ids
from both objects are the same we consider that the objects are equal and keep the first object.
Type | Ids | Comment |
---|---|---|
Annotations | BomRef | |
Components | BomRef | |
Compositions | BomRef | |
ExternalReferences | URL & Type | |
Properties | Name & Value | If different files have properties with the same name, its impossible to merge them |
Services | BomRef |