debsbom delta
Synopsis
debsbom delta [-h] [-o OUT] [--distro-name DISTRO_NAME]
              [--distro-supplier DISTRO_SUPPLIER]
              [--distro-version DISTRO_VERSION]
              [--distro-summary DISTRO_SUMMARY]
              [--base-distro-vendor {debian,ubuntu}]
              [--cdx-standard {default,standard-bom}]
              [--spdx-namespace SPDX_NAMESPACE]
              [--cdx-serialnumber CDX_SERIALNUMBER] [--timestamp TIMESTAMP]
              [--add-meta-data key=value] [--validate] [-t {cdx,spdx}]
              base_sbom target_sbom
Description
List components changed in the target SBOM
Compute the delta between base and target SBOMs, producing a new SBOM containing only additional components from the target.
The delta command compares two SBOMs and produces a new SBOM containing only the components that are present in the target SBOM but not in the base (reference) SBOM.
The most common use case is identifying components added between two builds, images, or distribution states (for example, comparing a previous release SBOM against a newer one). Another is filtering out components that have already been license-cleared, so that the resulting SBOM contains only the components still pending license clearance.
The comparison is directional:
Base SBOM – treated as the reference
Target SBOM – treated as the new or updated SBOM
Given the following structure:
Base SBOM
base-root
|- binary-dep1
| |- source-dep1
|- binary-dep2
Target SBOM
target-root
|- binary-dep1
| |- source-dep1
|- binary-dep2
|- binary-dep3
| |- source-dep3
Running delta would produce:
delta-doc-root
|- binary-dep3
| |- source-dep3
Components are considered the same if they share the same PURL (Package URL). Only components that are new in the target SBOM, along with their nested dependencies, are included in the resulting SBOM.
Options
Positional Arguments
- base_sbom
SBOM file(s) to process for ‘base_sbom’. Use ‘-’ to read from stdin
- target_sbom
SBOM file(s) to process for ‘target_sbom’. Use ‘-’ to read from stdin
Named Arguments
- -o='extras', --out='extras'
filename for output (default: ‘extras’). Use ‘-’ to write to stdout
- --distro-name='Debian'
distro name (default: ‘Debian’)
- --distro-supplier
supplier for the root component
- --distro-version
version for the root component
- --distro-summary
short description of distro component (single line)
- --base-distro-vendor='debian'
vendor of the Debian-based distribution (debian or ubuntu)
Possible choices: debian, ubuntu
- --cdx-standard='default'
generate SBOM according to this spec (only for CDX)
Possible choices: default, standard-bom
- --spdx-namespace
document namespace, must be a valid URI (only for SPDX)
- --cdx-serialnumber
document serial number, must be a UUID in 8-4-4-4-12 format (only for CDX)
- --timestamp
document timestamp in ISO 8601 format
- --add-meta-data
add arbitrary metadata properties to the SBOM
- --validate=False
validate generated SBOM (only for SPDX)
- -t, --sbom-type
SBOM type to process (default: auto-detect), required when reading from stdin
Possible choices: cdx, spdx
SEE ALSO
debsbom-generate(1)
DEBSBOM
Part of the debsbom(1) suite.