debsbom merge

Synopsis

debsbom merge [-h] [-o OUT] [--distro-name DISTRO_NAME]
              [--distro-supplier DISTRO_SUPPLIER]
              [--distro-version DISTRO_VERSION]
              [--distro-summary DISTRO_SUMMARY]
              [--base-distro-vendor {debian,ubuntu}]
              [--cdx-standard {default,standard-bom}]
              [--spdx-namespace SPDX_NAMESPACE]
              [--cdx-serialnumber CDX_SERIALNUMBER] [--timestamp TIMESTAMP]
              [--add-meta-data key=value] [--validate] [-t {cdx,spdx}]
              [--omit-roots]
              sboms [sboms ...]

Description

Merge multiple SBOMs

Merge multiple SBOMs into a single one.

The merge command merges multiple SBOMs hierarchically. The most common use case is combining multiple parts of a Debian-based Linux distribution, such as a rootfs and an initrd.

The merged SBOM contains the root components/packages of the input SBOMs at the first dependency level. The following structure in two SBOMs

doc1-root
|- binary-dep1
|  |- source-dep1
|- binary-dep2

doc2-root
|- binary-dep3
|  |- source-dep3
|- binary-dep4

would turn into this:

merged-doc-root
|- doc1-root
|  |- binary-dep1
|  |  |- source-dep1
|  |- binary-dep2
|- doc2-root
|  |- binary-dep3
|  |  |- source-dep3
|  |- binary-dep4

Duplicated components are identified solely by their PURL. If a component/package has no PURL, it cannot be matched and is treated as completely unique. If a component/package is identified as identical across documents, its contents are merged and its SBOM reference IDs in the merged document are combined as well: the ID is replaced with the one appearing first in the passed list of SBOMs. Duplicate entries and duplicate dependencies are also removed.
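To make the rules above concrete, here is an added Python sketch of the merge on a minimal in-memory model; it is not debsbom's own code. The Sbom class, the "+" suffix used for clashing bom-refs, and the two sample documents (mirroring the tree drawn above, plus a "bd1-again" entry in doc2 that shares a PURL with doc1's binary-dep1) are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Sbom:
    root: str                              # bom-ref of the document's root component
    components: dict[str, dict]            # bom-ref -> {"name": ..., "purl": ... (optional)}
    deps: dict[str, list[str]]             # bom-ref -> refs it depends on

def merge_sboms(sboms, new_root="merged-doc-root", omit_roots=False):
    merged = Sbom(new_root, {new_root: {"name": new_root}}, {new_root: []})
    by_purl = {}                           # PURL -> ref already present in the merged document
    for sbom in sboms:
        alias = {}                         # this document's ref -> ref in the merged document
        for ref, comp in sbom.components.items():
            purl = comp.get("purl")
            if purl in by_purl:            # same PURL: identical package, keep the earlier ID
                target = by_purl[purl]     # and combine contents (earlier document's fields win)
                merged.components[target] = {**comp, **merged.components[target]}
            else:                          # no PURL, or unseen PURL: a completely unique component
                target = ref
                while target in merged.components:   # hypothetical: suffix a clashing bom-ref
                    target += "+"
                merged.components[target] = dict(comp)
                if purl is not None:
                    by_purl[purl] = target
            alias[ref] = target
        for ref, targets in sbom.deps.items():       # rewrite edges through the alias table
            edges = merged.deps.setdefault(alias[ref], [])
            for dep in targets:
                if alias[dep] not in edges:          # duplicate dependency entries are dropped
                    edges.append(alias[dep])
        root = alias[sbom.root]
        if omit_roots:                     # --omit-roots: children go straight under the new root
            for child in merged.deps.pop(root, []):
                if child not in merged.deps[new_root]:
                    merged.deps[new_root].append(child)
            del merged.components[root]
        elif root not in merged.deps[new_root]:
            merged.deps[new_root].append(root)
    return merged

def pkg(name):                             # constructed sample component with a Debian PURL
    return {"name": name, "purl": f"pkg:deb/debian/{name}@1.0"}
DOC1 = Sbom("doc1-root",
            {"doc1-root": {"name": "doc1-root"}, **{n: pkg(n) for n in ("binary-dep1", "source-dep1", "binary-dep2")}},
            {"doc1-root": ["binary-dep1", "binary-dep2"], "binary-dep1": ["source-dep1"]})
DOC2 = Sbom("doc2-root",                   # "bd1-again" carries the same PURL as doc1's binary-dep1
            {"doc2-root": {"name": "doc2-root"}, **{n: pkg(n) for n in ("binary-dep3", "source-dep3", "binary-dep4")},
             "bd1-again": pkg("binary-dep1")},
            {"doc2-root": ["binary-dep3", "binary-dep4", "bd1-again"], "binary-dep3": ["source-dep3"]})
```

Running merge_sboms([DOC1, DOC2]) places doc1-root and doc2-root under merged-doc-root and rewrites doc2's bd1-again edge to binary-dep1; with omit_roots=True the four binary packages hang directly under the new root.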

Options

Positional Arguments

sboms

SBOM file(s) to process (‘sboms’). Use ‘-’ to read from stdin

Named Arguments

-o='merged', --out='merged'

filename for output (default: ‘merged’). Use ‘-’ to write to stdout

--distro-name='Debian'

distro name (default: ‘Debian’)

--distro-supplier

supplier for the root component

--distro-version

version for the root component

--distro-summary

short description of distro component (single line)

--base-distro-vendor='debian'

vendor of the Debian-based distribution (debian or ubuntu)

Possible choices: debian, ubuntu

--cdx-standard='default'

generate SBOM according to this spec (only for CDX)

Possible choices: default, standard-bom

--spdx-namespace

document namespace, must be a valid URI (only for SPDX)

--cdx-serialnumber

document serial number, must be a UUID in 8-4-4-4-12 format (only for CDX)

--timestamp

document timestamp in ISO 8601 format

--add-meta-data

add arbitrary metadata properties to the SBOM

--validate=False

validate generated SBOM (only for SPDX)

-t, --sbom-type

SBOM type to process (default: auto-detect), required when reading from stdin

Possible choices: cdx, spdx

--omit-roots=False

omit the root nodes of the input SBOMs when merging; all packages are then placed directly under the shared new root

SEE ALSO

debsbom-generate(1)

DEBSBOM

Part of the debsbom(1) suite.