
Add SPDX Import Dry-Run Mode with Impact Analysis and Conflict Detection #3629

@ADITYA-CODE-SOURCE


🚀 Summary

SW360 currently allows importing SPDX/SBOM files and persists the changes immediately after upload.
Users do not have the ability to preview the expected impact of an import before data is written
to the database.

This can lead to:

  • Duplicate components being created
  • Unintended or conflicting license associations
  • Partial or inconsistent imports due to validation failures
  • Reduced transparency and user confidence

🛠️ Proposed Solution

Introduce an SPDX Import Dry-Run Mode that simulates the import process without persisting any
data and returns a detailed impact analysis.

A new REST endpoint should be added to perform a read-only import simulation using existing SPDX
parsing and validation logic.

Backend Requirements

  • Add a new REST API endpoint for dry-run SPDX import
  • Parse and validate SPDX files using existing import logic
  • Detect and report:
    • Components that would be newly created
    • Components that already exist in SW360
    • License conflicts or mismatches
    • Invalid or unsupported SPDX entries
  • Ensure no database writes are performed during dry-run

Impact Report

The dry-run endpoint should return a structured JSON response containing:

  • newComponents
  • existingComponents
  • licenseConflicts
  • warnings or validation errors

Example response structure:

{
  "newComponents": [],
  "existingComponents": [],
  "licenseConflicts": [],
  "warnings": []
}
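To make the proposed behaviour concrete, here is a small stand-alone model of the dry-run analysis, added as an illustration and not code from SW360 or from this issue's author. It reads a constructed SPDX 2.3 JSON document (the `packages` list with `name`, `versionInfo`, `licenseConcluded` and `licenseDeclared`, as in the real format), compares each package against a constructed in-memory stand-in for the SW360 component catalog, and builds the four-part report from the issue. The catalog is wrapped in a read-only proxy so the simulation cannot write to it even by accident, which is the property a real endpoint would need to guarantee against the database. Function and key names (`dry_run_import`, `EXISTING_COMPONENTS`, the warning codes) are assumptions for the example.

```python
"""Model of an SPDX import dry-run: parse, compare against a catalog, report, never write."""
import json
from types import MappingProxyType

# Constructed stand-in for the SW360 component database: (name, version) -> known license.
# MappingProxyType makes it read-only, so any attempted write in the dry-run raises TypeError.
EXISTING_COMPONENTS = MappingProxyType({
    ("log4j-core", "2.17.1"): "Apache-2.0",
    ("openssl", "3.0.2"): "Apache-2.0",
    ("zlib", "1.2.13"): "Zlib",
})

# Constructed subset of SPDX license identifiers the instance is assumed to recognise.
KNOWN_LICENSES = frozenset({"Apache-2.0", "MIT", "Zlib", "GPL-2.0-only", "BSD-3-Clause"})

# Constructed SPDX 2.3 JSON input (not a real SBOM); covers the cases the issue lists.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "log4j-core", "versionInfo": "2.17.1",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-Package-2", "name": "openssl", "versionInfo": "3.0.2",
         "licenseConcluded": "OpenSSL", "licenseDeclared": "OpenSSL"},
        {"SPDXID": "SPDXRef-Package-3", "name": "jackson-databind", "versionInfo": "2.15.2",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-Package-4", "name": "mystery-lib",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-5", "name": "zlib", "versionInfo": "1.2.13",
         "licenseConcluded": "Zlib", "licenseDeclared": "Zlib"},
        {"SPDXID": "SPDXRef-Package-6", "name": "zlib", "versionInfo": "1.2.13",
         "licenseConcluded": "Zlib", "licenseDeclared": "Zlib"},
    ],
})


def dry_run_import(spdx_text, existing=EXISTING_COMPONENTS, known_licenses=KNOWN_LICENSES):
    """Simulate an SPDX import and return the impact report; performs no writes."""
    report = {"newComponents": [], "existingComponents": [],
              "licenseConflicts": [], "warnings": []}
    try:
        doc = json.loads(spdx_text)
    except json.JSONDecodeError as exc:
        report["warnings"].append({"code": "INVALID_JSON", "message": str(exc)})
        return report
    if not isinstance(doc, dict) or not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        report["warnings"].append({"code": "UNSUPPORTED_VERSION",
                                   "value": doc.get("spdxVersion") if isinstance(doc, dict) else None})
        return report

    seen = set()  # (name, version) pairs already handled, to flag duplicates inside the SBOM
    for pkg in doc.get("packages", []):
        spdx_id = pkg.get("SPDXID", "<missing SPDXID>")
        name, version = pkg.get("name"), pkg.get("versionInfo")
        if not name or not version:
            # SW360 components are keyed by name and version; without both, nothing can be matched.
            report["warnings"].append({"code": "MISSING_NAME_OR_VERSION", "spdxId": spdx_id})
            continue
        key = (name, version)
        if key in seen:
            report["warnings"].append({"code": "DUPLICATE_IN_SBOM", "spdxId": spdx_id,
                                       "name": name, "version": version})
            continue
        seen.add(key)

        # Prefer the concluded license; fall back to declared; NOASSERTION means "unknown".
        lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        entry = {"spdxId": spdx_id, "name": name, "version": version, "license": lic}
        if lic != "NOASSERTION" and lic not in known_licenses:
            report["warnings"].append({"code": "UNKNOWN_LICENSE", "spdxId": spdx_id, "license": lic})

        if key in existing:
            report["existingComponents"].append(entry)
            current = existing[key]
            if lic != "NOASSERTION" and lic != current:
                # The SBOM would change an existing component's license: report, do not apply.
                report["licenseConflicts"].append({"spdxId": spdx_id, "name": name,
                                                   "version": version,
                                                   "existingLicense": current,
                                                   "importedLicense": lic})
        else:
            report["newComponents"].append(entry)
    return report


if __name__ == "__main__":
    print(json.dumps(dry_run_import(SAMPLE_SPDX), indent=2))
```

Running it on the constructed input reports one new component (`jackson-databind`), three existing ones, one license conflict (`openssl` declared as `OpenSSL` in the SBOM versus `Apache-2.0` in the catalog) and three warnings (an unrecognised license, a package without a version, and a duplicate entry). The catalog is unchanged afterwards, which is the check a test for the real endpoint should make against the database.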
