go install github.com/fnxpt/cyclonedx-merge@latest
docker run -v `pwd`/sbom/:/sbom/ fnxpt/cyclonedx-merge:latest --dir /sbom/ > output.json
Usage:
-bomref value
BOMRef of the merged parent component
-dir value
merges files in directory
-file value
merges file
-format value
output format - json/xml (default: json)
-group value
group of the merged parent component
-mode value
merge mode - normal/flat/smart (default: normal)
-name value
name of the merged parent component
-output value
output file (default: stdout)
-type value
type of the aggregator component
-version value
version of the merged parent component
| Mode | Description | Example |
|---|---|---|
| Normal | This merge the sboms and keep the relationships, this may lead to wrong dependencies on the graph | SBOM1 has libA that depends on libB:1.0; SBOM2 has libA that depends on libB:2.0 Outcome: Merged SBOM will have libA that dependes on libB:1.0 and libB:2.0 |
| Flat | This is merge the sboms and sets all relationships on the second level, this leads to a simplified version of the graph, losing most of the relationships | SBOM1 has libA that depends on libB:1.0 that dependends on libC SBOM2 has libA that depends on libB:2.0 that dependends on libC Outcome: Merged SBOM will have libA that depends on libB:1.0 and libC in main component of SBOM1 and libA that depends on libB:2.0 and libC in main component of SBOM2 |
| Smart | To be implemented |
If ids from both objects are the same we consider that the objects are equal and keep the first object.
| Type | Ids | Comment |
|---|---|---|
| Annotations | BomRef | |
| Components | BomRef | |
| Compositions | BomRef | |
| ExternalReferences | URL & Type | |
| Properties | Name & Value | If different files have properties with the same name, its impossible to merge them |
| Services | BomRef |