CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0
302 stars, 60 forks

Add option to remove all `internal` namespaced properties from a BOM #167

Open coderpatros opened 3 years ago

mrutkows commented 2 years ago

@coderpatros Thanks for opening the issue. The use case is as follows...

Background: We are using multiple scan tools to produce SBOMs against the same source repos/artifacts in our automated CI pipelines, each in its own parallel branch. Some of the tools produce CycloneDX (various versions) or SPDX (typically version 2.2).

Use Case (Normalization and comparison across tools): Once all the independent "branches" complete, we attempt to "normalize" output to CycloneDX for comparison (especially against our canonical tool, which produces the most complete CDX output) to look for any discrepancies.

At that point, we do not need or intend to use any "reverse" transform to return to the original format, and with the added metadata, comparison becomes much more difficult (manually, with hopes to automate with intelligent diff tools) with the thousands of meta-properties that record specific data transforms.

Proposal: It was my hope that the tool could easily add a flag to "turn off" these additional meta-properties at generation time so we did not have to strip them later (needing to write yet another utility to only strip the meta-properties) prior to normalization and comparison/diff. In addition, these properties grew the size of the CycloneDX output to quite a degree, making them more imposing to inspection and storage (put, get). For example, we always run "transitive" for components listing/dep. graph, and for our products this can mean tens of thousands of components.
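The stripping step the comment above describes (removing every property in the reserved `internal` namespace before normalizing and diffing BOMs) is small enough to show end to end. The script below is an added example written for this page; it is not code from cyclonedx-cli, and the `internal:` prefix, the walk over nested `components`, and the sample BOM are all assumptions of the example rather than anything the issue specifies. It works on a CycloneDX JSON document, walks every object that carries a `properties` array (metadata, the root component, components and nested components alike), drops entries whose `name` starts with `internal:`, and removes `properties` arrays that become empty so the cleaned BOM diffs cleanly against one that never had them.

```python
import json
import sys
from copy import deepcopy

# CycloneDX reserves the `internal` namespace for properties that should not
# leave the producing organization; names take the form "namespace:name".
INTERNAL_PREFIX = "internal:"

# Constructed sample BOM in CycloneDX 1.4 JSON shape (not real scan output).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {
            "type": "application", "name": "demo-app", "version": "1.0.0",
            "properties": [
                {"name": "internal:scan-id", "value": "run-0001"},
                {"name": "cdx:npm:package:path", "value": "."},
            ],
        },
        "properties": [{"name": "internal:pipeline-branch", "value": "tool-a"}],
    },
    "components": [
        {
            "type": "library", "name": "left-pad", "version": "1.3.0",
            "properties": [
                {"name": "internal:transform", "value": "spdx->cdx"},
                {"name": "internal:transform", "value": "dedupe"},
                {"name": "cdx:npm:package:development", "value": "false"},
            ],
            # Nested subcomponent: the walk must reach these too.
            "components": [
                {"type": "library", "name": "inner", "version": "0.1.0",
                 "properties": [{"name": "internal:origin", "value": "tool-a"}]}
            ],
        },
        {
            "type": "library", "name": "lodash", "version": "4.17.21",
            "properties": [{"name": "internal:only", "value": "1"}],
        },
    ],
}


def strip_internal_properties(bom, prefix=INTERNAL_PREFIX):
    """Return (cleaned_bom, removed_count).

    The input is not modified. Every dict anywhere in the document that has a
    `properties` list is filtered, so metadata, root component, components and
    nested components are all covered without hard-coding the schema paths.
    A `properties` list that ends up empty is deleted rather than left as [].
    """
    removed = 0

    def walk(node):
        nonlocal removed
        if isinstance(node, dict):
            props = node.get("properties")
            if isinstance(props, list):
                kept = [
                    p for p in props
                    if not (isinstance(p, dict)
                            and str(p.get("name", "")).startswith(prefix))
                ]
                removed += len(props) - len(kept)
                if kept:
                    node["properties"] = kept
                else:
                    del node["properties"]
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    cleaned = deepcopy(bom)
    walk(cleaned)
    return cleaned, removed


def serialized_size(bom):
    """Byte size of the BOM as compact JSON, to show the storage effect."""
    return len(json.dumps(bom, separators=(",", ":")).encode("utf-8"))


if __name__ == "__main__":
    # Usage: python strip_internal.py [bom.json]  (defaults to the sample BOM)
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    cleaned, n = strip_internal_properties(source)
    print(f"removed {n} internal properties, "
          f"{serialized_size(source)} -> {serialized_size(cleaned)} bytes",
          file=sys.stderr)
    json.dump(cleaned, sys.stdout, indent=2)
```

Because the walk is key-based rather than path-based, it also handles `properties` on services, the root `metadata`, and any future schema locations without changes; the trade-off is that it would also filter a `properties` array under a key that is not a CycloneDX property list, which the standard schemas do not contain.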