Lockheed Martin developed utility to combine multiple SBOMs
This application combines two or more Software Bills of Materials (SBOMs), commonly known as SBoms or Boms, into a single Bom. It uses the CycloneDX schema, accepts SBoms in either JSON or XML, and outputs either a JSON or XML Bom.
mvn clean package
To run as a standalone Java application, see the "example.sh" shell script for an example. You can also use the provided "combine.sh" script as a pass-through to the jar. It assumes all the basic settings.
./combine.sh -h
usage: help
  -d, --dir <arg>       (Optional) directory to get all SBoms from
  -f, --format <arg>    (Optional) output file format, Valid values json, xml. Default is json
  -f1, --sbom1 <arg>    (Optional) first SBom file
  -f2, --sbom2 <arg>    (Optional) second SBom file
  -g, --group <arg>     (Optional) group name for the upper level Component of the combined SBom
  -h, --help            will print out the command line options.
  -n, --name <arg>      (Optional) name of upper level component of the combined SBom
  -o, --output <arg>    (Optional) output file name, default is combine.json or combine.xml
  -t, --type <arg>      (Optional) Type of upper level component of the combined SBom. Valid types are APPLICATION, CONTAINER, DEVICE, FILE, FIRMWARE, FRAMEWORK, LIBRARY, or OPERATING_SYSTEM. Default value is CONTAINER.
  -v --version <arg>    (Optional) Version of the upper level component of the combined SBom.
./combine.sh -d ./test -o ./test/output -f json
./combine.sh -f1 ./test/sbomcommons.json -f2 ./test/sbomcomparator.xml -o output -f xml
./combine.sh -d ./test/ -o ./test/output -f xml -n SBOM -g com.lmco.efoss -v 2.0.3
// sbomFiles is a list of strings that are the SBoms to combine.
Bom combinedSbom = SBomCombiner.combineSBoms(sbomFiles);
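A post-merge completeness check, added here as an example and not part of this project's code: it reports any component listed in an input SBom that is absent from the combined Bom, so a dropped dependency is caught before the merged file feeds vulnerability scanning. It assumes JSON (not XML) documents and makes no assumption about where the tool places components, so it walks nested components and metadata.component; the function names and sample documents are hypothetical.

```python
import json

def component_keys(bom, include_root=False):
    """Identity keys of every component in a CycloneDX JSON BOM, nested ones included."""
    stack = list(bom.get("components", []))
    root = bom.get("metadata", {}).get("component")
    if include_root and root:
        stack.append(root)
    keys = set()
    while stack:
        comp = stack.pop()
        # Prefer the package URL; fall back to group/name/version when it is absent.
        keys.add(comp.get("purl") or "{}:{}@{}".format(
            comp.get("group", ""), comp.get("name", ""), comp.get("version", "")))
        stack.extend(comp.get("components", []))  # CycloneDX allows nested components
    return keys

def missing_after_combine(inputs, combined):
    """Map each input label to the components that did not survive the merge."""
    kept = component_keys(combined, include_root=True)
    report = {}
    for label, bom in inputs.items():
        lost = component_keys(bom) - kept
        if lost:
            report[label] = sorted(lost)
    return report

# Constructed sample documents (not output of the tool), trimmed to the fields used.
SBOM_A = json.loads('''{"bomFormat": "CycloneDX", "components": [
  {"type": "library", "name": "commons-cli", "version": "1.5.0",
   "purl": "pkg:maven/commons-cli/commons-cli@1.5.0"},
  {"type": "library", "group": "org.example", "name": "no-purl-lib", "version": "0.1"}]}''')
SBOM_B = json.loads('''{"bomFormat": "CycloneDX", "components": [
  {"type": "library", "name": "jackson-core", "version": "2.15.2",
   "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2"}]}''')
# A constructed combined BOM that nests everything under one container but lost jackson-core.
COMBINED = json.loads('''{"bomFormat": "CycloneDX",
  "metadata": {"component": {"type": "container", "name": "SBOM", "version": "2.0.3"}},
  "components": [{"type": "container", "name": "SBOM", "version": "2.0.3", "components": [
    {"type": "library", "name": "commons-cli", "version": "1.5.0",
     "purl": "pkg:maven/commons-cli/commons-cli@1.5.0"},
    {"type": "library", "group": "org.example", "name": "no-purl-lib", "version": "0.1"}]}]}''')

if __name__ == "__main__":
    report = missing_after_combine({"a.json": SBOM_A, "b.json": SBOM_B}, COMBINED)
    for label, lost in report.items():
        print(label, "lost:", ", ".join(lost))
```

With real files, load each input and the combined output with json.load and pass them in the same way; an empty report means every listed input component is present in the combined Bom.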