spdx / cdx2spdx

Utility that converts SBOM documents from CycloneDX to SPDX
Apache License 2.0

cdx2spdx

Prototype utility that converts SBOM documents from CycloneDX to SPDX.

Status

This code is still under development and may not be considered stable.

Usage

java -jar cdx2spdx-[version]-jar-with-dependencies.jar cyclonedx.json spdx.json

where cyclonedx.json is an existing CycloneDX JSON file and spdx.json is a file path to the resulting SPDX file generated from the CycloneDX file.

Although not tested, XML input should work for CycloneDX, and all supported SPDX file formats should work for the output file (e.g. tag/value, XLSX, XML, RDF/XML, YAML).

Dockerfile

You can also use the included Dockerfile to run this tool using the following build commands. Please note that the input file names are hardcoded as cyclonedx.json and spdx.json and should be changed according to the desired result.

docker build -t cdx2spdx .

docker run -v <directory where cyclonedx.json is located>:/cdx2spdx/sboms -it --rm cdx2spdx

Design and Implementation Notes

The mappings from CycloneDX to SPDX can be found in the SPDX-CycloneDX-Mapping Google Sheet.

SPDX properties highlighted in yellow do not map directly. SPDX properties highlighted in light orange do map, but have some possible exceptions listed in the notes.

Any CycloneDX property which does not map to an existing SPDX property is added as an Annotation with AnnotationType=OTHER and a comment in the following format:

MISSING_CDX_PROPERTY:<propertyname>=<propertyJSONvalue>

where <propertyname> is the CycloneDX property name and <propertyJSONvalue> is a JSON string representation of the property value.

CycloneDX Components are mapped to SPDX Packages in most cases. For a CycloneDX component of type file, if any of its properties requires a package (e.g. supplier, originator), the component is converted to an SPDX Package whose packageFileName is the component name. If a type file component has no package-level properties, it is converted to an SPDX File. This is essentially a duck-typing approach that distinguishes CycloneDX files carrying distribution information consistent with an SPDX package from CycloneDX files that contain no SPDX package-level information.
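To make the two rules above concrete (the MISSING_CDX_PROPERTY annotation format and the duck-typing decision for type file components), here is an added Python sketch; it is not the project's Java code, and the two field sets are assumptions standing in for the project's mapping sheet.

```python
import json

# Assumed subset of CycloneDX component fields that require an SPDX Package
# (the real list lives in the project's SPDX-CycloneDX mapping sheet).
PACKAGE_ONLY_FIELDS = {"supplier", "author", "publisher", "purl"}
# Assumed fields that map directly to either an SPDX File or Package.
COMMON_FIELDS = {"type", "name", "version", "description", "hashes", "licenses"}

def missing_property_annotation(name, value):
    """Build the README's MISSING_CDX_PROPERTY:<name>=<JSON value> annotation
    for a CycloneDX property with no SPDX counterpart."""
    return {"annotationType": "OTHER",
            "comment": f"MISSING_CDX_PROPERTY:{name}="
                       f"{json.dumps(value, separators=(',', ':'))}"}

def map_component(component):
    """Duck-type a CycloneDX component: a type=file component with no
    package-level property becomes an SPDX File; anything else becomes an
    SPDX Package, with packageFileName set when it was a file component."""
    ctype = component.get("type")
    has_pkg_props = any(k in component for k in PACKAGE_ONLY_FIELDS)
    if ctype == "file" and not has_pkg_props:
        spdx = {"spdxType": "File", "fileName": component["name"]}
    else:
        spdx = {"spdxType": "Package", "name": component["name"]}
        if ctype == "file":
            spdx["packageFileName"] = component["name"]
    known = COMMON_FIELDS | PACKAGE_ONLY_FIELDS
    # Every unmapped property is preserved verbatim as an annotation.
    spdx["annotations"] = [missing_property_annotation(k, v)
                           for k, v in component.items() if k not in known]
    return spdx

# Constructed sample components, not taken from a real SBOM.
SAMPLE_COMPONENTS = [
    {"type": "file", "name": "src/main.c",
     "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
    {"type": "file", "name": "vendor.tar.gz", "version": "1.0",
     "supplier": {"name": "Example Org"}},
    {"type": "library", "name": "libfoo", "version": "2.3",
     "purl": "pkg:generic/libfoo@2.3", "modified": True},
]

if __name__ == "__main__":
    for c in SAMPLE_COMPONENTS:
        print(json.dumps(map_component(c), indent=2))
```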

Development

Contributing

Contributions are welcome. See the CONTRIBUTING.md file for more information.

Acknowledgements

This repository references and uses the CycloneDX Specification which is licensed under the Apache 2.0 license.