delta command

The delta command compares two SBOMs and produces a new SBOM containing only the components that are present in the target SBOM but not in the base (reference) SBOM.

The most common use case is identifying new or added components between two builds, images, or distribution states (for example, comparing a previous release SBOM against a newer one). A related use is filtering out already license-cleared components, so that the resulting SBOM contains only the components still pending license clearance.

The comparison is directional:

  • Base SBOM – treated as the reference

  • Target SBOM – treated as the new or updated SBOM

Given the following structure:

Base SBOM

base-root
|- binary-dep1
|  |- source-dep1
|- binary-dep2

Target SBOM

target-root
|- binary-dep1
|  |- source-dep1
|- binary-dep2
|- binary-dep3
|  |- source-dep3

Running delta would produce:

delta-doc-root
|- binary-dep3
|  |- source-dep3

Components are considered the same if they share the same PURL (Package URL). Only components that are new in the target SBOM, along with their nested dependencies, are included in the resulting SBOM.

Note

Only SBOMs of the same type can be compared. Specifying both SPDX and CDX SBOMs will cause an error.
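The PURL matching rule and the same-type check above, as an added Python example (this is not debsbom's own code): the CycloneDX-style dict shape, the PURLs and versions are constructed, and it assumes that a new component's whole dependency subtree is carried over so that every dependency edge in the result resolves within the result.

```python
"""PURL-keyed SBOM delta, written as an illustration; this is not debsbom's own code."""

def purl(name: str) -> str:
    """Constructed Debian-style PURL with a fixed version, for brevity."""
    return f"pkg:deb/debian/{name}@1.0"

def make_sbom(root: str, tree: dict[str, list[str]], fmt: str = "CycloneDX") -> dict:
    """Minimal CycloneDX-style document from a parent -> children map; bom-ref is the PURL."""
    names = (set(tree) | {c for cs in tree.values() for c in cs}) - {root}
    return {
        "bomFormat": fmt,
        "metadata": {"component": {"bom-ref": purl(root), "purl": purl(root)}},
        "components": [{"bom-ref": purl(n), "purl": purl(n)} for n in sorted(names)],
        "dependencies": [{"ref": purl(p), "dependsOn": [purl(c) for c in cs]} for p, cs in tree.items()],
    }

def delta(base: dict, target: dict, root_ref: str = "delta-doc-root") -> dict:
    """Keep target components whose PURL is absent from base, plus their nested dependencies.
    Assumption: a new component's whole subtree is carried over so every edge resolves."""
    if base["bomFormat"] != target["bomFormat"]:       # mirrors the SPDX/CDX mixing error
        raise ValueError("base and target SBOMs must be of the same type")
    base_purls = {c["purl"] for c in base["components"]}
    by_ref = {c["bom-ref"]: c for c in target["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in target.get("dependencies", [])}
    stack = [r for r, c in by_ref.items() if c["purl"] not in base_purls]
    keep: set[str] = set()
    while stack:                                       # transitive closure, safe on cycles
        ref = stack.pop()
        if ref not in keep and ref in by_ref:
            keep.add(ref)
            stack.extend(deps.get(ref, []))
    nested = {c for r in keep for c in deps.get(r, [])}
    return {
        "bomFormat": target["bomFormat"],
        "metadata": {"component": {"bom-ref": root_ref, "name": root_ref}},
        "components": [by_ref[r] for r in sorted(keep)],
        "dependencies": [{"ref": root_ref, "dependsOn": sorted(keep - nested)}]
        + [{"ref": r, "dependsOn": deps[r]} for r in sorted(keep) if r in deps],
    }

# Constructed inputs mirroring the base and target trees shown above.
BASE = make_sbom("base-root", {"base-root": ["binary-dep1", "binary-dep2"],
                               "binary-dep1": ["source-dep1"]})
TARGET = make_sbom("target-root", {"target-root": ["binary-dep1", "binary-dep2", "binary-dep3"],
                                   "binary-dep1": ["source-dep1"], "binary-dep3": ["source-dep3"]})

def delta_purls(base: dict = BASE, target: dict = TARGET) -> list[str]:
    """PURLs of the delta document's components (sorted): binary-dep3 and source-dep3 above."""
    return [c["purl"] for c in delta(base, target)["components"]]
```

Running `delta(BASE, TARGET)` reproduces the delta-doc-root tree from the text: the new root depends on binary-dep3, which keeps its edge to source-dep3.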

Compute the delta between base and target SBOMs, producing a new SBOM containing only additional components from the target.

usage: debsbom delta [-h] [-o OUT] [--distro-name DISTRO_NAME]
                     [--distro-supplier DISTRO_SUPPLIER]
                     [--distro-version DISTRO_VERSION]
                     [--distro-summary DISTRO_SUMMARY]
                     [--base-distro-vendor {debian,ubuntu}]
                     [--cdx-standard {default,standard-bom}]
                     [--spdx-namespace SPDX_NAMESPACE]
                     [--cdx-serialnumber CDX_SERIALNUMBER]
                     [--timestamp TIMESTAMP] [--add-meta-data key=value]
                     [--validate] [-t {cdx,spdx}]
                     base_sbom target_sbom

Positional Arguments

base_sbom

sbom file(s) to process for ‘base_sbom’. Use ‘-’ to read from stdin

target_sbom

sbom file(s) to process for ‘target_sbom’. Use ‘-’ to read from stdin

Named Arguments

-o, --out

filename for output (default: ‘extras’). Use ‘-’ to write to stdout

Default: 'extras'

--distro-name

distro name (default: ‘Debian’)

Default: 'Debian'

--distro-supplier

supplier for the root component

--distro-version

version for the root component

--distro-summary

short description of distro component (single line)

--base-distro-vendor

Possible choices: debian, ubuntu

vendor of debian distribution (debian or ubuntu)

Default: 'debian'

--cdx-standard

Possible choices: default, standard-bom

generate SBOM according to this spec (only for CDX)

Default: 'default'

--spdx-namespace

document namespace, must be a valid URI (only for SPDX)

--cdx-serialnumber

document serial number, must be a UUID in 8-4-4-4-12 format (only for CDX)

--timestamp

document timestamp in ISO 8601 format

--add-meta-data

add arbitrary metadata properties to the SBOM

--validate

validate generated SBOM (only for SPDX)

Default: False

-t, --sbom-type

Possible choices: cdx, spdx

SBOM type to process (default: auto-detect), required when reading from stdin