download command

Processes an SBOM and downloads the referenced packages. If no SBOM is provided, it reads line-separated entries (name version arch) from stdin to define what shall be downloaded.

usage: debsbom download [-h] [-t {cdx,spdx}] [--outdir OUTDIR] [--sources]
                        [--binaries]
                        [bomin]

Positional Arguments

bomin

sbom file to process. Use ‘-’ to read SBOM from stdin

Named Arguments

-t, --sbom-type

Possible choices: cdx, spdx

SBOM type to process (default: auto-detect)

--outdir

directory to store downloaded files

Default: 'downloads'

--sources

download source packages

Default: False

--binaries

download binary packages

Default: False

JSON Output Schema

When the application is run with JSON output enabled (via the --json flag), status messages are emitted as single-line JSON objects to standard output. Each line represents a distinct package download operation.

The schema for these JSON objects is as follows:

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://github.com/siemens/debsbom/blob/main/src/debsbom/schema/schema-download.json",
  "title": "Download Result",
  "description": "The result of a download operation including the status, package name, package version, file name and file path.",
  "type": "object",
  "properties": {
    "status": {
      "description": "The status of the download operation.",
      "enum": ["ok", "not_found", "checksum_mismatch"]
    },
    "package": {
      "type": "object",
      "description": "An object identifying the package.",
      "properties": {
        "name": {
          "type": "string",
          "description": "The name of the package."
        },
        "version": {
          "type": "string",
          "description": "The version of the package."
        },
        "purl": {
          "type": "string",
          "description": "The package url of the package."
        }
      },
      "required": ["name", "version", "purl"]
    },
    "filename": {
      "type": "string",
      "description": "The name of the processed file or an empty string if the package is unavailable."
    },
    "path": {
      "type": "string",
      "description": "The absolute path to the downloaded file on success."
    }
  },
  "required": ["status", "package"]
}

Fields

  • status: The status of the download operation. This field will contain one of the following predefined values from the DownloadStatus enum:

    • "ok": The file was either successfully downloaded or found in the cache, and the checksum was verified.

    • "checksum_mismatch": The downloaded file’s checksum did not match the expected value.

    • "not_found": The requested file or package could not be located.

  • package: An object identifying the package, including the name, the version and the package URL (purl), each as a string.

  • filename: The name of the processed file or an empty string if the package is unavailable.

  • path: The absolute path to the downloaded file or an empty string if nothing could be downloaded.
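A consumer of this output normally wants to fail a pipeline when any package is missing or fails checksum verification. The following is an added example, not part of debsbom: it triages JSON lines against the schema above and treats unknown statuses or malformed lines as failures. The function names, the sample records and the rule that an "ok" record must carry an absolute path are assumptions of this example.

```python
import json
import posixpath

# Status values and required package keys are taken from the schema above.
KNOWN_STATUSES = ("ok", "not_found", "checksum_mismatch")
PACKAGE_KEYS = ("name", "version", "purl")

# Constructed sample output (package data and paths are made up).
SAMPLE_LINES = [
    '{"status": "ok", "package": {"name": "hello", "version": "2.10-3", '
    '"purl": "pkg:deb/debian/hello@2.10-3?arch=amd64"}, '
    '"filename": "hello_2.10-3_amd64.deb", "path": "/work/downloads/hello_2.10-3_amd64.deb"}',
    '{"status": "checksum_mismatch", "package": {"name": "foo", "version": "1.0-1", '
    '"purl": "pkg:deb/debian/foo@1.0-1?arch=amd64"}, "filename": "foo_1.0-1_amd64.deb"}',
    '{"status": "not_found", "package": {"name": "bar", "version": "0.1-2", '
    '"purl": "pkg:deb/debian/bar@0.1-2?arch=source"}, "filename": "", "path": ""}',
    '{"status": "skipped", "package": {"name": "baz", "version": "3"}}',
    'warning: this is not JSON',
]


def triage(lines):
    """Group download results by status; malformed records land in 'invalid'."""
    report = {status: [] for status in KNOWN_STATUSES}
    report["invalid"] = []  # line numbers of records that cannot be trusted
    for lineno, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            rec = None
        pkg = rec.get("package") if isinstance(rec, dict) else None
        if (not isinstance(pkg, dict)
                or rec.get("status") not in KNOWN_STATUSES
                or not all(isinstance(pkg.get(k), str) for k in PACKAGE_KEYS)):
            report["invalid"].append(lineno)
            continue
        # Policy of this example: an "ok" record must carry an absolute path.
        if rec["status"] == "ok" and not posixpath.isabs(str(rec.get("path", ""))):
            report["invalid"].append(lineno)
            continue
        report[rec["status"]].append(pkg["purl"])
    return report


def is_clean(report):
    """True only if every record is a verified 'ok' download."""
    return not (report["not_found"] or report["checksum_mismatch"] or report["invalid"])
```

Pass it the lines captured from a run with JSON output enabled and stop the build when is_clean() returns False.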