merge command

The merge command merges multiple SBOMs hierarchically. The most common use case is combining multiple parts of a Debian-based Linux distribution, like a rootfs and an initrd.

The merged SBOM contains the root components/packages of the input SBOMs at the first dependency level. The following structure in two SBOMs

doc1-root
|- binary-dep1
|  |- source-dep1
|- binary-dep2

doc2-root
|- binary-dep3
|  |- source-dep3
|- binary-dep4

would turn into this:

merged-doc-root
|- doc1-root
|  |- binary-dep1
|  |  |- source-dep1
|  |- binary-dep2
|- doc2-root
|  |- binary-dep3
|  |  |- source-dep3
|  |- binary-dep4

Duplicated components are identified solely by their PURL. If the PURL is missing from a component/package, it cannot be matched and is treated as completely unique. If a component/package is identified as identical, its contents are merged and its SBOM reference IDs in the merged document are combined too: the ID is replaced with the one appearing first in the passed list of SBOMs. Any duplicate entries and dependencies are also removed.
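The following is an added example, not debsbom's own code, of the merge rules just described applied to two small CycloneDX-style documents: each input root becomes a first-level dependency of a new root, components are matched by PURL only (a component without a PURL is never deduplicated), the bom-ref of the earliest document wins, and duplicate dependency edges collapse. The dict layout (`bom-ref`, `purl`, `dependsOn`) and the sample packages are constructed for the example, and it assumes bom-refs are unique across the input documents.

```python
import json

def mk(ref, purl=None):
    """Constructed sample component: bom-ref and name only, plus an optional PURL."""
    return {"bom-ref": ref, "name": ref, **({"purl": purl} if purl else {})}

SRC = "pkg:deb/debian/libfoo@1.0?arch=source"   # source package shared by both SBOMs
DOC1 = {"root": mk("doc1-root"),   # constructed, mirrors the doc1 tree above
        "components": [mk("binary-dep1", "pkg:deb/debian/libfoo1@1.0?arch=amd64"),
                       mk("source-dep1", SRC), mk("binary-dep2", "pkg:deb/debian/bar@2.0?arch=amd64")],
        "dependencies": [{"ref": "doc1-root", "dependsOn": ["binary-dep1", "binary-dep2"]},
                         {"ref": "binary-dep1", "dependsOn": ["source-dep1"]}]}
DOC2 = {"root": mk("doc2-root"),   # source-dep3 carries the same PURL as source-dep1
        "components": [mk("binary-dep3", "pkg:deb/debian/libfoo1-udeb@1.0?arch=amd64"),
                       mk("source-dep3", SRC), mk("binary-dep4")],   # binary-dep4: no PURL
        "dependencies": [{"ref": "doc2-root", "dependsOn": ["binary-dep3", "binary-dep4"]},
                         {"ref": "binary-dep3", "dependsOn": ["source-dep3"]}]}

def merge_sboms(docs, merged_ref="merged-doc-root"):
    """Hierarchical merge: input roots become first-level dependencies of a new
    root; components are matched by PURL only, the bom-ref from the earliest
    document is kept, and duplicate components and dependency edges are dropped."""
    by_purl = {}                 # purl -> canonical bom-ref (first document wins)
    alias = {}                   # every input bom-ref -> canonical bom-ref
    components = {}              # canonical bom-ref -> merged component dict
    deps = {merged_ref: set()}   # canonical bom-ref -> set of canonical dependsOn refs
    for doc in docs:
        for comp in [doc["root"], *doc["components"]]:
            ref, purl = comp["bom-ref"], comp.get("purl")
            if purl in by_purl:                       # identical package: merge contents
                canon = by_purl[purl]
                for key, value in comp.items():       # earlier document's fields win
                    components[canon].setdefault(key, value)
            else:                                     # new, or unmatched because no PURL
                canon = ref
                components[canon] = dict(comp)
                if purl:
                    by_purl[purl] = canon
            alias[ref] = canon
        deps[merged_ref].add(alias[doc["root"]["bom-ref"]])
        for dep in doc["dependencies"]:               # rewrite edges onto canonical refs
            targets = {alias[d] for d in dep["dependsOn"]}
            deps.setdefault(alias[dep["ref"]], set()).update(targets)
    return {"root": {"bom-ref": merged_ref, "name": merged_ref},
            "components": list(components.values()),
            "dependencies": [{"ref": r, "dependsOn": sorted(d)} for r, d in deps.items()]}

if __name__ == "__main__":
    print(json.dumps(merge_sboms([DOC1, DOC2]), indent=2))
```

Running it shows `source-dep3` disappearing from the component list while `binary-dep3` now depends on `source-dep1`, and `binary-dep4`, lacking a PURL, is kept as its own component.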

Note

Only SBOMs of the same type can be merged. Specifying both SPDX and CDX SBOMs will cause an error.

Merge multiple SBOMs into a single one.

usage: debsbom merge [-h] [-o OUT] [--distro-name DISTRO_NAME]
                     [--distro-supplier DISTRO_SUPPLIER]
                     [--distro-version DISTRO_VERSION]
                     [--base-distro-vendor {debian,ubuntu}]
                     [--cdx-standard {default,standard-bom}]
                     [--spdx-namespace SPDX_NAMESPACE]
                     [--cdx-serialnumber CDX_SERIALNUMBER]
                     [--timestamp TIMESTAMP] [--validate] [-t {cdx,spdx}]
                     SBOM [SBOM ...]

Positional Arguments

SBOM

SBOMs to merge, pass ‘-’ to also read SBOMs from stdin

Named Arguments

-o, --out

filename for output (default: ‘merged’). Use ‘-’ to write to stdout

Default: 'merged'

--distro-name

distro name (default: ‘Debian’)

Default: 'Debian'

--distro-supplier

supplier for the root component

--distro-version

version for the root component

--base-distro-vendor

Possible choices: debian, ubuntu

vendor of debian distribution (debian or ubuntu)

Default: 'debian'

--cdx-standard

Possible choices: default, standard-bom

generate SBOM according to this spec (only for CDX)

Default: 'default'

--spdx-namespace

document namespace, must be a valid URI (only for SPDX)

--cdx-serialnumber

document serial number, must be a UUID in 8-4-4-4-12 format (only for CDX)

--timestamp

document timestamp in ISO 8601 format

--validate

validate generated SBOM (only for SPDX)

Default: False

-t, --sbom-type

Possible choices: cdx, spdx

expected SBOM type when reading SBOMs from stdin (required whenever stdin is read)