trace-path command
Processes an SBOM and a package identifier and emits paths
from this package to the root. The textual outputs (text and ref)
are not considered stable and should not be parsed. The JSON output
is in json-lines format, whereby each line adheres to the
schema-download.json schema.
usage: debsbom trace-path [-h] [-t {cdx,spdx}] [--format {text,json,ref,dot}]
                          [--mode {shortest,all-shortest,all}]
                          [bomin] source
Positional Arguments
- bomin
sbom file(s) to process for ‘bomin’. Use ‘-’ to read from stdin
- source
source node (PURL)
Named Arguments
- -t, --sbom-type
Possible choices: cdx, spdx
SBOM type to process (default: auto-detect), required when reading from stdin
- --format
Possible choices: text, json, ref, dot
path output format (default: ‘text’)
Default:
'text'
- --mode
Possible choices: shortest, all-shortest, all
Default:
'shortest'
JSON Output Schema
When the application is run with JSON output enabled (via the --json flag),
status messages are emitted as single-line JSON objects to standard output.
Each line represents a single path from the package to the root.
The schema for these JSON objects is as follows:
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://github.com/siemens/debsbom/blob/main/src/debsbom/schema/schema-trace-path.json",
  "title": "Trace Path Result",
  "description": "List of components on a path between a source and a destination component",
  "type": "array",
  "items": {
    "type": "object",
    "required": ["name", "ref"],
    "properties": {
      "name": {
        "type": "string",
        "description": "Name of the component"
      },
      "ref": {
        "type": "string",
        "description": "Reference identifier for the component"
      },
      "version": {
        "type": ["string", "null"],
        "description": "Version of the component"
      },
      "maintainer": {
        "type": ["string", "null"],
        "description": "Maintainer of the component"
      },
      "purl": {
        "type": ["string", "null"],
        "description": "Package URL of the component"
      }
    }
  }
}
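A consumer for this output, as an added example (not debsbom's own code): it checks each json-lines record against the constraints in the schema above and lists the components that sit between the two endpoints of the traced paths. The sample records and the `parse_trace_paths` and `intermediates` names are constructed for illustration.

```python
import json

REQUIRED = ("name", "ref")                    # "required" in the schema
NULLABLE = ("version", "maintainer", "purl")  # ["string", "null"] in the schema

def parse_trace_paths(lines):
    """One list of component dicts per non-empty line; ValueError on violation."""
    paths = []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            path = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from exc
        if not isinstance(path, list):
            raise ValueError(f"line {lineno}: expected an array of components")
        for comp in path:
            if not isinstance(comp, dict):
                raise ValueError(f"line {lineno}: component is not an object")
            for key in REQUIRED:
                if not isinstance(comp.get(key), str):
                    raise ValueError(f"line {lineno}: '{key}' missing or not a string")
            for key in NULLABLE:
                # Optional keys may be absent, null, or a string.
                if not isinstance(comp.get(key), (str, type(None))):
                    raise ValueError(f"line {lineno}: '{key}' must be string or null")
        paths.append(path)
    return paths

def intermediates(paths):
    """Refs strictly between the two endpoints of any path, deduplicated."""
    return sorted({comp["ref"] for path in paths for comp in path[1:-1]})

# Constructed sample data shaped like the schema; not real debsbom output.
SAMPLE = [
    json.dumps([
        {"name": "libssl3", "ref": "ref-libssl3", "version": "3.0.11-1",
         "maintainer": None, "purl": "pkg:deb/debian/libssl3@3.0.11-1"},
        {"name": "curl", "ref": "ref-curl", "version": "7.88.1-10"},
        {"name": "image", "ref": "ref-root"},
    ]),
    json.dumps([
        {"name": "libssl3", "ref": "ref-libssl3"},
        {"name": "openssh-client", "ref": "ref-ssh", "purl": None},
        {"name": "image", "ref": "ref-root"},
    ]),
]
```

Rejecting a malformed record with its line number, rather than skipping it, keeps a truncated or tampered stream from silently shortening the list of affected components.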