git-pkgs 0.8.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e23d09227a873e67670fa403a6c81c4f93a301cfda036f62d8b02d4d7f1e0ce5
-  data.tar.gz: ae4c878fa0cca631cb5d0485ab4a5caa999300ba1afc564c6d23461527a487cf
+  metadata.gz: 3bd1b968e2bc7ed2d3ecbc8a750925afdea362ca1d0a01f6d69a6bf5aef58b02
+  data.tar.gz: 1deed6e6742a7977585c97db65fe13e649e4b5e3b6a0f9674f5352d977dc8fcf
 SHA512:
-  metadata.gz: 5a675b67669d345dc39419219adfe51d2c36b1167be446b7f1b937eab42b92c0d935ebd8102e534585760c5944de6059ac722818558090c504758fc4ca7d9388
-  data.tar.gz: 7cb84ae314e29ed3cbf0c360ddcd79f43174ce153fca35af476693a6f37a98c84e297b8b3bf3543150e546df2459e69fbcae371959cd4dac04d2aa7d139f1969
+  metadata.gz: 5d7ed904f5e7b3fc0b7a7054d596dfe59d1918f30d493ac5613cea125c41f9b38ab22daab2c84a5536b55030ca407334b01e6d0bd79bc828a371abfdccf5a16d
+  data.tar.gz: e1170c4c9eeb345730e9ab614536c6431f1c56ee9bafc8bdff111e7df3bf8f577149ba1f94a77787ace083ee401b2980978148f76e85d16c5a3a1101902a2a08

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 ## [Unreleased]
 
+## [0.9.0] - 2026-01-14
+
+- `git pkgs sbom` command to export dependencies as SPDX or CycloneDX
+- `git pkgs integrity` command to show and verify lockfile integrity hashes
+- Parse go.sum for Go module integrity hashes (no longer ignored)
+- Convert Go h1: hashes (base64) to hex for SBOM compatibility
+- `--drift` flag to detect packages with different hashes for the same version
+- Registry integrity comparison via ecosyste.ms API
+- Store integrity hashes from lockfiles in dependency_snapshots table
+- SBOM export includes supplier info from ecosyste.ms (owner/maintainer)
+- License commands use version-level license data when available
+- Store supplier_name and supplier_type on packages (schema v5, run `git pkgs upgrade`)
+- Update ecosystems-bibliothecary to ~> 15.3 (integrity extraction from lockfiles)
+- Update purl to >= 1.7.1 (ecosyste.ms API URL support)
+
 ## [0.8.0] - 2026-01-14
 
 - `git pkgs outdated` command to find dependencies with newer versions available in registries

data/Formula/git-pkgs.rb

@@ -1,8 +1,8 @@
 class GitPkgs < Formula
   desc "Track package dependencies across git history"
   homepage "https://github.com/andrew/git-pkgs"
-  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.7.0.tar.gz"
-  sha256 "5c5aebf75e9570945b324777e5fa33cd5e35d31f6172c2415a4bd91db02477cc"
+  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.8.0.tar.gz"
+  sha256 "b2e8ebfefc86fd137fb76225934c0fe2a1e01b2fcaac88a91f1134eecc4e9e71"
   license "AGPL-3.0"
 
   depends_on "cmake" => :build

data/README.md

@@ -322,6 +322,33 @@ Output formats: `text` (default), `json`, and `sarif`. SARIF integrates with Git
 
 Vulnerability data is cached locally and refreshed automatically when stale (>24h). Use `git pkgs vulns sync --refresh` to force an update. See [docs/vulns.md](docs/vulns.md) for full documentation.
 
+### Integrity verification
+
+Show SHA256 hashes from lockfiles. Modern lockfiles include checksums that verify package contents haven't been tampered with.
+
+```bash
+git pkgs integrity              # show hashes for current dependencies
+git pkgs integrity --drift      # detect same version with different hashes
+git pkgs integrity -f json      # JSON output
+git pkgs integrity --stateless  # no database needed
+```
+
+The `--drift` flag scans your history for packages where the same version has different integrity hashes, which could indicate a supply chain issue.
+
+### SBOM export
+
+Export dependencies as a Software Bill of Materials in CycloneDX or SPDX format:
+
+```bash
+git pkgs sbom                      # CycloneDX JSON (default)
+git pkgs sbom --type spdx          # SPDX JSON
+git pkgs sbom -f xml               # XML instead of JSON
+git pkgs sbom --name my-project    # custom project name
+git pkgs sbom --stateless          # no database needed
+```
+
+Includes package URLs (purls), versions, and licenses (fetched from registries). Use `--skip-enrichment` to omit license lookups.
+
 ### Diff between commits
 
 ```bash

data/lib/git/pkgs/analyzer.rb

@@ -141,7 +141,8 @@ module Git
               purl: generate_purl(result[:platform], dep[:name]),
               change_type: "added",
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
 
             key = [manifest_path, dep[:name]]
@@ -150,7 +151,8 @@ module Git
               kind: result[:kind],
               purl: generate_purl(result[:platform], dep[:name]),
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
           end
         end
@@ -179,7 +181,8 @@ module Git
               purl: generate_purl(after_result[:platform], name),
               change_type: "added",
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
 
             key = [manifest_path, name]
@@ -188,7 +191,8 @@ module Git
               kind: after_result[:kind],
               purl: generate_purl(after_result[:platform], name),
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
           end
 
@@ -202,7 +206,8 @@ module Git
               purl: generate_purl(before_result[:platform], name),
               change_type: "removed",
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
 
             key = [manifest_path, name]
@@ -223,7 +228,8 @@ module Git
                 change_type: "modified",
                 requirement: after_dep[:requirement],
                 previous_requirement: before_dep[:requirement],
-                dependency_type: after_dep[:type]
+                dependency_type: after_dep[:type],
+                integrity: after_dep[:integrity]
               }
 
               key = [manifest_path, name]
@@ -232,7 +238,8 @@ module Git
                 kind: after_result[:kind],
                 purl: generate_purl(after_result[:platform], name),
                 requirement: after_dep[:requirement],
-                dependency_type: after_dep[:type]
+                dependency_type: after_dep[:type],
+                integrity: after_dep[:integrity]
               }
             end
           end
@@ -252,7 +259,8 @@ module Git
               purl: generate_purl(result[:platform], dep[:name]),
               change_type: "removed",
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
 
             key = [manifest_path, dep[:name]]
@@ -329,7 +337,8 @@ module Git
               kind: result[:kind],
               purl: generate_purl(result[:platform], dep[:name]),
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
           end
         end

data/lib/git/pkgs/cli.rb

@@ -35,7 +35,9 @@ module Git
           "stats" => "Show dependency statistics",
           "stale" => "Show dependencies that haven't been updated",
           "outdated" => "Show packages with newer versions available",
-          "licenses" => "Show licenses for dependencies"
+          "licenses" => "Show licenses for dependencies",
+          "integrity" => "Show and verify lockfile integrity hashes",
+          "sbom" => "Export dependencies as SBOM (SPDX or CycloneDX)"
         },
         "Security" => {
           "vulns" => "Scan for known vulnerabilities"

data/lib/git/pkgs/commands/branch.rb

@@ -191,6 +191,7 @@ module Git
                     ecosystem: s[:ecosystem],
                     requirement: s[:requirement],
                     dependency_type: s[:dependency_type],
+                    integrity: s[:integrity],
                     created_at: now,
                     updated_at: now
                   }
@@ -266,7 +267,8 @@ module Git
                     name: name,
                     ecosystem: dep_info[:ecosystem],
                     requirement: dep_info[:requirement],
-                    dependency_type: dep_info[:dependency_type]
+                    dependency_type: dep_info[:dependency_type],
+                    integrity: dep_info[:integrity]
                   }
                 end
                 snapshots_stored += snapshot.size
@@ -286,7 +288,8 @@ module Git
                   name: name,
                   ecosystem: dep_info[:ecosystem],
                   requirement: dep_info[:requirement],
-                  dependency_type: dep_info[:dependency_type]
+                  dependency_type: dep_info[:dependency_type],
+                  integrity: dep_info[:integrity]
                 }
               end
               snapshots_stored += snapshot.size

data/lib/git/pkgs/commands/init.rb

@@ -125,6 +125,7 @@ module Git
                     purl: s[:purl],
                     requirement: s[:requirement],
                     dependency_type: s[:dependency_type],
+                    integrity: s[:integrity],
                     created_at: now,
                     updated_at: now
                   }
@@ -207,7 +208,8 @@ module Git
                     ecosystem: dep_info[:ecosystem],
                     purl: dep_info[:purl],
                     requirement: dep_info[:requirement],
-                    dependency_type: dep_info[:dependency_type]
+                    dependency_type: dep_info[:dependency_type],
+                    integrity: dep_info[:integrity]
                   }
                 end
                 snapshots_stored += snapshot.size
@@ -228,7 +230,8 @@ module Git
                   ecosystem: dep_info[:ecosystem],
                   purl: dep_info[:purl],
                   requirement: dep_info[:requirement],
-                  dependency_type: dep_info[:dependency_type]
+                  dependency_type: dep_info[:dependency_type],
+                  integrity: dep_info[:integrity]
                 }
               end
               snapshots_stored += snapshot.size

data/lib/git/pkgs/commands/integrity.rb

@@ -0,0 +1,288 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Commands
+      class Integrity
+        include Output
+
+        def self.description
+          "Show and verify lockfile integrity hashes"
+        end
+
+        def initialize(args)
+          @args = args
+          @options = parse_options
+        end
+
+        def run
+          repo = Repository.new
+          use_stateless = @options[:stateless] || !Database.exists?(repo.git_dir)
+
+          if @options[:drift]
+            error "--drift requires database (run 'git pkgs init' first)" if use_stateless
+            run_drift_detection(repo)
+          else
+            run_show(repo, use_stateless)
+          end
+        end
+
+        def run_show(repo, use_stateless)
+          if use_stateless
+            deps = run_stateless(repo)
+          else
+            deps = run_with_database(repo)
+          end
+
+          # Filter to only lockfile deps with integrity
+          deps = Analyzer.lockfile_dependencies(deps)
+          deps = deps.select { |d| d[:integrity] }
+
+          if @options[:ecosystem]
+            deps = deps.select { |d| d[:ecosystem] == @options[:ecosystem] }
+          end
+
+          if deps.empty?
+            empty_result "No dependencies with integrity hashes found"
+            return
+          end
+
+          if @options[:format] == "json"
+            require "json"
+            puts JSON.pretty_generate(deps.map { |d| format_dep_json(d) })
+          else
+            paginate { output_text(deps) }
+          end
+        end
+
+        def run_stateless(repo)
+          commit_sha = @options[:ref] || repo.head_sha
+          rugged_commit = repo.lookup(repo.rev_parse(commit_sha))
+          error "Could not resolve '#{commit_sha}'" unless rugged_commit
+
+          analyzer = Analyzer.new(repo)
+          analyzer.dependencies_at_commit(rugged_commit)
+        end
+
+        def run_with_database(repo)
+          Database.connect(repo.git_dir)
+
+          commit_sha = @options[:ref] || repo.head_sha
+          target_commit = Models::Commit.first(sha: commit_sha)
+          error "Commit not in database. Run 'git pkgs update' first." unless target_commit
+
+          compute_dependencies_at_commit(target_commit, repo)
+        end
+
+        def run_drift_detection(repo)
+          Database.connect(repo.git_dir)
+
+          # Get unique (purl, requirement, integrity) from snapshots
+          results = Database.db[:dependency_snapshots]
+            .exclude(integrity: nil)
+            .select(:purl, :requirement, :integrity)
+            .distinct
+            .all
+
+          # Build versioned purls and group
+          by_versioned_purl = {}
+          results.each do |r|
+            versioned_purl = "#{r[:purl]}@#{r[:requirement]}"
+            by_versioned_purl[versioned_purl] ||= { purl: r[:purl], version: r[:requirement], lockfile_integrities: [] }
+            by_versioned_purl[versioned_purl][:lockfile_integrities] << r[:integrity]
+          end
+
+          # Dedupe lockfile integrities
+          by_versioned_purl.each { |_, v| v[:lockfile_integrities].uniq! }
+
+          # Find internal drift (same version with different lockfile hashes)
+          internal_drifts = by_versioned_purl.select { |_, v| v[:lockfile_integrities].size > 1 }
+
+          # Fetch registry integrity for comparison
+          registry_mismatches = []
+          purls_to_check = by_versioned_purl.keys
+
+          if purls_to_check.any?
+            Spinner.with_spinner("Fetching registry integrity...") do
+              client = EcosystemsClient.new
+              purls_to_check.each do |versioned_purl|
+                data = by_versioned_purl[versioned_purl]
+                version_info = client.lookup_version(versioned_purl)
+                next unless version_info && version_info["integrity"]
+
+                registry_integrity = version_info["integrity"]
+                lockfile_integrity = data[:lockfile_integrities].first
+
+                unless integrity_match?(lockfile_integrity, registry_integrity)
+                  registry_mismatches << {
+                    purl: versioned_purl,
+                    lockfile: lockfile_integrity,
+                    registry: registry_integrity
+                  }
+                end
+              end
+            end
+          end
+
+          if internal_drifts.empty? && registry_mismatches.empty?
+            info "No integrity drift detected"
+            return
+          end
+
+          if @options[:format] == "json"
+            require "json"
+            output = {
+              internal_drift: internal_drifts.map { |purl, v| { purl: purl, integrity_values: v[:lockfile_integrities] } },
+              registry_mismatch: registry_mismatches
+            }
+            puts JSON.pretty_generate(output)
+          else
+            paginate { output_drift_text(internal_drifts, registry_mismatches) }
+          end
+        end
+
+        def integrity_match?(lockfile, registry)
+          normalize_integrity(lockfile) == normalize_integrity(registry)
+        end
+
+        def normalize_integrity(integrity)
+          return nil unless integrity
+          # Normalize sha256= vs sha256- format
+          integrity.gsub(/^sha256[-=]/, "sha256:")
+        end
+
+        def output_text(deps)
+          grouped = deps.group_by { |d| d[:ecosystem] }
+
+          grouped.each do |ecosystem, ecosystem_deps|
+            puts "#{ecosystem}:"
+            ecosystem_deps.sort_by { |d| d[:name] }.each do |dep|
+              puts "  #{dep[:name]} #{dep[:requirement]}"
+              puts "    #{dep[:integrity]}"
+            end
+            puts
+          end
+        end
+
+        def output_drift_text(internal_drifts, registry_mismatches)
+          if internal_drifts.any?
+            puts Color.red("Internal drift (same version, different lockfile hashes):")
+            puts
+            internal_drifts.each do |purl, data|
+              puts "  #{purl}"
+              data[:lockfile_integrities].each do |integrity|
+                puts "    #{integrity}"
+              end
+              puts
+            end
+          end
+
+          if registry_mismatches.any?
+            puts Color.red("Registry mismatch (lockfile differs from registry):")
+            puts
+            registry_mismatches.each do |mismatch|
+              puts "  #{mismatch[:purl]}"
+              puts "    lockfile: #{mismatch[:lockfile]}"
+              puts "    registry: #{mismatch[:registry]}"
+              puts
+            end
+          end
+
+          total = internal_drifts.size + registry_mismatches.size
+          puts "#{total} integrity issue(s) found"
+        end
+
+        def format_dep_json(dep)
+          {
+            name: dep[:name],
+            version: dep[:requirement],
+            ecosystem: dep[:ecosystem],
+            purl: dep[:purl],
+            integrity: dep[:integrity],
+            manifest: dep[:manifest_path]
+          }
+        end
+
+        def compute_dependencies_at_commit(target_commit, repo)
+          branch_name = @options[:branch] || repo.default_branch
+          branch = Models::Branch.first(name: branch_name)
+          return [] unless branch
+
+          snapshot_commit = branch.commits_dataset
+            .join(:dependency_snapshots, commit_id: :id)
+            .where { Sequel[:commits][:committed_at] <= target_commit.committed_at }
+            .order(Sequel.desc(Sequel[:commits][:committed_at]))
+            .distinct
+            .first
+
+          deps = {}
+          if snapshot_commit
+            snapshot_commit.dependency_snapshots.each do |s|
+              key = [s.manifest.path, s.name]
+              deps[key] = {
+                manifest_path: s.manifest.path,
+                name: s.name,
+                ecosystem: s.ecosystem,
+                kind: s.manifest.kind,
+                manifest_kind: s.manifest.kind,
+                purl: s.purl,
+                requirement: s.requirement,
+                dependency_type: s.dependency_type,
+                integrity: s.integrity
+              }
+            end
+          end
+
+          deps.values
+        end
+
+        def parse_options
+          options = {}
+
+          parser = OptionParser.new do |opts|
+            opts.banner = "Usage: git pkgs integrity [options]"
+            opts.separator ""
+            opts.separator "Show integrity hashes from lockfiles. Hashes come from lockfile checksums"
+            opts.separator "(Gemfile.lock CHECKSUMS, package-lock.json integrity fields, etc.)"
+
+            opts.on("-r", "--ref=REF", "Git ref to check (default: HEAD)") do |v|
+              options[:ref] = v
+            end
+
+            opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v|
+              options[:ecosystem] = v
+            end
+
+            opts.on("-b", "--branch=NAME", "Branch context for database queries") do |v|
+              options[:branch] = v
+            end
+
+            opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v|
+              options[:format] = v
+            end
+
+            opts.on("--drift", "Detect packages with different hashes for same version") do
+              options[:drift] = true
+            end
+
+            opts.on("--stateless", "Parse manifests directly without database") do
+              options[:stateless] = true
+            end
+
+            opts.on("--no-pager", "Do not pipe output into a pager") do
+              options[:no_pager] = true
+            end
+
+            opts.on("-h", "--help", "Show this help") do
+              puts opts
+              exit
+            end
+          end
+
+          parser.parse!(@args)
+          options
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/commands/licenses.rb

@@ -118,9 +118,11 @@ module Git
           end
 
           packages = deps.map do |dep|
-            purl = PurlHelper.build_purl(ecosystem: dep[:ecosystem], name: dep[:name]).to_s
+            versioned_purl = PurlHelper.build_purl(ecosystem: dep[:ecosystem], name: dep[:name], version: dep[:requirement])
+            base_purl = PurlHelper.build_purl(ecosystem: dep[:ecosystem], name: dep[:name])
             {
-              purl: purl,
+              purl: versioned_purl.to_s,
+              base_purl: base_purl.to_s,
               name: dep[:name],
               ecosystem: dep[:ecosystem],
               version: dep[:requirement],
@@ -128,11 +130,9 @@ module Git
             }
           end.uniq { |p| p[:purl] }
 
-          enrich_packages(packages.map { |p| p[:purl] })
+          enrich_packages(packages)
 
           packages.each do |pkg|
-            db_pkg = Models::Package.first(purl: pkg[:purl])
-            pkg[:license] = db_pkg&.license
             pkg[:violation] = check_violation(pkg[:license])
           end
 
@@ -183,9 +183,14 @@ module Git
           license.downcase.include?(pattern.downcase)
         end
 
-        def enrich_packages(purls)
+        def enrich_packages(packages)
+          client = EcosystemsClient.new
+
+          # Enrich package-level data (license, latest version)
+          base_purls = packages.map { |p| p[:base_purl] }.uniq
+
           packages_by_purl = {}
-          purls.each do |purl|
+          base_purls.each do |purl|
             parsed = Purl::PackageURL.parse(purl)
             ecosystem = PurlHelper::ECOSYSTEM_TO_PURL_TYPE.invert[parsed.type] || parsed.type
             pkg = Models::Package.find_or_create_by_purl(
@@ -196,19 +201,52 @@ module Git
             packages_by_purl[purl] = pkg
           end
 
-          stale_purls = packages_by_purl.select { |_, pkg| pkg.needs_enrichment? }.keys
-          return if stale_purls.empty?
+          stale_pkg_purls = packages_by_purl.select { |_, pkg| pkg.needs_enrichment? }.keys
 
-          client = EcosystemsClient.new
-          begin
-            results = Spinner.with_spinner("Fetching package metadata...") do
-              client.bulk_lookup(stale_purls)
+          if stale_pkg_purls.any?
+            begin
+              results = Spinner.with_spinner("Fetching package metadata...") do
+                client.bulk_lookup(stale_pkg_purls)
+              end
+              results.each do |purl, data|
+                packages_by_purl[purl]&.enrich_from_api(data)
+              end
+            rescue EcosystemsClient::ApiError => e
+              $stderr.puts "Warning: Could not fetch package data: #{e.message}" unless Git::Pkgs.quiet
             end
-            results.each do |purl, data|
-              packages_by_purl[purl]&.enrich_from_api(data)
+          end
+
+          # Enrich version-level data (license, integrity, published_at)
+          versions_by_purl = {}
+          packages.each do |pkg|
+            version = Models::Version.find_or_create_by_purl(
+              purl: pkg[:purl],
+              package_purl: pkg[:base_purl]
+            )
+            versions_by_purl[pkg[:purl]] = version
+          end
+
+          stale_version_purls = versions_by_purl.select { |_, v| v.needs_enrichment? }.keys
+
+          if stale_version_purls.any?
+            begin
+              Spinner.with_spinner("Fetching version metadata...") do
+                stale_version_purls.each do |purl|
+                  data = client.lookup_version(purl)
+                  versions_by_purl[purl]&.enrich_from_api(data) if data
+                end
+              end
+            rescue EcosystemsClient::ApiError => e
+              $stderr.puts "Warning: Could not fetch version data: #{e.message}" unless Git::Pkgs.quiet
             end
-          rescue EcosystemsClient::ApiError => e
-            $stderr.puts "Warning: Could not fetch package data: #{e.message}" unless Git::Pkgs.quiet
+          end
+
+          # Apply enriched data to packages - version license takes priority
+          packages.each do |pkg|
+            db_pkg = packages_by_purl[pkg[:base_purl]]
+            db_version = versions_by_purl[pkg[:purl]]
+
+            pkg[:license] = db_version&.license || db_pkg&.license
           end
         end
 

data/lib/git/pkgs/commands/sbom.rb

@@ -0,0 +1,325 @@
+# frozen_string_literal: true
+
+require "optparse"
+require "sbom"
+
+module Git
+  module Pkgs
+    module Commands
+      class Sbom
+        include Output
+
+        def self.description
+          "Export dependencies as SBOM (SPDX or CycloneDX)"
+        end
+
+        def initialize(args)
+          @args = args.dup
+          @options = parse_options
+        end
+
+        def run
+          repo = Repository.new
+          use_stateless = @options[:stateless] || !Database.exists?(repo.git_dir)
+
+          if use_stateless
+            Database.connect_memory
+            deps = get_dependencies_stateless(repo)
+          else
+            Database.connect(repo.git_dir)
+            deps = get_dependencies_with_database(repo)
+          end
+
+          if deps.empty?
+            empty_result "No dependencies found"
+            return
+          end
+
+          if @options[:ecosystem]
+            deps = deps.select { |d| d[:ecosystem].downcase == @options[:ecosystem].downcase }
+          end
+
+          deps = Analyzer.pair_manifests_with_lockfiles(deps)
+
+          if deps.empty?
+            empty_result "No dependencies found"
+            return
+          end
+
+          packages = build_packages(deps)
+          enrich_packages(packages) unless @options[:skip_enrichment]
+
+          output_sbom(repo, packages)
+        end
+
+        def build_packages(deps)
+          deps.map do |dep|
+            purl = PurlHelper.build_purl(ecosystem: dep[:ecosystem], name: dep[:name], version: dep[:requirement])
+            {
+              purl: purl.to_s,
+              name: dep[:name],
+              ecosystem: dep[:ecosystem],
+              version: dep[:requirement],
+              integrity: dep[:integrity]
+            }
+          end.uniq { |p| p[:purl] }
+        end
+
+        def enrich_packages(packages)
+          client = EcosystemsClient.new
+
+          # Enrich package-level data (license, latest version)
+          base_purls = packages.map { |p| PurlHelper.build_purl(ecosystem: p[:ecosystem], name: p[:name]).to_s }
+
+          packages_by_purl = {}
+          base_purls.each do |purl|
+            parsed = Purl::PackageURL.parse(purl)
+            ecosystem = PurlHelper::ECOSYSTEM_TO_PURL_TYPE.invert[parsed.type] || parsed.type
+            pkg = Models::Package.find_or_create_by_purl(
+              purl: purl,
+              ecosystem: ecosystem,
+              name: parsed.name
+            )
+            packages_by_purl[purl] = pkg
+          end
+
+          stale_pkg_purls = packages_by_purl.select { |_, pkg| pkg.needs_enrichment? }.keys
+
+          if stale_pkg_purls.any?
+            begin
+              results = Spinner.with_spinner("Fetching package metadata...") do
+                client.bulk_lookup(stale_pkg_purls)
+              end
+              results.each do |purl, data|
+                packages_by_purl[purl]&.enrich_from_api(data)
+              end
+            rescue EcosystemsClient::ApiError => e
+              $stderr.puts "Warning: Could not fetch package data: #{e.message}" unless Git::Pkgs.quiet
+            end
+          end
+
+          # Enrich version-level data (integrity, published_at)
+          versions_by_purl = {}
+          packages.each do |pkg|
+            base_purl = PurlHelper.build_purl(ecosystem: pkg[:ecosystem], name: pkg[:name]).to_s
+            version = Models::Version.find_or_create_by_purl(
+              purl: pkg[:purl],
+              package_purl: base_purl
+            )
+            versions_by_purl[pkg[:purl]] = version
+          end
+
+          stale_version_purls = versions_by_purl.select { |_, v| v.needs_enrichment? }.keys
+
+          if stale_version_purls.any?
+            begin
+              Spinner.with_spinner("Fetching version metadata...") do
+                stale_version_purls.each do |purl|
+                  data = client.lookup_version(purl)
+                  versions_by_purl[purl]&.enrich_from_api(data) if data
+                end
+              end
+            rescue EcosystemsClient::ApiError => e
+              $stderr.puts "Warning: Could not fetch version data: #{e.message}" unless Git::Pkgs.quiet
+            end
+          end
+
+          # Apply enriched data to packages
+          packages.each do |pkg|
+            base_purl = PurlHelper.build_purl(ecosystem: pkg[:ecosystem], name: pkg[:name]).to_s
+            db_pkg = packages_by_purl[base_purl]
+            db_version = versions_by_purl[pkg[:purl]]
+
+            pkg[:license] ||= db_version&.license || db_pkg&.license
+            pkg[:integrity] ||= db_version&.integrity
+            pkg[:supplier_name] ||= db_pkg&.supplier_name
+            pkg[:supplier_type] ||= db_pkg&.supplier_type
+          end
+        end
+
+        def output_sbom(repo, packages)
+          sbom_type = @options[:type]&.to_sym || :cyclonedx
+          format = @options[:format]&.to_sym || :json
+
+          generator = ::Sbom::Generator.new(sbom_type: sbom_type, format: format)
+
+          sbom_packages = packages.map do |pkg|
+            sbom_pkg = ::Sbom::Data::Package.new
+            sbom_pkg.name = pkg[:name]
+            sbom_pkg.version = pkg[:version]
+            sbom_pkg.purl = pkg[:purl]
+            sbom_pkg.license_concluded = pkg[:license] if pkg[:license]
+
+            if pkg[:supplier_name]
+              sbom_pkg.set_supplier(pkg[:supplier_type] || "organization", pkg[:supplier_name])
+            end
+
+            if pkg[:integrity]
+              algorithm, hash = parse_integrity(pkg[:integrity])
+              sbom_pkg.add_checksum(algorithm, hash) if algorithm && hash
+            end
+
+            sbom_pkg
+          end
+
+          project_name = @options[:name] || File.basename(repo.path)
+          generator.generate(project_name, { packages: sbom_packages })
+          puts generator.output
+        end
+
+        def parse_integrity(integrity)
+          return nil unless integrity
+
+          case integrity
+          when /^sha256[-:=](.+)$/i
+            ["SHA256", $1]
+          when /^sha512[-:=](.+)$/i
+            ["SHA512", $1]
+          when /^sha1[-:=](.+)$/i
+            ["SHA1", $1]
+          when /^md5[-:=](.+)$/i
+            ["MD5", $1]
+          when /^h1:(.+)$/
+            # Go modules use base64-encoded SHA256 in go.sum
+            # SPDX/CycloneDX require hex, so convert
+            require "base64"
+            hex = Base64.decode64($1).unpack1("H*")
+            ["SHA256", hex]
+          else
+            nil
+          end
+        end
+
+        def parse_options
+          options = {}
+
+          parser = OptionParser.new do |opts|
+            opts.banner = "Usage: git pkgs sbom [options]"
+            opts.separator ""
+            opts.separator "Export dependencies as SBOM (Software Bill of Materials)."
+            opts.separator ""
+            opts.separator "Options:"
+
+            opts.on("-t", "--type=TYPE", "SBOM type: cyclonedx (default) or spdx") do |v|
+              options[:type] = v.downcase
+            end
+
+            opts.on("-f", "--format=FORMAT", "Output format: json (default) or xml") do |v|
+              options[:format] = v.downcase
+            end
+
+            opts.on("-n", "--name=NAME", "Project name (default: repository directory name)") do |v|
+              options[:name] = v
+            end
+
+            opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v|
+              options[:ecosystem] = v
+            end
+
+            opts.on("-r", "--ref=REF", "Git ref to export (default: HEAD)") do |v|
+              options[:ref] = v
+            end
+
+            opts.on("--skip-enrichment", "Skip fetching license data from registries") do
+              options[:skip_enrichment] = true
+            end
+
+            opts.on("--stateless", "Parse manifests directly without database") do
+              options[:stateless] = true
+            end
+
+            opts.on("-h", "--help", "Show this help") do
+              puts opts
+              exit
+            end
+          end
+
+          parser.parse!(@args)
+          options
+        end
+
+        def get_dependencies_stateless(repo)
+          ref = @options[:ref] || "HEAD"
+          commit_sha = repo.rev_parse(ref)
+          rugged_commit = repo.lookup(commit_sha)
+
+          error "Could not resolve '#{ref}'" unless rugged_commit
+
+          analyzer = Analyzer.new(repo)
+          analyzer.dependencies_at_commit(rugged_commit)
+        end
+
+        def get_dependencies_with_database(repo)
+          ref = @options[:ref] || "HEAD"
+          commit_sha = repo.rev_parse(ref)
+          target_commit = Models::Commit.first(sha: commit_sha)
+
+          return get_dependencies_stateless(repo) unless target_commit
+
+          branch_name = repo.default_branch
+          branch = Models::Branch.first(name: branch_name)
+          return [] unless branch
+
+          compute_dependencies_at_commit(target_commit, branch)
+        end
+
+        def compute_dependencies_at_commit(target_commit, branch)
+          snapshot_commit = branch.commits_dataset
+            .join(:dependency_snapshots, commit_id: :id)
+            .where { Sequel[:commits][:committed_at] <= target_commit.committed_at }
+            .order(Sequel.desc(Sequel[:commits][:committed_at]))
+            .distinct
+            .first
+
+          deps = {}
+          if snapshot_commit
+            snapshot_commit.dependency_snapshots.each do |s|
+              key = [s.manifest.path, s.name]
+              deps[key] = {
+                manifest_path: s.manifest.path,
+                manifest_kind: s.manifest.kind,
+                name: s.name,
+                ecosystem: s.ecosystem,
+                requirement: s.requirement,
+                dependency_type: s.dependency_type,
+                integrity: s.integrity
+              }
+            end
+          end
+
+          if snapshot_commit && snapshot_commit.id != target_commit.id
+            commit_ids = branch.commits_dataset.select_map(Sequel[:commits][:id])
+            changes = Models::DependencyChange
+              .join(:commits, id: :commit_id)
+              .where(Sequel[:commits][:id] => commit_ids)
+              .where { Sequel[:commits][:committed_at] > snapshot_commit.committed_at }
+              .where { Sequel[:commits][:committed_at] <= target_commit.committed_at }
+              .order(Sequel[:commits][:committed_at])
+              .eager(:manifest)
+              .all
+
+            changes.each do |change|
+              key = [change.manifest.path, change.name]
+              case change.change_type
+              when "added", "modified"
+                deps[key] = {
+                  manifest_path: change.manifest.path,
+                  manifest_kind: change.manifest.kind,
+                  name: change.name,
+                  ecosystem: change.ecosystem,
+                  requirement: change.requirement,
+                  dependency_type: change.dependency_type,
+                  integrity: nil
+                }
+              when "removed"
+                deps.delete(key)
+              end
+            end
+          end
+
+          deps.values
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/commands/update.rb

@@ -43,7 +43,8 @@ module Git
                 ecosystem: s.ecosystem,
                 purl: s.purl,
                 requirement: s.requirement,
-                dependency_type: s.dependency_type
+                dependency_type: s.dependency_type,
+                integrity: s.integrity
               }
             end
           end
@@ -110,6 +111,7 @@ module Git
                     s.purl = dep_info[:purl]
                     s.requirement = dep_info[:requirement]
                     s.dependency_type = dep_info[:dependency_type]
+                    s.integrity = dep_info[:integrity]
                   end
                 end
               end

data/lib/git/pkgs/commands/vulns/praise.rb

@@ -68,6 +68,8 @@ module Git
             error "No analysis found for branch '#{branch_name}'. Run 'git pkgs init' first."
           end
 
+          ensure_vulns_synced
+
           # Get all unique packages from dependency changes
           packages = Models::DependencyChange
             .select(:ecosystem, :name)

data/lib/git/pkgs/config.rb

@@ -6,7 +6,7 @@ require "open3"
 module Git
   module Pkgs
     module Config
-      # File patterns ignored by default (SBOM formats not supported, go.sum is checksums only)
+      # File patterns ignored by default (SBOM formats duplicate info from actual lockfiles)
       DEFAULT_IGNORED_FILES = %w[
         cyclonedx.xml
         cyclonedx.json
@@ -14,7 +14,6 @@ module Git
         *.cdx.json
         *.spdx
         *.spdx.json
-        go.sum
       ].freeze
 
       def self.ignored_dirs

data/lib/git/pkgs/database.rb

@@ -15,7 +15,7 @@ module Git
   module Pkgs
     class Database
       DB_FILE = "pkgs.sqlite3"
-      SCHEMA_VERSION = 3
+      SCHEMA_VERSION = 5
 
       class << self
         attr_accessor :db
@@ -179,6 +179,7 @@ module Git
           String :purl
           String :requirement
           String :dependency_type
+          String :integrity, text: true
           DateTime :created_at
           DateTime :updated_at
         end
@@ -193,6 +194,8 @@ module Git
           String :description, text: true
           String :homepage
           String :repository_url
+          String :supplier_name
+          String :supplier_type
           String :source
           DateTime :enriched_at
           DateTime :vulns_synced_at
@@ -291,21 +294,12 @@ module Git
       def self.check_version!
         return unless needs_upgrade?
 
-        migrate!
-      end
-
-      def self.migrate!
         stored = stored_version || 0
-
-        # Migration from v1 to v2: add vuln tables
-        if stored < 2
-          migrate_to_v2!
-        end
-
-        set_version
-        refresh_models
+        raise SchemaVersionError, "Database schema is v#{stored}, expected v#{SCHEMA_VERSION}. Run 'git pkgs upgrade' to rebuild."
       end
 
+      # Legacy migration kept for reference, no longer used.
+      # All schema changes now require full rebuild via 'git pkgs upgrade'.
       def self.migrate_to_v2!
         @db.create_table?(:packages) do
           primary_key :id

data/lib/git/pkgs/ecosystems_client.rb

@@ -47,8 +47,54 @@ module Git
         results[purl]
       end
 
+      # Lookup a specific version by purl with version.
+      # Returns version-level data including integrity hash.
+      #
+      # @param purl [String] package URL with version (e.g., "pkg:gem/rake@13.3.1")
+      # @return [Hash, nil] version data or nil if not found
+      def lookup_version(purl)
+        parsed = Purl.parse(purl)
+        return nil unless parsed.version
+
+        url = parsed.ecosystems_version_api_url
+        return nil unless url
+
+        fetch_url(url)
+      rescue Purl::Error
+        nil
+      end
+
+      # Batch lookup versions by purl.
+      # Fetches each version individually (no batch API for versions).
+      #
+      # @param purls [Array<String>] array of versioned package URLs
+      # @return [Hash<String, Hash>] hash keyed by purl with version data
+      def bulk_lookup_versions(purls)
+        results = {}
+        purls.each do |purl|
+          data = lookup_version(purl)
+          results[purl] = data if data
+        end
+        results
+      end
+
       private
 
+      def fetch_url(url)
+        uri = URI(url)
+        request = Net::HTTP::Get.new(uri)
+        request["Accept"] = "application/json"
+        execute_request(uri, request)
+      end
+
+      def get(path)
+        uri = URI("#{API_BASE}#{path}")
+        request = Net::HTTP::Get.new(uri)
+        request["Accept"] = "application/json"
+
+        execute_request(uri, request)
+      end
+
       def post(path, payload)
         uri = URI("#{API_BASE}#{path}")
         request = Net::HTTP::Post.new(uri)

data/lib/git/pkgs/models/package.rb

@@ -56,16 +56,39 @@ module Git
 
         # Update package with data from ecosyste.ms API
         def enrich_from_api(data)
+          supplier_name, supplier_type = extract_supplier(data)
+
           update(
             latest_version: data["latest_release_number"],
             license: (data["normalized_licenses"] || []).first,
             description: data["description"],
             homepage: data["homepage"],
             repository_url: data["repository_url"],
+            supplier_name: supplier_name,
+            supplier_type: supplier_type,
             enriched_at: Time.now
           )
         end
 
+        # Extract supplier info from API response
+        # Prefers owner_record (org), falls back to first maintainer
+        def extract_supplier(data)
+          owner = data["owner_record"]
+          if owner && owner["name"]
+            type = owner["kind"] == "organization" ? "organization" : "person"
+            return [owner["name"], type]
+          end
+
+          maintainers = data["maintainers"]
+          if maintainers&.any?
+            first = maintainers.first
+            name = first["name"] || first["login"]
+            return [name, "person"] if name
+          end
+
+          [nil, nil]
+        end
+
         def vulnerabilities
           osv_ecosystem = Ecosystems.to_osv(ecosystem)
           return [] unless osv_ecosystem

data/lib/git/pkgs/models/version.rb

@@ -4,6 +4,8 @@ module Git
   module Pkgs
     module Models
       class Version < Sequel::Model
+        STALE_THRESHOLD = 86400 # 24 hours
+
         many_to_one :package, key: :package_purl, primary_key: :purl
 
         def parsed_purl
@@ -21,6 +23,33 @@ module Git
         def enriched?
           !enriched_at.nil?
         end
+
+        def needs_enrichment?
+          enriched_at.nil? || enriched_at < Time.now - STALE_THRESHOLD
+        end
+
+        def enrich_from_api(data)
+          licenses = data["licenses"]
+          license = case licenses
+                    when Array then licenses.first
+                    when String then licenses
+                    end
+          license ||= data["spdx_expression"]
+
+          update(
+            license: license,
+            integrity: data["integrity"],
+            published_at: data["published_at"] ? Time.parse(data["published_at"]) : nil,
+            enriched_at: Time.now
+          )
+        end
+
+        def self.find_or_create_by_purl(purl:, package_purl:)
+          existing = first(purl: purl)
+          return existing if existing
+
+          create(purl: purl, package_purl: package_purl)
+        end
       end
     end
   end

data/lib/git/pkgs/version.rb

@@ -2,6 +2,6 @@
 
 module Git
   module Pkgs
-    VERSION = "0.8.0"
+    VERSION = "0.9.0"
   end
 end

data/lib/git/pkgs.rb

@@ -49,12 +49,15 @@ require_relative "pkgs/commands/completions"
 require_relative "pkgs/commands/vulns"
 require_relative "pkgs/commands/outdated"
 require_relative "pkgs/commands/licenses"
+require_relative "pkgs/commands/integrity"
+require_relative "pkgs/commands/sbom"
 
 module Git
   module Pkgs
     class Error < StandardError; end
     class NotInitializedError < Error; end
     class NotInGitRepoError < Error; end
+    class SchemaVersionError < Error; end
 
     class << self
       attr_accessor :quiet, :git_dir, :work_tree, :db_path, :batch_size, :snapshot_interval, :threads

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: git-pkgs
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.9.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -57,14 +57,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '15.2'
+        version: '15.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '15.2'
+        version: '15.3'
 - !ruby/object:Gem::Dependency
   name: vers
   requirement: !ruby/object:Gem::Requirement
@@ -86,6 +86,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.7'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.7.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -93,6 +96,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.7'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: sarif-ruby
   requirement: !ruby/object:Gem::Requirement
@@ -107,6 +113,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: sbom
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A git subcommand for analyzing package/dependency usage in git repositories
   over time
 email:
@@ -137,10 +171,12 @@ files:
 - lib/git/pkgs/commands/hooks.rb
 - lib/git/pkgs/commands/info.rb
 - lib/git/pkgs/commands/init.rb
+- lib/git/pkgs/commands/integrity.rb
 - lib/git/pkgs/commands/licenses.rb
 - lib/git/pkgs/commands/list.rb
 - lib/git/pkgs/commands/log.rb
 - lib/git/pkgs/commands/outdated.rb
+- lib/git/pkgs/commands/sbom.rb
 - lib/git/pkgs/commands/schema.rb
 - lib/git/pkgs/commands/search.rb
 - lib/git/pkgs/commands/show.rb