sbom 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5779ca3a21e46aa2032845504cda20229928dad1570d5de2a055ffe2a2dae8d
-  data.tar.gz: d57cc2a38620373ca402ca34322e0cfcb4d30bfa88b8a6791868c92f87b2393d
+  metadata.gz: '080bc0e7e22560d9779d7dc7914a6fd6d440dee48508da1db84d1c9d03fd3c5b'
+  data.tar.gz: 007f185f1ebc3a95bac42ca6419155e9a269bb0b98e1be5a478b6eab5f43e06c
 SHA512:
-  metadata.gz: 221caf4d995e38991fd6c720b00e662fe90ae7709b7032a35d6592848ce669e5245591ca66866b66b29b68326d78afc213ce5292815b4e0f18cce51dcbcf651d
-  data.tar.gz: 1a4e9340fda31c7fff6dddbfc12b912220a7aee701c4e3df860c41c00e26c6c5a7999727017bb7af201a09d5e505b8fd24a67d5188eef0b3450b1efdfbfc50e7
+  metadata.gz: e67dca4dfb55a94d8f55093938773389206f69d5765748323bed4672da6182d76e6d503bf96bda90bde6c721cabac9b21f061714de005fba6c4d4d25e874e4d5
+  data.tar.gz: fa270f7dad9214c3a15c1b1bad23d3982955bd262f4bdb332b6bf73f464ac9e846761f8ef01e4fb34058cbbe3253d80ee1f2c04460fa0e385754364acf75e1e9

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 ## [Unreleased]
 
+## [0.3.0] - 2025-12-23
+
+- Add `merge` command to CLI for combining multiple SBOMs into one
+- Add `Sbom.merge` and `Sbom.merge_files` library methods
+- Add `Sbom::Merger` class for merging SBOMs with configurable deduplication
+- Merge deduplicates packages by PURL by default, with option to keep all
+- Supports merging across formats (SPDX + CycloneDX)
+
+## [0.2.0] - 2025-12-14
+
+- Add `enrich` command to CLI for enriching SBOMs with data from ecosyste.ms
+- Add `Sbom.enrich` and `Sbom.enrich_file` library methods
+- Add `Sbom::Enricher` class for enriching packages with metadata and security advisories
+- Enrichment adds: description, homepage, download location, license, repository URL, registry URL, documentation URL, supplier info, and security advisories
+
 ## [0.1.0] - 2025-12-14
 
 - Initial release

data/CONTRIBUTING.md

@@ -0,0 +1,49 @@
+# Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/andrew/sbom.
+
+## Getting Started
+
+1. Fork the repository
+2. Clone your fork and set up the development environment:
+
+```bash
+git clone https://github.com/YOUR_USERNAME/sbom.git
+cd sbom
+bin/setup
+git submodule update --init --recursive
+```
+
+3. Run the tests to make sure everything works:
+
+```bash
+bundle exec rake test
+```
+
+## Making Changes
+
+1. Create a feature branch from `main`
+2. Make your changes
+3. Add tests for any new functionality
+4. Ensure all tests pass
+5. Submit a pull request
+
+## Code Style
+
+- Follow existing code conventions
+- Keep commits focused and atomic
+- Write clear commit messages
+
+## Running Tests
+
+```bash
+bundle exec rake test
+```
+
+## Reporting Bugs
+
+When reporting bugs, please include:
+- Ruby version
+- Steps to reproduce
+- Expected vs actual behavior
+- Sample SBOM files if relevant (sanitized of any sensitive data)

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Andrew Nesbitt
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -69,6 +69,39 @@ end
 Sbom::Validator.validate_file!("example.cdx.json")
 ```
 
+### Enriching SBOMs
+
+Enrich packages with metadata from [ecosyste.ms](https://ecosyste.ms):
+
+```ruby
+# Enrich an entire SBOM
+sbom = Sbom.parse_file("example.cdx.json")
+enriched = Sbom.enrich(sbom)
+
+# Or parse and enrich in one step
+enriched = Sbom.enrich_file("example.cdx.json")
+
+```
+
+Enrichment adds: description, homepage, download location, license, repository URL, registry URL, documentation URL, supplier info, and security advisories.
+
+### Merging SBOMs
+
+Combine multiple SBOMs into one:
+
+```ruby
+# Merge from files (dedupes by PURL by default)
+merged = Sbom.merge_files(["app1.cdx.json", "app2.spdx.json"])
+
+# Merge SBOM objects
+merged = Sbom.merge([sbom1, sbom2, sbom3])
+
+# Keep all packages without deduplication
+merged = Sbom.merge([sbom1, sbom2], dedupe: :none)
+```
+
+Merging works across formats. Packages are deduplicated by PURL by default. Relationships and licenses are also deduplicated.
+
 ### Building Packages
 
 The Package class provides an object interface for building package data:
@@ -118,6 +151,16 @@ sbom document outline example.cdx.json
 sbom document info example.spdx.json
 sbom document query example.cdx.json --package rails
 sbom document query example.cdx.json --license MIT
+
+# Enrich SBOM with ecosyste.ms data
+sbom enrich example.cdx.json
+sbom enrich example.cdx.json --output enriched.json
+cat example.cdx.json | sbom enrich -
+
+# Merge multiple SBOMs
+sbom merge app1.cdx.json app2.spdx.json --output merged.json
+sbom merge app1.json app2.json --no-dedupe
+sbom merge app1.json app2.json --type cyclonedx
 ```
 
 ## Supported Formats

data/SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.1.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it privately by emailing andrewnez@gmail.com.
+
+Please include:
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact
+- Any suggested fixes (optional)
+
+You can expect an initial response within 48 hours. We will work with you to understand and address the issue promptly.
+
+Please do not open public issues for security vulnerabilities.

data/exe/sbom

@@ -25,6 +25,10 @@ module Sbom
         validate_command
       when "convert"
         convert_command
+      when "enrich"
+        enrich_command
+      when "merge"
+        merge_command
       when "document"
         document_command
       when "version", "-v", "--version"
@@ -158,6 +162,85 @@ module Sbom
       abort "Conversion error: #{e.message}"
     end
 
+    def enrich_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom enrich <file> [options]"
+        opts.on("-t", "--type TYPE", "SBOM type (spdx, cyclonedx, auto)") { |v| @options[:type] = v.to_sym }
+        opts.on("-f", "--format FORMAT", "Output format (json, yaml)") { |v| @options[:format] = v }
+        opts.on("-o", "--output FILE", "Output file") { |v| @options[:output] = v }
+        opts.on("--advisories", "Include security advisories") { @options[:advisories] = true }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      file = @args.shift
+      abort "Error: No file specified. Use '-' for stdin." unless file
+
+      sbom = if file == "-"
+               content = $stdin.read
+               Sbom::Parser.parse_string(content, sbom_type: @options[:type] || :auto)
+             else
+               Sbom::Parser.parse_file(file, sbom_type: @options[:type] || :auto)
+             end
+
+      enricher = Sbom::Enricher.new(sbom)
+      enriched = enricher.enrich
+
+      format = @options[:format] || "json"
+      output = case format
+               when "yaml"
+                 enriched.to_h.to_yaml
+               else
+                 JSON.pretty_generate(enriched.to_h)
+               end
+
+      if @options[:output]
+        File.write(@options[:output], output)
+        warn "Enriched SBOM written to #{@options[:output]}"
+        warn "Enrichment errors: #{enricher.errors.count}" if enricher.errors.any?
+      else
+        puts output
+      end
+
+      enricher.errors.each { |e| warn "Warning: #{e[:purl]} - #{e[:error]}" } if enricher.errors.any?
+    rescue Sbom::ParserError => e
+      abort "Error: #{e.message}"
+    end
+
+    def merge_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom merge <file1> <file2> [file3...] [options]"
+        opts.on("-t", "--type TYPE", "Output SBOM type (spdx, cyclonedx)") { |v| @options[:type] = v.to_sym }
+        opts.on("-f", "--format FORMAT", "Output format (json, yaml, tag)") { |v| @options[:format] = v.to_sym }
+        opts.on("-o", "--output FILE", "Output file") { |v| @options[:output] = v }
+        opts.on("--no-dedupe", "Keep all packages (don't dedupe by PURL)") { @options[:dedupe] = :none }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      abort "Error: At least 2 files required" if @args.size < 2
+
+      dedupe = @options[:dedupe] || :purl
+      merged = Sbom::Merger.merge_files(@args, dedupe: dedupe)
+
+      output_type = @options[:type] || merged.sbom_type || :spdx
+      output_format = @options[:format] || :json
+
+      generator = Sbom::Generator.new(sbom_type: output_type, format: output_format)
+      generator.generate(merged.document&.dig(:name) || "Merged SBOM", merged.to_h)
+
+      output = generator.output
+
+      if @options[:output]
+        File.write(@options[:output], output)
+        puts "Merged SBOM written to #{@options[:output]}"
+      else
+        puts output
+      end
+    rescue Sbom::ParserError, Sbom::GeneratorError => e
+      abort "Error: #{e.message}"
+    end
+
     def document_command
       subcommand = @args.shift
 
@@ -329,6 +412,8 @@ module Sbom
           generate   Create a new SBOM
           validate   Validate SBOM against schema
           convert    Convert between SBOM formats
+          enrich     Enrich SBOM with data from ecosyste.ms
+          merge      Combine multiple SBOMs into one
           document   Work with SBOM documents
           version    Show version
 

data/lib/sbom/enricher.rb

@@ -0,0 +1,162 @@
+# frozen_string_literal: true
+
+module Sbom
+  class Enricher
+    attr_reader :sbom, :errors
+
+    def initialize(sbom)
+      @sbom = sbom
+      @errors = []
+    end
+
+    def enrich
+      @sbom.packages.each do |package|
+        enrich_package(package)
+      end
+      @sbom
+    end
+
+    def enrich_package(package)
+      purl_string = package[:purl] || find_purl_in_external_refs(package)
+      return unless purl_string
+
+      parsed = parse_purl(purl_string)
+      return unless parsed
+
+      lookup_data = fetch_lookup(parsed)
+      enrich_from_lookup(package, lookup_data) if lookup_data
+
+      advisories = fetch_advisories(parsed)
+      enrich_from_advisories(package, advisories) if advisories&.any?
+    rescue StandardError => e
+      @errors << { purl: purl_string, error: e.message }
+    end
+
+    def self.enrich(sbom)
+      new(sbom).enrich
+    end
+
+    def self.enrich_package(package)
+      purl_string = package[:purl] || find_purl_in_refs(package)
+      return package unless purl_string
+
+      parsed = Purl.parse(purl_string)
+      return package unless parsed
+
+      lookup_data = parsed.lookup
+      apply_lookup_enrichment(package, lookup_data) if lookup_data
+
+      advisories = parsed.advisories
+      apply_advisory_enrichment(package, advisories) if advisories&.any?
+
+      package
+    rescue StandardError
+      package
+    end
+
+    private
+
+    def find_purl_in_external_refs(package)
+      refs = package[:external_references] || []
+      refs.find { |_, type, _| type == "purl" }&.last
+    end
+
+    def self.find_purl_in_refs(package)
+      refs = package[:external_references] || []
+      refs.find { |_, type, _| type == "purl" }&.last
+    end
+
+    def parse_purl(purl_string)
+      Purl.parse(purl_string)
+    rescue Purl::InvalidPackageURL
+      @errors << { purl: purl_string, error: "Invalid PURL format" }
+      nil
+    end
+
+    def fetch_lookup(parsed_purl)
+      parsed_purl.lookup
+    rescue StandardError => e
+      @errors << { purl: parsed_purl.to_s, error: "Lookup failed: #{e.message}" }
+      nil
+    end
+
+    def fetch_advisories(parsed_purl)
+      parsed_purl.advisories
+    rescue StandardError => e
+      @errors << { purl: parsed_purl.to_s, error: "Advisories fetch failed: #{e.message}" }
+      []
+    end
+
+    def enrich_from_lookup(package, data)
+      self.class.apply_lookup_enrichment(package, data)
+    end
+
+    def enrich_from_advisories(package, advisories)
+      self.class.apply_advisory_enrichment(package, advisories)
+    end
+
+    def self.apply_lookup_enrichment(package, data)
+      pkg_data = data[:package] || {}
+      version_data = data[:version] || {}
+
+      package[:description] ||= pkg_data[:description]
+      package[:homepage] ||= pkg_data[:homepage]
+      package[:download_location] ||= version_data[:download_url]
+
+      if pkg_data[:licenses] && !package[:license_concluded]
+        package[:license_concluded] = pkg_data[:licenses]
+      end
+
+      package[:repository_url] ||= pkg_data[:repository_url]
+      package[:registry_url] ||= pkg_data[:registry_url]
+      package[:documentation_url] ||= pkg_data[:documentation_url]
+
+      if pkg_data[:maintainers]&.any? && !package[:supplier]
+        first_maintainer = pkg_data[:maintainers].first
+        package[:supplier] = first_maintainer[:login] if first_maintainer
+        package[:supplier_type] = "Organization"
+      end
+
+      if pkg_data[:keywords]&.any?
+        package[:tags] ||= []
+        package[:tags].concat(pkg_data[:keywords]).uniq!
+      end
+
+      package[:properties] ||= []
+      if pkg_data[:latest_version]
+        package[:properties] << ["ecosystems:latest_version", pkg_data[:latest_version]]
+      end
+      if pkg_data[:latest_version_published_at]
+        package[:properties] << ["ecosystems:latest_version_published_at", pkg_data[:latest_version_published_at]]
+      end
+      if pkg_data[:versions_count]
+        package[:properties] << ["ecosystems:versions_count", pkg_data[:versions_count].to_s]
+      end
+      if version_data[:published_at]
+        package[:properties] << ["ecosystems:version_published_at", version_data[:published_at]]
+      end
+
+      package
+    end
+
+    def self.apply_advisory_enrichment(package, advisories)
+      package[:advisories] ||= []
+
+      advisories.each do |advisory|
+        package[:advisories] << {
+          id: advisory[:id],
+          title: advisory[:title],
+          description: advisory[:description],
+          severity: advisory[:severity],
+          cvss_score: advisory[:cvss_score],
+          url: advisory[:url],
+          published_at: advisory[:published_at],
+          source: advisory[:source_kind],
+          references: advisory[:references]
+        }
+      end
+
+      package
+    end
+  end
+end

data/lib/sbom/merger.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+module Sbom
+  class Merger
+    attr_reader :sboms, :options, :result
+
+    def initialize(sboms, dedupe: :purl)
+      @sboms = sboms
+      @options = { dedupe: dedupe }
+      @result = nil
+    end
+
+    def merge
+      @result = Data::Sbom.new(sbom_type: determine_sbom_type)
+      @result.version = determine_version
+
+      build_document
+      merge_packages
+      merge_files
+      merge_relationships
+      merge_licenses
+      merge_annotations
+
+      @result
+    end
+
+    def determine_sbom_type
+      types = @sboms.map(&:sbom_type).uniq
+      return types.first if types.size == 1
+
+      :spdx
+    end
+
+    def determine_version
+      versions = @sboms.map(&:version).compact.uniq
+      versions.first
+    end
+
+    def build_document
+      names = @sboms.map { |s| s.document&.dig(:name) }.compact
+      merged_name = names.any? ? "Merged: #{names.join(', ')}" : "Merged SBOM"
+
+      @result.document = {
+        name: merged_name,
+        id: "SPDXRef-DOCUMENT",
+        created: Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+      }
+    end
+
+    def merge_packages
+      seen_purls = {}
+
+      @sboms.each do |sbom|
+        sbom.packages.each do |pkg|
+          if @options[:dedupe] == :purl && pkg[:purl]
+            next if seen_purls[pkg[:purl]]
+
+            seen_purls[pkg[:purl]] = true
+          end
+
+          @result.add_package(pkg)
+        end
+      end
+    end
+
+    def merge_files
+      @sboms.each do |sbom|
+        sbom.files.each do |file|
+          @result.add_file(file)
+        end
+      end
+    end
+
+    def merge_relationships
+      seen = Set.new
+
+      @sboms.each do |sbom|
+        sbom.relationships.each do |rel|
+          key = [rel[:source], rel[:type], rel[:target]]
+          next if seen.include?(key)
+
+          seen.add(key)
+          @result.add_relationship(rel)
+        end
+      end
+    end
+
+    def merge_licenses
+      seen = Set.new
+
+      @sboms.each do |sbom|
+        sbom.licenses.each do |lic|
+          next if seen.include?(lic)
+
+          seen.add(lic)
+          @result.add_license(lic)
+        end
+      end
+    end
+
+    def merge_annotations
+      @sboms.each do |sbom|
+        sbom.annotations.each do |ann|
+          @result.add_annotation(ann)
+        end
+      end
+    end
+
+    class << self
+      def merge(sboms, dedupe: :purl)
+        new(sboms, dedupe: dedupe).merge
+      end
+
+      def merge_files(filenames, dedupe: :purl)
+        sboms = filenames.map { |f| Parser.parse_file(f) }
+        merge(sboms, dedupe: dedupe)
+      end
+    end
+  end
+end

data/lib/sbom/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sbom
-  VERSION = "0.1.0"
+  VERSION = "0.3.0"
 end

data/lib/sbom.rb

@@ -32,6 +32,8 @@ require_relative "sbom/generator"
 require_relative "sbom/validation_result"
 require_relative "sbom/validator"
 require_relative "sbom/output"
+require_relative "sbom/enricher"
+require_relative "sbom/merger"
 
 module Sbom
   class << self
@@ -50,5 +52,22 @@ module Sbom
     def validate_file(filename, sbom_type: :auto)
       Validator.validate_file(filename, sbom_type: sbom_type)
     end
+
+    def enrich(sbom)
+      Enricher.enrich(sbom)
+    end
+
+    def enrich_file(filename, sbom_type: :auto)
+      sbom = parse_file(filename, sbom_type: sbom_type)
+      Enricher.enrich(sbom)
+    end
+
+    def merge(sboms, dedupe: :purl)
+      Merger.merge(sboms, dedupe: dedupe)
+    end
+
+    def merge_files(filenames, dedupe: :purl)
+      Merger.merge_files(filenames, dedupe: dedupe)
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sbom
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -63,8 +63,11 @@ files:
 - ".gitmodules"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
+- LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - exe/sbom
 - lib/sbom.rb
 - lib/sbom/cyclonedx/generator.rb
@@ -74,10 +77,12 @@ files:
 - lib/sbom/data/package.rb
 - lib/sbom/data/relationship.rb
 - lib/sbom/data/sbom.rb
+- lib/sbom/enricher.rb
 - lib/sbom/error.rb
 - lib/sbom/generator.rb
 - lib/sbom/license/data/spdx_licenses.json
 - lib/sbom/license/scanner.rb
+- lib/sbom/merger.rb
 - lib/sbom/output.rb
 - lib/sbom/parser.rb
 - lib/sbom/spdx/generator.rb