sbom 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a22cb6e2f3394ccd7abb7e8a28d7282f11e4a9277cf1451dca16060d00ceb0f6
-  data.tar.gz: aaf00ea47acdb68969fb20a638a9300849fe363c1d7e8dfeb1955405d6a9d570
+  metadata.gz: b296a99b1a2ba980aedaa542532fd88bdea816209af3a2be1999a6e4305d0167
+  data.tar.gz: 1e9a7c1e385a4ec311baac0ea055453631d559e76ab4bab67e34cfcf3166f536
 SHA512:
-  metadata.gz: 8151a326269d029319b4dcb69bd61edcf6ef5745a673cda96464bb91afa2103aa5896d4c8e315951e54ac605b031582af3bd1eae0eb2d7f7b673cd4afc8999df
-  data.tar.gz: 6c47ebcbbdeef79496348fdde56280b90ac6e90bec8e52cded836d95415fa1ec0b8b2ad3874992d3bd7ca9e928114e57cabc1a72d7525e1923faf94db3273d07
+  metadata.gz: 60e7f56853ad7c7874b3d1b073c06ccbf6a455985ce86b10fba011273d0491a798a6067e866f3d399a2317150128aa035b05dbcae9b53979652fb56e3f924f73
+  data.tar.gz: 4f35f84db7c6d1dfe219e73cc7ecdefd14f701ce5fd091c504318ba7bad4c036b18dc04a17a375ecf6b0ee396a5bbf590c30d4f4d71b96812a375da54d3a84f8

data/.ruby-version

@@ -0,0 +1 @@
+4.0.0

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 ## [Unreleased]
 
+## [0.4.0] - 2026-01-08
+
+- Add CycloneDX vulnerabilities array support to generator
+
+## [0.3.0] - 2025-12-23
+
+- Add `merge` command to CLI for combining multiple SBOMs into one
+- Add `Sbom.merge` and `Sbom.merge_files` library methods
+- Add `Sbom::Merger` class for merging SBOMs with configurable deduplication
+- Merge deduplicates packages by PURL by default, with option to keep all
+- Supports merging across formats (SPDX + CycloneDX)
+
 ## [0.2.0] - 2025-12-14
 
 - Add `enrich` command to CLI for enriching SBOMs with data from ecosyste.ms

data/README.md

@@ -52,6 +52,24 @@ puts generator.output
 generator = Sbom::Generator.new(sbom_type: :cyclonedx)
 generator.generate("MyProject", sbom_data)
 File.write("sbom.cdx.json", generator.output)
+
+# Generate CycloneDX with vulnerabilities
+data = {
+  packages: packages_data,
+  vulnerabilities: [
+    {
+      id: "CVE-2024-1234",
+      source: { name: "OSV", url: "https://osv.dev" },
+      ratings: [{ severity: "high", score: 8.1, method: "CVSSv31" }],
+      description: "A critical vulnerability",
+      affects: [{ ref: "pkg:npm/lodash@4.17.20" }],
+      published: "2024-01-15T00:00:00Z",
+      updated: "2024-01-20T12:00:00Z"
+    }
+  ]
+}
+generator = Sbom::Generator.new(sbom_type: :cyclonedx)
+generator.generate("MyProject", data)
 ```
 
 ### Validating SBOMs
@@ -85,6 +103,23 @@ enriched = Sbom.enrich_file("example.cdx.json")
 
 Enrichment adds: description, homepage, download location, license, repository URL, registry URL, documentation URL, supplier info, and security advisories.
 
+### Merging SBOMs
+
+Combine multiple SBOMs into one:
+
+```ruby
+# Merge from files (dedupes by PURL by default)
+merged = Sbom.merge_files(["app1.cdx.json", "app2.spdx.json"])
+
+# Merge SBOM objects
+merged = Sbom.merge([sbom1, sbom2, sbom3])
+
+# Keep all packages without deduplication
+merged = Sbom.merge([sbom1, sbom2], dedupe: :none)
+```
+
+Merging works across formats. Packages are deduplicated by PURL by default. Relationships and licenses are also deduplicated.
+
 ### Building Packages
 
 The Package class provides an object interface for building package data:
@@ -139,6 +174,11 @@ sbom document query example.cdx.json --license MIT
 sbom enrich example.cdx.json
 sbom enrich example.cdx.json --output enriched.json
 cat example.cdx.json | sbom enrich -
+
+# Merge multiple SBOMs
+sbom merge app1.cdx.json app2.spdx.json --output merged.json
+sbom merge app1.json app2.json --no-dedupe
+sbom merge app1.json app2.json --type cyclonedx
 ```
 
 ## Supported Formats

data/exe/sbom

@@ -27,6 +27,8 @@ module Sbom
         convert_command
       when "enrich"
         enrich_command
+      when "merge"
+        merge_command
       when "document"
         document_command
       when "version", "-v", "--version"
@@ -205,6 +207,40 @@ module Sbom
       abort "Error: #{e.message}"
     end
 
+    def merge_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom merge <file1> <file2> [file3...] [options]"
+        opts.on("-t", "--type TYPE", "Output SBOM type (spdx, cyclonedx)") { |v| @options[:type] = v.to_sym }
+        opts.on("-f", "--format FORMAT", "Output format (json, yaml, tag)") { |v| @options[:format] = v.to_sym }
+        opts.on("-o", "--output FILE", "Output file") { |v| @options[:output] = v }
+        opts.on("--no-dedupe", "Keep all packages (don't dedupe by PURL)") { @options[:dedupe] = :none }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      abort "Error: At least 2 files required" if @args.size < 2
+
+      dedupe = @options[:dedupe] || :purl
+      merged = Sbom::Merger.merge_files(@args, dedupe: dedupe)
+
+      output_type = @options[:type] || merged.sbom_type || :spdx
+      output_format = @options[:format] || :json
+
+      generator = Sbom::Generator.new(sbom_type: output_type, format: output_format)
+      generator.generate(merged.document&.dig(:name) || "Merged SBOM", merged.to_h)
+
+      output = generator.output
+
+      if @options[:output]
+        File.write(@options[:output], output)
+        puts "Merged SBOM written to #{@options[:output]}"
+      else
+        puts output
+      end
+    rescue Sbom::ParserError, Sbom::GeneratorError => e
+      abort "Error: #{e.message}"
+    end
+
     def document_command
       subcommand = @args.shift
 
@@ -377,6 +413,7 @@ module Sbom
           validate   Validate SBOM against schema
           convert    Convert between SBOM formats
           enrich     Enrich SBOM with data from ecosyste.ms
+          merge      Combine multiple SBOMs into one
           document   Work with SBOM documents
           version    Show version
 

data/lib/sbom/cyclonedx/generator.rb

@@ -24,6 +24,7 @@ module Sbom
         @output = {}
         @components = []
         @dependencies = []
+        @vulnerabilities = []
         @element_refs = {}
       end
 
@@ -41,6 +42,7 @@ module Sbom
         generate_document_header(project_name, component_data, uuid, bom_version)
         generate_components(data[:packages])
         generate_dependencies(data[:relationships])
+        generate_vulnerabilities(data[:vulnerabilities])
 
         finalize_output
       end
@@ -234,9 +236,54 @@ module Sbom
         end
       end
 
+      def generate_vulnerabilities(vulnerabilities_data)
+        return unless vulnerabilities_data&.any?
+
+        vulnerabilities_data.each do |vuln|
+          generate_vulnerability(vuln)
+        end
+      end
+
+      def generate_vulnerability(vuln)
+        return unless vuln[:id]
+
+        vulnerability = { "id" => vuln[:id] }
+
+        if vuln[:source]
+          source = {}
+          source["name"] = vuln[:source][:name] if vuln[:source][:name]
+          source["url"] = vuln[:source][:url] if vuln[:source][:url]
+          vulnerability["source"] = source if source.any?
+        end
+
+        if vuln[:ratings]&.any?
+          vulnerability["ratings"] = vuln[:ratings].map do |rating|
+            r = {}
+            r["severity"] = rating[:severity] if rating[:severity]
+            r["score"] = rating[:score] if rating[:score]
+            r["method"] = rating[:method] if rating[:method]
+            r
+          end.reject(&:empty?)
+        end
+
+        vulnerability["description"] = vuln[:description] if vuln[:description]
+
+        if vuln[:affects]&.any?
+          vulnerability["affects"] = vuln[:affects].map do |affect|
+            { "ref" => affect[:ref] }
+          end
+        end
+
+        vulnerability["published"] = vuln[:published] if vuln[:published]
+        vulnerability["updated"] = vuln[:updated] if vuln[:updated]
+
+        @vulnerabilities << vulnerability
+      end
+
       def finalize_output
         @output["components"] = @components if @components.any?
         @output["dependencies"] = @dependencies if @dependencies.any?
+        @output["vulnerabilities"] = @vulnerabilities if @vulnerabilities.any?
       end
 
       def version_at_least?(version)

data/lib/sbom/merger.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+module Sbom
+  class Merger
+    attr_reader :sboms, :options, :result
+
+    def initialize(sboms, dedupe: :purl)
+      @sboms = sboms
+      @options = { dedupe: dedupe }
+      @result = nil
+    end
+
+    def merge
+      @result = Data::Sbom.new(sbom_type: determine_sbom_type)
+      @result.version = determine_version
+
+      build_document
+      merge_packages
+      merge_files
+      merge_relationships
+      merge_licenses
+      merge_annotations
+
+      @result
+    end
+
+    def determine_sbom_type
+      types = @sboms.map(&:sbom_type).uniq
+      return types.first if types.size == 1
+
+      :spdx
+    end
+
+    def determine_version
+      versions = @sboms.map(&:version).compact.uniq
+      versions.first
+    end
+
+    def build_document
+      names = @sboms.map { |s| s.document&.dig(:name) }.compact
+      merged_name = names.any? ? "Merged: #{names.join(', ')}" : "Merged SBOM"
+
+      @result.document = {
+        name: merged_name,
+        id: "SPDXRef-DOCUMENT",
+        created: Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+      }
+    end
+
+    def merge_packages
+      seen_purls = {}
+
+      @sboms.each do |sbom|
+        sbom.packages.each do |pkg|
+          if @options[:dedupe] == :purl && pkg[:purl]
+            next if seen_purls[pkg[:purl]]
+
+            seen_purls[pkg[:purl]] = true
+          end
+
+          @result.add_package(pkg)
+        end
+      end
+    end
+
+    def merge_files
+      @sboms.each do |sbom|
+        sbom.files.each do |file|
+          @result.add_file(file)
+        end
+      end
+    end
+
+    def merge_relationships
+      seen = Set.new
+
+      @sboms.each do |sbom|
+        sbom.relationships.each do |rel|
+          key = [rel[:source], rel[:type], rel[:target]]
+          next if seen.include?(key)
+
+          seen.add(key)
+          @result.add_relationship(rel)
+        end
+      end
+    end
+
+    def merge_licenses
+      seen = Set.new
+
+      @sboms.each do |sbom|
+        sbom.licenses.each do |lic|
+          next if seen.include?(lic)
+
+          seen.add(lic)
+          @result.add_license(lic)
+        end
+      end
+    end
+
+    def merge_annotations
+      @sboms.each do |sbom|
+        sbom.annotations.each do |ann|
+          @result.add_annotation(ann)
+        end
+      end
+    end
+
+    class << self
+      def merge(sboms, dedupe: :purl)
+        new(sboms, dedupe: dedupe).merge
+      end
+
+      def merge_files(filenames, dedupe: :purl)
+        sboms = filenames.map { |f| Parser.parse_file(f) }
+        merge(sboms, dedupe: dedupe)
+      end
+    end
+  end
+end

data/lib/sbom/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sbom
-  VERSION = "0.2.0"
+  VERSION = "0.4.0"
 end

data/lib/sbom.rb

@@ -33,6 +33,7 @@ require_relative "sbom/validation_result"
 require_relative "sbom/validator"
 require_relative "sbom/output"
 require_relative "sbom/enricher"
+require_relative "sbom/merger"
 
 module Sbom
   class << self
@@ -60,5 +61,13 @@ module Sbom
       sbom = parse_file(filename, sbom_type: sbom_type)
       Enricher.enrich(sbom)
     end
+
+    def merge(sboms, dedupe: :purl)
+      Merger.merge(sboms, dedupe: dedupe)
+    end
+
+    def merge_files(filenames, dedupe: :purl)
+      Merger.merge_files(filenames, dedupe: dedupe)
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sbom
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -61,6 +61,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitmodules"
+- ".ruby-version"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -82,6 +83,7 @@ files:
 - lib/sbom/generator.rb
 - lib/sbom/license/data/spdx_licenses.json
 - lib/sbom/license/scanner.rb
+- lib/sbom/merger.rb
 - lib/sbom/output.rb
 - lib/sbom/parser.rb
 - lib/sbom/spdx/generator.rb
@@ -112,7 +114,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.1
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Parse, generate, and validate Software Bill of Materials (SBOM)
 test_files: []