Hi, Just made the sbom-composer<https://github.com/vmware-samples/sbom-composer> tool public. It’s been only run with sboms that I generated, so would be very happy to hear your feedback and do any following updates if necessary.
Joe, it does the merge based on these guidelines<https://github.com/vmware-samples/sbom-composer/blob/main/example_data/composing-guidelines.md>. As an example these two<https://github.com/vmware-samples/sbom-composer/tree/main/example_data/micro_sboms> sboms result in this composed.spdx<https://github.com/vmware-samples/sbom-composer/blob/main/example_data/composed.spdx>. Shortly, it just appends the data without the document creation information, allows the latter to be configurable and updates the references. Would be happy to hear your feedback if any. Best, Ivana --- Ivana Atanasova Open Source Engineer VMware Open Source Program Office From: [email protected] <[email protected]> on behalf of Joe Bussell via lists.spdx.org <[email protected]> Date: Tuesday, 9 August 2022, 20:09 To: [email protected] <[email protected]> Subject: Re: [spdx] SPDX Merging #spdx ⚠ External Email Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain? From: [email protected] <[email protected]> On Behalf Of Gary O'Neall via lists.spdx.org Sent: Monday, August 8, 2022 10:07 AM To: [email protected] Subject: [EXTERNAL] Re: [spdx] SPDX Merging #spdx I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fspdx%2Ftools-java%2Fissues%2F62&data=05%7C01%7Ciyovcheva%40vmware.com%7C5542b6447f704060a83508da7a29e6ed%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C1%7C637956617636734879%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ETPzWQ14PIKepaWzz9vEqSlB2QhoErrRW2w%2FOvYBoJs%3D&reserved=0> – any java programmers out there who would like to volunteer a solution is welcome to create a pull request. Regards, Gary From: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> On Behalf Of Patil, Sandeep via lists.spdx.org Sent: Monday, August 8, 2022 4:07 AM To: [email protected]<mailto:[email protected]> Subject: [spdx] SPDX Merging #spdx Hi All, Is there any tool to merge two spdx file ? Regards Sandeep ________________________________ ⚠ External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1587): https://lists.spdx.org/g/spdx/message/1587 Mute This Topic: https://lists.spdx.org/mt/92889347/21656 Mute #spdx:https://lists.spdx.org/g/spdx/mutehashtag/spdx Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
