This repository contains tools for using SBOMs with ClearlyDefined
```
go install github.com/jeffmendoza/cdsbom@latest
```

Make sure `$GOBIN` is in your path. `$GOBIN` defaults to `$GOPATH/bin`; `$GOPATH` defaults to `$HOME/go` on Unix and `%USERPROFILE%\go` on Windows.
Example:
```
cdsbom -min-score 50 -out enhanced-sbom.json input-sbom.json
```

This will read input-sbom.json and query ClearlyDefined for license
information. The license fields in the SBOM will be replaced with the license
data returned from ClearlyDefined, but only where the ClearlyDefined effective score is greater than or equal to the min-score; components scoring below it keep their original license fields.
A new SBOM will be written to enhanced-sbom.json with the updated fields, in the same format as the input SBOM.
Supported formats are the same as Protobom.
```
go install github.com/jeffmendoza/cdsbom/sbomnotice@latest
```

Make sure `$GOBIN` is in your path. `$GOBIN` defaults to `$GOPATH/bin`; `$GOPATH` defaults to `$HOME/go` on Unix and `%USERPROFILE%\go` on Windows.
Example:
```
sbomnotice -out NOTICE input-sbom.json
```

This will read input-sbom.json and parse all the dependencies found, then
query ClearlyDefined for a NOTICE file covering all dependencies from the SBOM. The
file contents will be written to the provided output file name, or to NOTICE if
none is specified.
Supported formats are the same as Protobom.
```
go install github.com/jeffmendoza/cdsbom/sbomcoords@latest
```

Make sure `$GOBIN` is in your path. `$GOBIN` defaults to `$GOPATH/bin`; `$GOPATH` defaults to `$HOME/go` on Unix and `%USERPROFILE%\go` on Windows.
Example:
```
sbomcoords -out coords.json input-sbom.json
```

This will read input-sbom.json and parse all the dependencies found, looking
for PURL identifiers. These PURLs will be converted to ClearlyDefined
Coordinates and de-duplicated. The output file coords.json will be a JSON array of
Coordinates.
Supported formats are the same as Protobom.
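The PURL-to-Coordinates step that sbomcoords performs, shown as an added Go example that is not the project's own code: the real tool delegates the conversion to GUAC sw-id-core, whereas the `purlToCD` type/provider table here is an assumed approximation for a handful of common ecosystems, and `FromPURL`/`Dedup` are hypothetical helpers. Qualifiers and subpaths are deliberately dropped so that two PURLs for the same package version de-duplicate to one coordinate.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Coordinates is the ClearlyDefined coordinate shape: type/provider/namespace/name/revision.
type Coordinates struct {
	Type      string `json:"type"`
	Provider  string `json:"provider"`
	Namespace string `json:"namespace"`
	Name      string `json:"name"`
	Revision  string `json:"revision"`
}

// purlToCD is an assumed PURL-type to ClearlyDefined type/provider table; the real tool uses GUAC sw-id-core.
var purlToCD = map[string][2]string{
	"npm": {"npm", "npmjs"}, "pypi": {"pypi", "pypi"}, "maven": {"maven", "mavencentral"},
	"gem": {"gem", "rubygems"}, "nuget": {"nuget", "nuget"}, "cargo": {"crate", "cratesio"},
}

// FromPURL maps pkg:type/namespace/name@version to Coordinates; qualifiers and subpath are dropped.
func FromPURL(purl string) (Coordinates, error) {
	rest, _, _ := strings.Cut(strings.TrimPrefix(purl, "pkg:"), "#")
	rest, _, _ = strings.Cut(rest, "?")
	path, version, _ := strings.Cut(rest, "@") // a literal '@' in names is %-encoded per the PURL spec
	parts := strings.Split(strings.Trim(path, "/"), "/")
	cd, ok := purlToCD[parts[0]]
	if !strings.HasPrefix(purl, "pkg:") || !ok || len(parts) < 2 || version == "" {
		return Coordinates{}, fmt.Errorf("unsupported or incomplete purl: %q", purl)
	}
	ns := "-" // ClearlyDefined writes "-" for an empty namespace
	if len(parts) > 2 {
		ns, _ = url.PathUnescape(strings.Join(parts[1:len(parts)-1], "/"))
	}
	name, _ := url.PathUnescape(parts[len(parts)-1])
	return Coordinates{cd[0], cd[1], ns, name, version}, nil
}

// Dedup converts every PURL, skips unsupported ones and keeps first-seen order.
func Dedup(purls []string) []Coordinates {
	seen, out := map[Coordinates]bool{}, []Coordinates{}
	for _, p := range purls {
		if c, err := FromPURL(p); err == nil && !seen[c] {
			seen[c], out = true, append(out, c)
		}
	}
	return out
}
```

Passing the result of `Dedup` to `encoding/json` yields the same kind of JSON array of Coordinates that sbomcoords writes to its `-out` file.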
This project is possible due to Protobom for SBOM parsing, and GUAC sw-id-core to convert PURL to ClearlyDefined Coordinates.