Re: SPDX Merging #spdx
Just made the sbom-composer tool public. It’s only been run with SBOMs that I generated, so I would be very happy to hear your feedback and make any follow-up updates if necessary.
Joe, it does the merge based on these guidelines. As an example, these two SBOMs result in this composed.spdx. In short, it just appends the data without the document creation information, allows the latter to be configurable, and updates the references. I would be happy to hear your feedback, if any.
Open Source Engineer
VMware Open Source Program Office
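The merge the message above describes (append everything except the document creation information, take that from the caller, and rewrite the references so element ids stay unique across inputs), as an added Python example that is not the sbom-composer tool's own code. The SPDX 2.3 JSON field names are real; the two input documents, the creator string and the namespace are constructed for the example.

```python
import re

DOC_ID = "SPDXRef-DOCUMENT"

def _ref_map(doc, prefix):
    """Map each element id of one input to a prefixed id; its document id maps onto the merged document's id."""
    mapping = {DOC_ID: DOC_ID}
    for elem in doc.get("packages", []) + doc.get("files", []):
        mapping[elem["SPDXID"]] = elem["SPDXID"].replace("SPDXRef-", f"SPDXRef-{prefix}-", 1)
    return mapping

def merge_spdx(docs, creation_info, name, namespace):
    """Append every input's packages, files and relationships; drop each input's creationInfo for the caller's."""
    merged = {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": DOC_ID,
              "name": name, "documentNamespace": namespace, "creationInfo": creation_info,
              "packages": [], "files": [], "relationships": []}
    seen = set()
    for i, doc in enumerate(docs):
        # SPDX idstrings allow only letters, digits, '.' and '-': derive the prefix from the input name
        prefix = re.sub(r"[^A-Za-z0-9.]", "-", doc.get("name", f"doc{i}"))
        ref = _ref_map(doc, prefix)
        for kind in ("packages", "files"):
            for elem in doc.get(kind, []):
                elem = {**elem, "SPDXID": ref[elem["SPDXID"]]}
                if elem["SPDXID"] in seen:  # two inputs with the same name would still collide: refuse
                    raise ValueError(f"duplicate SPDXID after merge: {elem['SPDXID']}")
                seen.add(elem["SPDXID"])
                if "hasFiles" in elem:
                    elem["hasFiles"] = [ref.get(f, f) for f in elem["hasFiles"]]
                merged[kind].append(elem)
        for rel in doc.get("relationships", []):
            # ids outside the map (NOASSERTION, NONE, DocumentRef-x:SPDXRef-y) pass through unchanged
            merged["relationships"].append({**rel,
                "spdxElementId": ref.get(rel["spdxElementId"], rel["spdxElementId"]),
                "relatedSpdxElement": ref.get(rel["relatedSpdxElement"], rel["relatedSpdxElement"])})
    return merged

# Constructed inputs: both reuse SPDXRef-Package-app, which would collide if simply appended.
DOC_A = {"name": "app", "creationInfo": {"created": "2022-01-01T00:00:00Z", "creators": ["Tool: constructed"]},
         "packages": [{"SPDXID": "SPDXRef-Package-app", "name": "app", "hasFiles": ["SPDXRef-File-main"]}],
         "files": [{"SPDXID": "SPDXRef-File-main", "fileName": "./main.go"}],
         "relationships": [{"spdxElementId": DOC_ID, "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-app"}]}
DOC_B = {"name": "lib", "creationInfo": {"created": "2022-02-01T00:00:00Z", "creators": ["Tool: constructed"]},
         "packages": [{"SPDXID": "SPDXRef-Package-app", "name": "libfoo"}],
         "relationships": [{"spdxElementId": DOC_ID, "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-app"}]}

def composed():
    # placeholder namespace; a real composed document needs its own unique URI
    return merge_spdx([DOC_A, DOC_B], {"created": "2022-03-01T00:00:00Z", "creators": ["Tool: merge-example"]},
                      "composed", "https://example.invalid/spdx/composed")
```

After the merge both DESCRIBES relationships hang off the new document id, so a consumer sees one document describing both top-level packages without having to resolve external document references.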
From: spdx@... <spdx@...> on behalf of Joe Bussell via lists.spdx.org <joe.bussell=microsoft.com@...>
Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?
From: spdx@... <spdx@...> on behalf of Gary O'Neall via lists.spdx.org
I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any Java programmers out there who would like to volunteer a solution are welcome to create a pull request.