
cyclonedx merge defaults to specVersion 1.5 even when merging two v1.4 files

Open aja08379 opened this issue 1 year ago • 5 comments

Merging SBOMs seems to default to the output file being version 1.5, regardless of the input file versions. See for example test1.txt and test2.txt attached. Both v1.4, created with the snyk sbom CLI command.

Command used to merge them is:

cyclonedx merge --input-files test1.txt test2.txt --output-file new.txt --input-format json --output-format json --name "Test" --version "v0.0"

The output SBOM new.txt is v1.5 (also attached):

user@ubuntu2004:~$ cat test1.txt | jq
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
user@ubuntu2004:~$ cat test2.txt | jq
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
ash@ubuntu2004:~$ cat new.txt | jq
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",

Attachments: new.txt, test1.txt, test2.txt

aja08379 (Nov 06 '23 15:11)

We are also facing a similar issue. Is there any fix coming up soon?

Parisha7 (Dec 04 '23 06:12)

When can we expect the fix, please?

saloni410 (Jan 18 '24 09:01)

I think the intended behavior is to produce SBOMs of the latest version. However, you can use "--output-version v1_4" to force it to produce an SBOM of version 1.4.

andreas-hilti (May 18 '24 15:05)

Hello @andreas-hilti ,

We are encountering an issue with the CycloneDX merge command. When merging two SBOMs with spec version v1.4, the resulting SBOM is in spec version v1.5.

Is this the expected behavior of the merge command?

Additionally, it appears that the merge command does not support an --output-version flag, as confirmed by the documentation, so we cannot explicitly specify the output spec version.

anubhav-tyagi1 (May 20 '24 05:05)

> Hello @andreas-hilti ,
>
> We are encountering an issue with the CycloneDX merge command. When merging two SBOMs with spec version v1.4, the resulting SBOM is in spec version v1.5.
>
> Is this the expected behavior of the merge command?
>
> Additionally, it appears that the merge command does not support an --output-version flag, as confirmed by the documentation, so we cannot explicitly specify the output spec version.

Yes, you are right, it is currently not supported. You can review: https://github.com/CycloneDX/cyclonedx-cli/pull/366

What you can do already now is this (merge followed by convert):

cyclonedx.exe merge --input-files sbom1.json sbom2.json --output-file sbom_combined.json
cyclonedx.exe convert --input-file sbom_combined.json --output-file sbom_combined_conv.json --output-version v1_4

andreas-hilti (May 20 '24 09:05)
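The version drift described in the original report, and the merge-then-convert workaround above, both leave the same practical question: before a merged SBOM is published or fed into a scanner that expects a particular schema, does its specVersion still match the inputs, and does its "$schema" URL agree with its specVersion? The following Python check is an added example and is not part of cyclonedx-cli or of this thread; the sample SBOM documents in it are constructed headers that mirror the shapes shown in the report (two v1.4 inputs, a v1.5 merged output without "$schema", and the same output after convert), not the issue's attachments.

```python
import json
import re
from typing import Optional

# Constructed sample documents (headers plus a trivial component list), not the
# issue's attachments. INPUT_A / INPUT_B are v1.4, MERGED_AS_REPORTED is what the
# reporter saw (v1.5, no "$schema"), MERGED_CONVERTED is the same content after
# "cyclonedx convert --output-version v1_4", and INCONSISTENT is a hand-made
# document whose "$schema" and specVersion disagree.
_SCHEMA_14 = "http://cyclonedx.org/schema/bom-1.4.schema.json"
_COMPONENTS = [
    {"type": "library", "name": "liba", "version": "1.0"},
    {"type": "library", "name": "libb", "version": "2.0"},
]
INPUT_A = json.dumps({"$schema": _SCHEMA_14, "bomFormat": "CycloneDX",
                      "specVersion": "1.4", "components": _COMPONENTS[:1]})
INPUT_B = json.dumps({"$schema": _SCHEMA_14, "bomFormat": "CycloneDX",
                      "specVersion": "1.4", "components": _COMPONENTS[1:]})
MERGED_AS_REPORTED = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                                 "components": _COMPONENTS})
MERGED_CONVERTED = json.dumps({"$schema": _SCHEMA_14, "bomFormat": "CycloneDX",
                               "specVersion": "1.4", "components": _COMPONENTS})
INCONSISTENT = json.dumps({"$schema": _SCHEMA_14, "bomFormat": "CycloneDX",
                           "specVersion": "1.5", "components": _COMPONENTS})

# Official CycloneDX JSON schema URLs follow this pattern; the version is captured.
SCHEMA_RE = re.compile(r"^https?://cyclonedx\.org/schema/bom-(\d+\.\d+)\.schema\.json$")


def spec_version(doc: dict) -> str:
    """Return the declared specVersion, refusing documents that are not CycloneDX."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document (bomFormat missing or wrong)")
    version = doc.get("specVersion")
    if not isinstance(version, str):
        raise ValueError("specVersion missing or not a string")
    return version


def schema_version(doc: dict) -> Optional[str]:
    """Version implied by "$schema", or None if the field is absent or unrecognised."""
    schema = doc.get("$schema")
    if not isinstance(schema, str):
        return None
    match = SCHEMA_RE.match(schema)
    return match.group(1) if match else None


def check_merge(inputs: list[str], output: str) -> list[str]:
    """Compare a merged SBOM (JSON text) against its inputs (JSON texts).

    Returns a list of findings; an empty list means the output keeps the inputs'
    spec version and every "$schema" URL agrees with its document's specVersion.
    """
    findings: list[str] = []
    in_docs = [json.loads(text) for text in inputs]
    in_versions = sorted({spec_version(doc) for doc in in_docs})
    if len(in_versions) != 1:
        findings.append(f"inputs disagree on specVersion: {in_versions}")

    out_doc = json.loads(output)
    out_version = spec_version(out_doc)
    if out_version not in in_versions:
        findings.append(f"merged specVersion {out_version} differs from inputs {in_versions}")

    # "$schema" is optional, but when present it must match specVersion.
    labelled = [("merged", out_doc)] + [(f"input[{i}]", d) for i, d in enumerate(in_docs)]
    for label, doc in labelled:
        declared = schema_version(doc)
        if declared is not None and declared != spec_version(doc):
            findings.append(
                f"{label} $schema declares {declared} but specVersion is {spec_version(doc)}"
            )
    return findings


if __name__ == "__main__":
    for name, out in [("as reported", MERGED_AS_REPORTED), ("after convert", MERGED_CONVERTED)]:
        print(f"{name}: {check_merge([INPUT_A, INPUT_B], out) or 'OK'}")
```

Run it against real files by replacing the constructed constants with the contents of the input and output files; a non-empty result is the signal to add the convert step (or, from release 0.26.0, --output-version) before the merged SBOM leaves the pipeline.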

With release 0.26.0 you can now specify the output format version using --output-version.

andreas-hilti (Aug 17 '24 08:08)