
CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.

Results 152 cyclonedx-cli issues

Looks like there is missing support for the license id `BSD-3-Clause-Modification` that is present in the CycloneDX spec 1.4 https://github.com/CycloneDX/specification/blob/1.4/schema/spdx.schema.json#L57 Environment: ``` ./cyclonedx-linux-x64 --version 0.24.0 lsb_release -a No LSB modules are available....

[hello.spdx.json.txt](https://github.com/CycloneDX/cyclonedx-cli/files/14908606/hello.spdx.json.txt) [hello.cdx.json.txt](https://github.com/CycloneDX/cyclonedx-cli/files/14908607/hello.cdx.json.txt) Convert `hello.spdx.json` from SPDX to CycloneDX: ``` cyclonedx convert --input-file hello.spdx.json --input-format autodetect --output-file hello.cdx.json --output-format json ``` Try to convert the result back to SPDX: ``` cyclonedx convert...

I have an SBOM for a C# application generated by the `dotnet cyclonedx` tool. One of the components has the following schema: ```json { "type": "library", "bom-ref": "pkg:nuget/[email protected]", "author": "Josh Close",...

This is the error the tool throws when trying to convert from one format to another. `The JSON value could not be converted to CycloneDX.Spdx.Models.v2_2.ExternalRefCategory. Path: $.packages[0].externalRefs[0].referenceCategory` The SPDX file contains...

Input file: [buginput.json](https://github.com/CycloneDX/cyclonedx-cli/files/14758685/buginput.json) Passing the attached SBOM through cyclonedx-cli results in an invalid JSON: ```console $ cyclonedx --version 0.25.0 $ # it's valid $ cyclonedx validate --input-file buginput.json BOM validated...

When using version 0.25.0 in Azure DevOps (with CycloneDX version 1.5) and trying to merge an SBOM from cdxgen (using version 10.1.0) from https://github.com/CycloneDX/cdxgen that contains "evidence", the JSON SBOM...

The SBOM validate command shows an invalid license id for "TTWL", but it is listed as a valid license id in the CycloneDX specification [Ref: [https://cyclonedx.org/docs/1.5/json/#components_items_licenses_oneOf_i0_items_license_id](https://cyclonedx.org/docs/1.5/json/#components_items_licenses_oneOf_i0_items_license_id)].

I have a Gradle multi-project build, in which I generate an SBOM for Java dependencies for each project using the [CycloneDX Gradle](https://github.com/CycloneDX/cyclonedx-gradle-plugin) plugin. I want to merge all the existing...

Merging SBOMs seems to default to the output file being version 1.5, regardless of the input file versions. See for example `test1.txt` and `test2.txt` attached. Both v1.4, created with the...

Currently a conversion from SPDX to CycloneDX creates purl references in CycloneDX like so: "properties": [ { "name": "spdx:external-reference:package-manager:purl", "value": "pkg:whatever" }, ... The "external-reference" type purl (and probably cpe...