
Merging two reports together

Open Jeeppler opened this issue 2 years ago • 4 comments

Is this tool able to merge two reports together? For example, Report-A.spdx and Report-B.spdx?

Jeeppler avatar Jun 23 '22 16:06 Jeeppler

@Jeeppler Not currently. It wouldn't be too difficult to create the feature, but I probably won't have time to work on it until after the SPDX 2.3 release changes are complete.

If you have Java experience and want to contribute changes to support this functionality, I can give you some pointers to get you started.

goneall avatar Jun 23 '22 21:06 goneall

I am not sure how it will work. If you have two SBoMs from different components, each will have its own header (Document Creation section in the SPDX specification). I am not sure if the SPDX specification gives options to keep headers for two components?

spatil00 avatar Aug 09 '22 04:08 spatil00

@spatil00 I was thinking you could create a new SPDX document with its own document creation section but include relationships from the new document to the old documents. You could create External Document References for the 2 original docs. A relationship type DESCENDANT_OF and/or AMENDS could be used to describe that the new SPDX document is derived from the 2 original documents. A relationship type of COPY_OF could be used to refer back to the original package/file/snippets from the original document if you want to make the entire operation traceable.

goneall avatar Aug 09 '22 05:08 goneall
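The structure described in the comment above, worked through as an added example that is not tools-java code and not part of this issue: a new document with its own creation section, one ExternalDocumentRef per original (carrying the SHA1 of the original document, as the spec requires), DESCENDANT_OF relationships from the new document to each original, and a COPY_OF relationship from every copied package back to the element it came from. It uses the SPDX 2.3 tag/value syntax; the two input reports, the `example-merge` tool name and the `example.com` namespaces are constructed for the example. The `verify_external_refs` check at the end is what a consumer of the merged SBOM would run to confirm the originals it was derived from have not been altered since.

```python
import hashlib

# Constructed sample inputs for this example (not real SBOMs): two minimal
# SPDX 2.3 tag/value documents that we want to merge.
REPORT_A = """SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Report-A
DocumentNamespace: https://example.com/spdxdocs/Report-A
Creator: Tool: scanner-a
Created: 2022-06-23T16:06:00Z

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.2.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION
"""

REPORT_B = """SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Report-B
DocumentNamespace: https://example.com/spdxdocs/Report-B
Creator: Tool: scanner-b
Created: 2022-06-23T16:07:00Z

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9.1
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
"""


def document_checksum(text):
    """SHA1 of the serialized document, the checksum an ExternalDocumentRef carries."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def parse_tag_value(text):
    """Return (document namespace, [(package SPDXID, package lines), ...])."""
    namespace = None
    blocks = []
    current = None
    for line in text.splitlines():
        if line.startswith("PackageName:"):      # start of a new package block
            current = []
            blocks.append(current)
        if current is None:                       # still in the document header
            if line.startswith("DocumentNamespace:"):
                namespace = line.split(":", 1)[1].strip()
        elif line.strip():                        # drop blank separators
            current.append(line)
    packages = []
    for block in blocks:
        spdx_id = next(l.split(":", 1)[1].strip() for l in block if l.startswith("SPDXID:"))
        packages.append((spdx_id, block))
    return namespace, packages


def merge_documents(originals, merged_namespace, created):
    """Build a new document that references, and copies packages from, the originals.

    originals maps a DocumentRef name (e.g. "DocumentRef-A") to that original
    document's tag/value text. The merged document has its own creation info,
    is DESCENDANT_OF each original, and every copied package carries a COPY_OF
    relationship pointing at the element in the original document.
    """
    header = [
        "SPDXVersion: SPDX-2.3",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        "DocumentName: merged",
        f"DocumentNamespace: {merged_namespace}",
    ]
    relationships = []
    elements = []
    for doc_ref, text in originals.items():
        namespace, packages = parse_tag_value(text)
        header.append(f"ExternalDocumentRef: {doc_ref} {namespace} SHA1: {document_checksum(text)}")
        relationships.append(f"Relationship: SPDXRef-DOCUMENT DESCENDANT_OF {doc_ref}:SPDXRef-DOCUMENT")
        tag = doc_ref[len("DocumentRef-"):]
        for pkg_id, block in packages:
            # Re-key copied elements so IDs from the two originals cannot collide.
            new_id = f"SPDXRef-{tag}-{pkg_id[len('SPDXRef-'):]}"
            elements.append("")
            elements += [f"SPDXID: {new_id}" if l.startswith("SPDXID:") else l for l in block]
            relationships.append(f"Relationship: SPDXRef-DOCUMENT DESCRIBES {new_id}")
            relationships.append(f"Relationship: {new_id} COPY_OF {doc_ref}:{pkg_id}")
    header += ["Creator: Tool: example-merge", f"Created: {created}", ""]  # example tool name
    return "\n".join(header + relationships + elements) + "\n"


def verify_external_refs(merged_text, originals_by_namespace):
    """Check every ExternalDocumentRef checksum against the document it names."""
    checked = 0
    for line in merged_text.splitlines():
        if not line.startswith("ExternalDocumentRef:"):
            continue
        _, doc_ref, namespace, algo, digest = line.split()
        original = originals_by_namespace.get(namespace)
        if original is None or algo != "SHA1:" or document_checksum(original) != digest:
            return False
        checked += 1
    return checked > 0


if __name__ == "__main__":
    merged = merge_documents({"DocumentRef-A": REPORT_A, "DocumentRef-B": REPORT_B},
                             "https://example.com/spdxdocs/merged", "2022-08-09T05:00:00Z")
    print(merged)
    print("external refs verified:", verify_external_refs(merged, {
        "https://example.com/spdxdocs/Report-A": REPORT_A,
        "https://example.com/spdxdocs/Report-B": REPORT_B}))
```

The element IDs are re-keyed with the DocumentRef tag because both originals may legitimately use the same SPDXID for different packages; the COPY_OF relationship preserves the original ID in its `DocumentRef-X:SPDXRef-...` form, so nothing about provenance is lost by the renaming.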

@Jeeppler check out https://github.com/vmware-samples/sbom-composer for combining SPDX docs. This is in the process of being moved under the OpenSSF.

rnjudge avatar Mar 20 '23 22:03 rnjudge