A simple library and CLI tool to create an aggregated notice for one or more SBOMs (SPDX or CycloneDX).
```
Usage: sbomattr [OPTIONS] <file-or-directory>...

Create an aggregated notice for one or more SBOMs.

Arguments:
  file-or-directory   SBOM files or directories containing SBOM files

Options:
  -v         Verbose output (debug mode)
  -version   Show version and exit
```
Provide clear attribution for software dependencies in a simple, verifiable format.
When distributing software (especially closed source), you may want to aggregate license information from multiple SBOMs into a single notice file. This tool does one thing well: combine SBOMs into a unified attribution notice.
The URL field is the quickest way for people who don't care about the purl specification to verify the package information. Canonical sources are preferred; if none can be identified, the purl is used to generate a URL.
Note
If accuracy matters, enrich the SBOM with canonical URL fields before running this tool. URL generation from a purl is best-effort and may point at the wrong place.
For SPDX SBOMs, the homepage field is used if it is present and not NOASSERTION/NONE.
The downloadLocation field is not used because it is usually a tarball rather than a page a human can check.
For CycloneDX SBOMs, the first externalReferences entry found in the following priority order is used as the URL:
1. website
2. distribution
3. documentation
4. vcs
Supported input formats:
- SPDX 2.3 (JSON)
- CycloneDX 1.4 (JSON)
- GitHub-wrapped SBOMs (JSON)
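The URL-resolution rules above (SPDX homepage with NOASSERTION/NONE rejected and downloadLocation ignored; CycloneDX externalReferences by type priority; purl fallback) and the unwrapping of a GitHub-wrapped document, as an added example written for this page. It is not sbomattr's own code: the purl-type-to-URL table, the `notice_entries` function and the sample SBOMs are all assumptions constructed here, and the table only covers a handful of purl types to show why generation is best-effort.

```python
"""Resolve a human-checkable URL per package from SPDX 2.3 / CycloneDX 1.4 JSON.
Added example, not sbomattr's code; PURL_TEMPLATES is an assumed, partial table."""
from urllib.parse import unquote, urlsplit

SPDX_UNSET = {"NOASSERTION", "NONE", ""}
CDX_REF_PRIORITY = ("website", "distribution", "documentation", "vcs")

# Assumed best-effort purl type -> browsable URL templates (not the tool's table).
PURL_TEMPLATES = {
    "github": "https://github.com/{ns}/{name}",
    "golang": "https://pkg.go.dev/{ns}/{name}",
    "npm": "https://www.npmjs.com/package/{ns}{name}",
    "pypi": "https://pypi.org/project/{name}",
}


def is_http_url(value):
    """True only for a non-placeholder http(s) URL that has a host part."""
    if not isinstance(value, str) or value.strip() in SPDX_UNSET:
        return False
    parts = urlsplit(value.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def url_from_purl(purl):
    """Best-effort pkg:type/namespace/name@version -> URL, or None if unknown type."""
    if not isinstance(purl, str) or not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]
    parts = [unquote(p) for p in body.strip("/").split("/") if p]
    if len(parts) < 2:  # need at least a type and a name
        return None
    ptype, name, ns = parts[0], parts[-1], "/".join(parts[1:-1])
    template = PURL_TEMPLATES.get(ptype)
    if template is None or ("{ns}/" in template and not ns):
        return None
    if ptype == "npm" and ns:
        ns += "/"  # scoped package: @scope/name
    return template.format(ns=ns, name=name)


def spdx_package_url(pkg):
    """SPDX: homepage unless NOASSERTION/NONE; downloadLocation is skipped on
    purpose (usually a tarball); otherwise generate a URL from the purl."""
    if is_http_url(pkg.get("homepage")):
        return pkg["homepage"].strip(), "homepage"
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            url = url_from_purl(ref.get("referenceLocator"))
            if url:
                return url, "purl"
    return None, None


def cdx_component_url(comp):
    """CycloneDX: first usable externalReference by type priority, else purl."""
    refs = comp.get("externalReferences", [])
    for wanted in CDX_REF_PRIORITY:
        for ref in refs:
            if ref.get("type") == wanted and is_http_url(ref.get("url")):
                return ref["url"].strip(), wanted
    url = url_from_purl(comp.get("purl"))
    return (url, "purl") if url else (None, None)


def cdx_license(comp):
    """Join CycloneDX license ids/names/expressions, or NOASSERTION."""
    ids = []
    for item in comp.get("licenses", []):
        lic = item.get("license", {})
        ids.append(item.get("expression") or lic.get("id") or lic.get("name"))
    return " AND ".join(i for i in ids if i) or "NOASSERTION"


def notice_entries(doc):
    """(name, version, license, url, url_source) for every package in one parsed
    SBOM. GitHub's API wraps the SPDX document under an "sbom" key."""
    if isinstance(doc.get("sbom"), dict):
        doc = doc["sbom"]
    rows = []
    if str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        for pkg in doc.get("packages", []):
            url, src = spdx_package_url(pkg)
            lic = next((v for v in (pkg.get("licenseConcluded"), pkg.get("licenseDeclared"))
                        if v and v not in SPDX_UNSET), "NOASSERTION")
            rows.append((pkg.get("name"), pkg.get("versionInfo"), lic, url, src))
    elif doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            url, src = cdx_component_url(comp)
            rows.append((comp.get("name"), comp.get("version"), cdx_license(comp), url, src))
    else:
        raise ValueError("not an SPDX 2.x or CycloneDX JSON document")
    return rows


# Constructed sample inputs (not real SBOMs) exercising each rule above.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0", "homepage": "NOASSERTION",
         "downloadLocation": "https://files.pythonhosted.org/packages/requests-2.31.0.tar.gz",
         "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "cobra", "versionInfo": "v1.8.0", "homepage": "https://cobra.dev",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0"},
    ],
}
SAMPLE_CDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "core", "group": "@angular", "version": "17.0.0",
         "purl": "pkg:npm/%40angular/core@17.0.0", "licenses": [{"license": {"id": "MIT"}}],
         "externalReferences": [{"type": "vcs", "url": "https://github.com/angular/angular"},
                                {"type": "website", "url": "https://angular.io"}]},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"expression": "WTFPL"}]},
    ],
}

if __name__ == "__main__":
    for doc in (SAMPLE_SPDX, SAMPLE_CDX, {"sbom": SAMPLE_SPDX}):
        for name, version, lic, url, src in notice_entries(doc):
            print(f"{name} {version}  {lic}  {url or '(no URL)'}  [{src}]")
```

Two details worth keeping when adapting this: `is_http_url` rejects `git+https://` and other non-browsable schemes as well as the SPDX placeholders, and `url_from_purl` returns None for any purl type it has no template for, so a row can end up with no URL at all; that is the case the note above is warning about, and it is better surfaced in the notice than papered over with a guess.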