sbomasm

sbomasm is a comprehensive SBOM management toolkit for assembling, editing, enriching, viewing, and cryptographically signing SBOMs. It supports both SPDX and CycloneDX formats and handles operations that span multiple SBOMs — merging microservice SBOMs into a platform-wide view, enriching components with license data, editing metadata for compliance, and signing SBOMs for integrity verification.

Repository: github.com/interlynk-io/sbomasm


Use Cases

| Operation | When to Use |
|---|---|
| Assemble (merge) | Combine SBOMs from multiple services, containers, or modules into one |
| Edit | Update metadata (supplier, author, version) before distribution |
| Enrich | Fill missing license information from ClearlyDefined |
| Remove | Strip components or fields before sharing externally |
| View | Inspect SBOM structure and dependencies |
| Sign / Verify | Establish authenticity and detect tampering |


Installation

Homebrew (macOS/Linux)

brew tap interlynk-io/interlynk
brew install sbomasm

Go Install

Pre-Built Binaries

Download from the GitHub releases page for Linux (amd64, arm64), macOS (amd64, arm64), and Windows (amd64).

Docker

Build from Source

Verify Installation


Core Operations

Assemble (Merge SBOMs)

Combine multiple SBOMs into a single document. Four merge strategies are available:

| Strategy | Flag | Behavior |
|---|---|---|
| Hierarchical | --hierMerge (default) | Preserves component structure; nests input SBOMs under a new root |
| Flat | --flatMerge | Removes relationships; flattens all components to the same level |
| Assembly | --assemblyMerge | Treats each SBOM independently without linking to primary |
| Augment | --augmentMerge | Enriches a primary SBOM with data from others; no new root created |

Hierarchical Merge (Default)

Flat Merge

Assembly Merge

Augment Merge

Enrich an existing SBOM with components from other SBOMs without changing the root structure:

Merge modes for augment:

  • if-missing-or-empty (default) — only fills in empty or missing fields

  • overwrite — replaces existing values
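The following Python is an added example, not code from the sbomasm project: it models what the four strategies and the two augment merge modes do to two constructed, minimal CycloneDX-shaped SBOMs, matching components by bom-ref only (a simplification of sbomasm's matching).

```python
"""Illustrative model of sbomasm's four assemble strategies on minimal CycloneDX-shaped
dicts. Added example, not sbomasm's own code; components are matched by bom-ref only."""
import copy

# Constructed inputs: two microservice SBOMs sharing one logging library; only the
# web service's copy carries license and supplier data (and a newer version).
API = {"metadata": {"component": {"bom-ref": "svc-api", "name": "api", "version": "2.1"}},
       "components": [{"bom-ref": "lib-log", "name": "logging", "version": "1.0", "licenses": []}],
       "dependencies": [{"ref": "svc-api", "dependsOn": ["lib-log"]}]}
WEB = {"metadata": {"component": {"bom-ref": "svc-web", "name": "web", "version": "3.0"}},
       "components": [{"bom-ref": "lib-log", "name": "logging", "version": "1.1",
                       "licenses": ["Apache-2.0"], "supplier": "Acme"}],
       "dependencies": [{"ref": "svc-web", "dependsOn": ["lib-log"]}]}

def _all_components(sbom):
    return [sbom["metadata"]["component"]] + sbom["components"]

def hierarchical_merge(name, version, sboms):
    # New root depending on each input's primary; inputs keep their own dependency graphs.
    root = {"bom-ref": f"root-{name}", "name": name, "version": version}
    out = {"metadata": {"component": root}, "components": [], "dependencies": [
        {"ref": root["bom-ref"], "dependsOn": [s["metadata"]["component"]["bom-ref"] for s in sboms]}]}
    for s in sboms:
        out["components"] += copy.deepcopy(_all_components(s))
        out["dependencies"] += copy.deepcopy(s["dependencies"])
    return out

def assembly_merge(name, version, sboms):
    # Same as hierarchical, except the inputs are not linked to the new root.
    out = hierarchical_merge(name, version, sboms)
    out["dependencies"][0]["dependsOn"] = []
    return out

def flat_merge(name, version, sboms):
    # New root, relationships dropped, components deduplicated by bom-ref (first wins).
    seen = {}
    for c in (x for s in sboms for x in _all_components(s)):
        seen.setdefault(c["bom-ref"], copy.deepcopy(c))
    return {"metadata": {"component": {"bom-ref": f"root-{name}", "name": name, "version": version}},
            "components": list(seen.values()), "dependencies": []}

def augment_merge(primary, others, mode="if-missing-or-empty"):
    # No new root: primary components matched by bom-ref gain fields from the others.
    # The default mode fills only missing/empty fields; "overwrite" replaces existing values.
    out = copy.deepcopy(primary)
    index = {c["bom-ref"]: c for c in out["components"]}
    for c in (x for s in others for x in s["components"]):
        target = index.get(c["bom-ref"])          # unmatched components are not added
        for key, val in (c.items() if target is not None else []):
            if mode == "overwrite" or not target.get(key):
                target[key] = copy.deepcopy(val)
    return out
```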

Output Format Control

Configuration-Driven Assembly

Generate a configuration template:

Example configuration file (assemble-config.yaml):

Run with configuration:

Assemble Parameters

| Parameter | Short | Required | Default | Description |
|---|---|---|---|---|
| --name | -n | Yes (non-augment) | | Name for assembled SBOM |
| --version | -v | Yes (non-augment) | | Version for assembled SBOM |
| --output | -o | No | stdout | Output file path |
| --type | -t | No | application | Component type |
| --configPath | -c | No | | YAML configuration file |
| --hierMerge | -m | No | Default | Hierarchical merge |
| --flatMerge | -f | No | | Flat merge |
| --assemblyMerge | -a | No | | Assembly merge |
| --augmentMerge | | No | | Augment merge |
| --primary | -p | Augment only | | Primary SBOM file |
| --merge-mode | | No | if-missing-or-empty | Merge mode for augment |
| --outputSpecCdx | -g | No | Default | CycloneDX output |
| --outputSpecSpdx | -s | No | | SPDX output |
| --outputSpecVersion | -e | No | Latest | Spec version |
| --xml | -x | No | | XML output |
| --json | -j | No | Default | JSON output |

Component type values: application, framework, library, container, device, firmware


Edit SBOM Metadata

Modify metadata on the SBOM document, primary component, or specific components.

Edit Document Metadata

Edit Primary Component

Edit a Specific Component

Edit Modes

| Flag | Behavior |
|---|---|
| (default) | Overwrite existing values |
| --append | Add to existing values (e.g., additional licenses) |
| --missing | Only set if the field is currently empty |

Editable Fields

| Field | Flag | Format |
|---|---|---|
| Name | --name | String |
| Version | --version | String |
| Type | --type | Component type value |
| Supplier | --supplier | "Name (url)" |
| Author | --author | String (repeatable) |
| PURL | --purl | Package URL |
| CPE | --cpe | CPE identifier |
| License | --license | SPDX expression (repeatable) |
| Hash | --hash | "Algorithm (value)" (repeatable) |
| Tool | --tool | "Name (version)" (repeatable) |
| Copyright | --copyright | String |
| Lifecycle | --lifecycle | Phase name (repeatable) |
| Description | --description | String |
| Repository | --repository | URL |
| Timestamp | --timestamp | Flag — adds current time |
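The following Python is an added example, not sbomasm's own code: it models the three edit modes and the three edit targets (document, primary component, a specific component) on a constructed, vendor-provided CycloneDX-shaped SBOM, so the difference between losing and preserving vendor metadata is visible; the target selector strings and the set of repeatable fields are this model's assumptions.

```python
"""Illustrative model of sbomasm edit modes (default overwrite, --append, --missing) and
edit targets (document, primary component, a specific component) on a minimal
CycloneDX-shaped dict. Added example, not sbomasm's own code; the target selector
strings and the set of repeatable fields are this model's assumptions."""
import copy

REPEATABLE = {"licenses", "authors", "hashes", "tools", "lifecycles"}

# Constructed vendor-provided SBOM: the vendor set a supplier and a license but left
# the primary component's author list and the document-level tool list empty.
VENDOR_SBOM = {
    "metadata": {"tools": [],
                 "component": {"name": "gateway", "version": "5.2", "authors": [],
                               "supplier": "Vendor Inc (https://vendor.example)"}},
    "components": [{"name": "libfoo", "version": "1.4", "licenses": ["MIT"]}],
}

def select_target(sbom, subject):
    # subject: "document", "primary-component", or "name (version)" of a component
    if subject == "document":
        return sbom["metadata"]
    if subject == "primary-component":
        return sbom["metadata"]["component"]
    for c in sbom["components"]:
        if f'{c["name"]} ({c["version"]})' == subject:
            return c
    raise KeyError(f"no component matches {subject!r}")

def edit(sbom, subject, field, values, mode="overwrite"):
    """Return an edited copy; mode is 'overwrite' (default), 'append' or 'missing'."""
    out = copy.deepcopy(sbom)
    target = select_target(out, subject)
    current = target.get(field)
    if mode == "missing" and current not in (None, "", []):
        return out                           # already populated: keep the vendor's data
    if mode == "append" and field in REPEATABLE:
        current = list(current or [])
        target[field] = current + [v for v in values if v not in current]
        return out
    target[field] = values                   # overwrite (default), or fill an empty field
    return out
```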


Enrich SBOMs

Fill missing license information using the ClearlyDefined API.

| Parameter | Short | Default | Description |
|---|---|---|---|
| --fields | | | Fields to enrich (currently: license) |
| --output | -o | stdout | Output file |
| --force | -f | Off | Replace existing values |
| --max-retries | -r | 2 | API retry attempts |
| --max-wait | -w | 5 | Max wait time (seconds) |
| --license-exp-join | -j | OR | License expression operator: OR, AND, WITH |
| --chunk-size | -c | 100 | Batch size for API requests |

The enrichment process reports:

  • Total components

  • Components selected for enrichment

  • Successfully enriched count

  • Skipped count

  • Failed count
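The following Python is an added example, not sbomasm's own code: it models the enrichment flow described above (selection of components lacking license data unless --force, chunked lookups with retries, joining several licenses with the --license-exp-join operator, and the resulting report counts) against a stand-in lookup function that replaces the ClearlyDefined API; the PURLs and license data are constructed.

```python
"""Illustrative model of the sbomasm enrich flow: select components lacking license data
(all of them with --force), query a license source in chunks with retries, join several
licenses with --license-exp-join, and produce the Total / Selected / Enriched / Skipped /
Failed report. Added example, not sbomasm's own code; `lookup` stands in for the
ClearlyDefined API and the PURLs and license data below are constructed."""
import copy

COMPONENTS = [
    {"purl": "pkg:npm/lodash@4.17.21", "licenses": []},
    {"purl": "pkg:npm/react@18.2.0", "licenses": ["MIT"]},          # already licensed
    {"purl": "pkg:pypi/requests@2.31.0", "licenses": []},
    {"purl": "pkg:npm/unknown-pkg@0.0.1", "licenses": []},          # unknown to the source
]
KNOWN = {"pkg:npm/lodash@4.17.21": ["MIT"], "pkg:pypi/requests@2.31.0": ["Apache-2.0", "MIT"]}

def make_lookup(failures_before_success=0):
    # Returns a stand-in batch lookup that raises TimeoutError the first N times,
    # so the retry path can be exercised without network access.
    state = {"left": failures_before_success}
    def lookup(purls):
        if state["left"] > 0:
            state["left"] -= 1
            raise TimeoutError("simulated API timeout")
        return {p: KNOWN.get(p) for p in purls}
    return lookup

def enrich(components, lookup, force=False, join="OR", chunk_size=100, max_retries=2):
    out = copy.deepcopy(components)
    selected = [c for c in out if force or not c["licenses"]]
    report = {"total": len(out), "selected": len(selected), "enriched": 0,
              "skipped": len(out) - len(selected), "failed": 0}
    for i in range(0, len(selected), chunk_size):
        chunk, found = selected[i:i + chunk_size], None
        for _ in range(max_retries + 1):          # one initial try plus max_retries
            try:
                found = lookup([c["purl"] for c in chunk])
                break
            except TimeoutError:
                continue
        if found is None:                          # retries exhausted: whole chunk fails
            report["failed"] += len(chunk)
            continue
        for c in chunk:
            licenses = found.get(c["purl"])
            if not licenses:
                report["failed"] += 1
            else:                                  # one SPDX expression from several ids
                c["licenses"] = [f" {join} ".join(licenses)]
                report["enriched"] += 1
    return out, report
```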


Remove Components or Fields

Strip components or metadata before external distribution.


View SBOM Structure

Inspect SBOM contents without modifying the file.


Sign and Verify SBOMs

Cryptographically sign SBOMs for integrity verification using the SecureSBOM service.

Sign

For SPDX (detached signature):

Verify

| Parameter | Default | Description |
|---|---|---|
| --key-id | | Signing key ID (required) |
| --api-key | $SECURE_SBOM_API_KEY | API key for SecureSBOM service |
| --base-url | Default service URL | Custom SecureSBOM endpoint |
| --output | stdout | Output file |
| --detached | Off | Return detached signature (SPDX) |
| --timeout | 30s | Request timeout |
| --retry | 3 | Retry attempts |


Supported Formats

Input

| Spec | Versions | File Formats |
|---|---|---|
| SPDX | 2.1, 2.2, 2.3 | JSON, XML, Tag-Value |
| CycloneDX | 1.0 – 1.6 | JSON, XML |

Output

| Spec | Default Version | File Formats |
|---|---|---|
| SPDX | 2.3 | JSON |
| CycloneDX | 1.6 | JSON, XML |

Formats are auto-detected on input. Cross-format assembly (mixing SPDX and CycloneDX inputs) is supported — the output format is determined by flags.


Advanced Usage

Multi-Module Builds

For projects with multiple build modules (e.g., microservices, monorepos):

Large SBOM Handling

For SBOMs with thousands of components:

  • Batch assembly: Assemble in stages — merge groups of SBOMs first, then merge the results.

  • Enrichment chunking: Use --chunk-size 50 to reduce memory usage during license enrichment.

  • View depth limiting: Use --max-depth 2 and --hide-islands for readable output.

  • JSON output: Use --format json for machine processing rather than tree rendering.

Dependency-Track Integration

Fetch SBOMs directly from Dependency-Track, assemble, and optionally upload back:

CI/CD Pipeline Example


Error Handling

Common Errors

| Error | Cause | Resolution |
|---|---|---|
| file not found | Invalid input path | Verify file path; use absolute paths in Docker |
| unsupported format | Unrecognized SBOM format | Ensure input is valid CycloneDX or SPDX |
| name and version required | Missing --name or --version | Provide both for non-augment assembly |
| primary file required | Augment merge without --primary | Specify --primary with augment merge |
| invalid reference | Dependency references nonexistent component | Fix the source SBOM; ensure all referenced components exist |
| ClearlyDefined API timeout | Network or rate limiting | Increase --max-wait and --max-retries |
| Signing service unavailable | SecureSBOM API down | Check service status; increase --timeout |

Debug Mode

Enable debug logging globally:

Debug output includes processing flow details, component matching decisions, deduplication results, and API request/response information.


Best Practices

Assembly

  • Use hierarchical merge for platform-level SBOMs where component provenance matters.

  • Use flat merge when downstream consumers need a simple component list.

  • Use augment merge to enrich vendor-provided SBOMs without altering their structure.

  • Include --type to set the correct component type (application, container, library).

  • Store assembly configuration in version control alongside your build scripts.

Editing

  • Use --missing mode to fill gaps without overwriting vendor-provided metadata.

  • Use --append to add supplementary licenses or authors without removing existing ones.

  • Edit the document subject to set creation tool and timestamp metadata before distribution.

Enrichment

  • Run enrichment after assembly to process all components in one pass.

  • Use --license-exp-join AND for conservative license interpretation in regulated environments.

  • Review enrichment reports — failed components may need manual attention.

Security

  • Sign SBOMs before distributing to external parties.

  • Verify received SBOMs before importing into your supply chain management system.

  • Store signing API keys in a secrets manager; never commit to source control.

  • Strip internal components (sbomasm rm) before sharing SBOMs externally.


Common Misconfigurations

| Issue | Symptom | Fix |
|---|---|---|
| Missing --name and --version on assemble | Error at startup | Always provide both unless using augment merge |
| Mixing formats without output spec flag | Unexpected output format | Explicitly set --outputSpecCdx or --outputSpecSpdx |
| Augment without --primary | Error requiring primary file | Specify the base SBOM with --primary |
| Large enrichment without --chunk-size | Timeouts or high memory usage | Set --chunk-size 50 for SBOMs with 1000+ components |
| Signing without SECURE_SBOM_API_KEY | Authentication error | Set the environment variable or use --api-key |
| Editing with default overwrite mode | Vendor metadata lost | Use --missing or --append to preserve existing data |
