feat: compare SBOMs and show components only present in target SBOM

Signed-off-by: badrikesh prusty <[email protected]>

Author: baprusty

src/debsbom/cli.py

@@ -18,6 +18,7 @@
 from .commands.source_merge import SourceMergeCmd
 from .commands.repack import RepackCmd
 from .commands.export import ExportCmd
+from .commands.compare import CompareCmd
 
 # Attempt to import optional download dependencies to check their availability.
 # The success or failure of these imports determines if download features are enabled.
@@ -64,6 +65,7 @@ def setup_parser():
     )
     RepackCmd.setup_parser(subparser.add_parser("repack", help="repack sources and sbom"))
     ExportCmd.setup_parser(subparser.add_parser("export", help="export SBOM as graph"))
+    CompareCmd.setup_parser(subparser.add_parser("compare", help="compare SBOMs and list new components"))
 
     return parser
 
@@ -97,6 +99,8 @@ def main():
             ExportCmd.run(args)
         elif args.cmd == "merge":
             MergeCmd.run(args)
+        elif args.cmd == "compare":
+            CompareCmd.run(args)
     except DistroArchUnknownError as e:
         logger.error(f"debsbom: error: {e}. Set --distro-arch to dpkg architecture (e.g. amd64)")
         sys.exit(-2)

src/debsbom/commands/compare.py

@@ -0,0 +1,113 @@
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+import logging
+import json
+from pathlib import Path
+import sys
+
+from ..bomreader.cdxbomreader import CdxBomReader
+from ..bomreader.spdxbomreader import SpdxBomReader
+from ..bomwriter import BomWriter
+from .input import GenerateInput, warn_if_tty
+from ..compare.spdx import SpdxSbomCompare
+from ..compare.cdx import CdxSbomCompare
+from ..sbom import SBOMType
+
+
+logger = logging.getLogger(__name__)
+
+
+class CompareCmd(GenerateInput):
+    """
+    Compare two SBOMs and generate a new SBOM containing only the additional components found in the target
+    """
+
+    @classmethod
+    def run(cls, args):
+        if args.base_sbom == "-" or args.target_sbom == "-":
+            warn_if_tty()
+            if args.sbom_type is None:
+                raise ValueError("option --sbom-type is required when reading SBOMs from stdin")
+            decoder = json.JSONDecoder()
+        else:
+            base_sbom_fmt = None
+            target_sbom_fmt = None
+            base_sbom_path = Path(args.base_sbom)
+            target_sbom_path = Path(args.target_sbom)
+
+            if ".spdx" in base_sbom_path.suffixes:
+                base_sbom_fmt = "spdx"
+            elif ".cdx" in target_sbom_path.suffixes:
+                base_sbom_fmt = "cdx"
+
+            if ".spdx" in target_sbom_path.suffixes:
+                target_sbom_fmt = "spdx"
+            elif ".cdx" in target_sbom_path.suffixes:
+                target_sbom_fmt = "cdx"
+
+        if not base_sbom_fmt or not target_sbom_fmt:
+            raise ValueError("can not detect SBOM format for one or both files")
+
+        if base_sbom_fmt != target_sbom_fmt:
+            raise ValueError("can not compare mixed SPDX and CycloneDX documents")
+
+        if target_sbom_fmt == "spdx":
+            base_sbom_obj = SpdxBomReader.read_file(args.base_sbom)
+            target_sbom_obj = SpdxBomReader.read_file(args.target_sbom)
+            sbom_compare = SpdxSbomCompare(
+                distro_name=args.distro_name,
+                distro_supplier=args.distro_supplier,
+                distro_version=args.distro_version,
+                base_distro_vendor=args.base_distro_vendor,
+                spdx_namespace=args.spdx_namespace,
+                cdx_serialnumber=args.cdx_serialnumber,
+                timestamp=args.timestamp,
+            )
+            bom = sbom_compare.compare(base_sbom_obj, target_sbom_obj)
+            if args.out == "-":
+                BomWriter.write_to_stream(bom, SBOMType.SPDX, sys.stdout, args.validate)
+            else:
+                out = args.out
+                if not out.endswith(".spdx.json"):
+                    out += ".spdx.json"
+                BomWriter.write_to_file(bom, SBOMType.SPDX, Path(out), args.validate)
+
+        if target_sbom_fmt == "cdx":
+            base_sbom_obj = CdxBomReader.read_file(args.base_sbom)
+            target_sbom_obj = CdxBomReader.read_file(args.target_sbom)
+            sbom_compare = CdxSbomCompare(
+                distro_name=args.distro_name,
+                distro_supplier=args.distro_supplier,
+                distro_version=args.distro_version,
+                base_distro_vendor=args.base_distro_vendor,
+                spdx_namespace=args.spdx_namespace,
+                cdx_serialnumber=args.cdx_serialnumber,
+                timestamp=args.timestamp,
+            )
+            bom = sbom_compare.compare(base_sbom_obj, target_sbom_obj)
+            if args.out == "-":
+                BomWriter.write_to_stream(bom, SBOMType.CycloneDX, sys.stdout, args.validate)
+            else:
+                out = args.out
+                if not out.endswith(".cdx.json"):
+                    out += ".cdx.json"
+                BomWriter.write_to_file(bom, SBOMType.CycloneDX, Path(out), args.validate)
+
+    @classmethod
+    def setup_parser(cls, parser):
+        cls.parser_add_generate_input_args(parser, default_out="extras")
+        parser.add_argument(
+            "-b",
+            "--base-sbom",
+            required=True,
+            help="Path to the base (reference) SBOM file"
+        )
+
+        parser.add_argument(
+            "-n",
+            "--target-sbom",
+            required=True,
+            help="Path to the target (new) SBOM file"
+        )

src/debsbom/compare/cdx.py

@@ -0,0 +1,91 @@
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+from collections.abc import Callable
+from cyclonedx.model import HashAlgorithm
+from cyclonedx.model.bom import Bom
+from cyclonedx.model.component import Component
+from cyclonedx.model.dependency import Dependency
+import itertools
+import logging
+from sortedcontainers import SortedSet
+from uuid import uuid4
+
+from .compare import SbomCompare
+from ..generate.cdx import make_distro_component, make_metadata
+
+
+logger = logging.getLogger(__name__)
+
+
+class CdxSbomCompare(SbomCompare):
+    def _load_cdx_sbom(self, sbom):
+        ""
+        components = {}
+        logger.info(f"Processing BOM '{sbom.metadata.component.name}'")
+
+        for component in sbom.components:
+            purl = component.purl
+            components[purl] = component
+
+        return components
+
+    def _get_cdx_comp_sha256(self, component):
+        for comp_hash in component.hashes:
+            if comp_hash.alg == HashAlgorithm.SHA_256:
+                return comp_hash.content
+
+        return None
+
+
+    def compare(self, base_sbom, target_sbom) -> Bom:
+        base_sbom_comp = self._load_cdx_sbom(base_sbom)
+        target_sbom_comp = self._load_cdx_sbom(target_sbom)
+
+        extras = []
+
+        for purl, component in target_sbom_comp.items():
+            if purl is None:
+                logger.warning(f"missing PURL for component '{component.name}'")
+                continue
+            base_comp_info = base_sbom_comp.get(purl)
+
+            if base_comp_info is None:
+                extras.append(component)
+            else:
+                base_comp_sha256 = self._get_cdx_comp_sha256(base_comp_info)
+                target_comp_sha256 = self._get_cdx_comp_sha256(component)
+
+                if None not in (base_comp_sha256, target_comp_sha256) and base_comp_sha256 != target_comp_sha256:
+                    extras.append(component)
+
+        distro_component = make_distro_component(
+            self.distro_name, self.distro_version, self.distro_supplier
+        )
+        bom_metadata = make_metadata(distro_component, self.timestamp)
+
+        #distro_deps = []
+        #for root_bom_ref in root_bom_refs:
+        #    distro_deps.append(Dependency(ref=root_bom_ref))
+
+        #dependency = Dependency(
+        #    ref=distro_component.bom_ref,
+        #    dependencies=distro_deps,
+        #)
+        #logger.debug(f"Created distro dependency: {dependency}")
+        #dependencies[dependency.ref] = dependency
+
+
+        if self.cdx_serialnumber is None:
+            serial_number = uuid4()
+        else:
+            serial_number = self.cdx_serialnumber
+
+        bom = Bom(
+            serial_number=serial_number,
+            metadata=bom_metadata,
+            components=list(extras),
+        )
+
+        return bom

src/debsbom/compare/compare.py

@@ -0,0 +1,40 @@
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+from abc import abstractmethod
+from collections.abc import Callable
+from datetime import datetime
+from uuid import UUID
+
+
+class SbomCompare:
+    """Base class for comparing SBOMs."""
+
+    def __init__(
+        self,
+        distro_name: str,
+        distro_supplier: str | None = None,
+        distro_version: str | None = None,
+        base_distro_vendor: str | None = "debian",
+        spdx_namespace: tuple | None = None,  # 6 item tuple representing an URL
+        cdx_serialnumber: UUID | None = None,
+        timestamp: datetime | None = None,
+    ):
+        self.distro_name = distro_name
+        self.distro_supplier = distro_supplier
+        self.distro_version = distro_version
+        self.base_distro_vendor = base_distro_vendor
+        self.namespace = spdx_namespace
+        self.cdx_serialnumber = cdx_serialnumber
+        if timestamp is None:
+            self.timestamp = datetime.now()
+        else:
+            self.timestamp = timestamp
+
+    @classmethod
+    @abstractmethod
+    #def merge(cls, sboms, progress_cb: Callable[[int, int, str], None] | None = None):
+    def compare(cls, base_sbom, target_sbom):
+        """Compare the SBOMs."""
+        raise NotImplementedError()

src/debsbom/compare/spdx.py

@@ -0,0 +1,124 @@
+# Copyright (C) 2025 Siemens
+#
+# SPDX-License-Identifier: MIT
+
+from collections.abc import Callable
+import itertools
+import logging
+from spdx_tools.spdx.model.checksum import Checksum, ChecksumAlgorithm
+from spdx_tools.spdx.model.document import Document
+from spdx_tools.spdx.model.spdx_no_assertion import SpdxNoAssertion
+from spdx_tools.spdx.model.package import Package
+from spdx_tools.spdx.model.relationship import Relationship, RelationshipType
+
+from ..generate.spdx import make_creation_info, make_distro_package
+from .compare import SbomCompare
+from ..sbom import (
+    SPDX_REF_DOCUMENT,
+    SPDX_REFERENCE_TYPE_PURL,
+)
+
+
+logger = logging.getLogger(__name__)
+
+
+class SpdxSbomCompare(SbomCompare):
+    def _load_spdx_sbom(self, sbom):
+        ""
+        packages = {}
+        logger.info(f"Processing BOM '{sbom.creation_info.name}'")
+
+        for package in sbom.packages:
+            for external_ref in package.external_references:
+                if external_ref.reference_type == SPDX_REFERENCE_TYPE_PURL:
+                    purl = external_ref.locator
+                    packages[purl] = package
+
+        return packages
+
+    def _get_spdx_pkg_sha256(self, package):
+        for checksum in package.checksums:
+            if checksum.algorithm == ChecksumAlgorithm.SHA256:
+                return checksum.value
+        return None
+
+    def compare(self, base_sbom, target_sbom) -> Document:
+        base_sbom_pkgs = self._load_spdx_sbom(base_sbom)
+        target_sbom_pkgs = self._load_spdx_sbom(target_sbom)
+
+        extras = []
+
+        for purl, package in target_sbom_pkgs.items():
+            base_pkg = base_sbom_pkgs.get(purl)
+
+            if base_pkg is None:
+                extras.append(package)
+            else:
+                base_pkg_sha256 = self._get_spdx_pkg_sha256(base_pkg)
+                target_pkg_sha256 = self._get_spdx_pkg_sha256(package)
+                if None not in (base_pkg_sha256, target_pkg_sha256) and base_pkg_sha256 != target_pkg_sha256:
+                    extras.append(package)
+
+        #for rel in doc.relationships:
+        #    if progress_cb:
+        #        progress_cb(cur_step, num_steps, f"Relationship: {rel.spdx_element_id}")
+        #        cur_step += 1
+        #    if (
+        #        rel.spdx_element_id == SPDX_REF_DOCUMENT
+        #        and rel.relationship_type == RelationshipType.DESCRIBES
+        #    ):
+                # skip adding the root DESCRIBES relationship
+        #        continue
+        #    element_id = rel.spdx_element_id
+        #    if element_id in id_map:
+        #        rel.spdx_element_id = id_map[rel.spdx_element_id]
+        #    rel_element_id = rel.related_spdx_element_id
+        #    if rel_element_id in id_map:
+        #        rel.related_spdx_element_id = id_map[rel.related_spdx_element_id]
+
+            # we can not use a set since the relationships
+            # do not implement hash(..), so create the hash by hand
+         #   rel_hash = self._hash_relationship(rel)
+         #   if rel_hash not in relationships:
+         #       relationships[rel_hash] = rel
+
+        #distro_pkg = make_distro_package(
+        #    distro_name=self.distro_name,
+        #    distro_version=self.distro_version,
+        #    distro_supplier=self.distro_supplier,
+        #)
+        #distro_ref = distro_pkg.spdx_id
+        #packages[distro_ref] = distro_pkg
+
+        # set up relationships between the distro package and the merged documents
+        #relationships = list(
+        #    itertools.chain(
+        #        relationships.values(),
+        #        map(
+        #            lambda root_id: Relationship(
+        #                spdx_element_id=root_id,
+        #                relationship_type=RelationshipType.PACKAGE_OF,
+        #                related_spdx_element_id=distro_ref,
+        #            ),
+        #            root_ids,
+        #        ),
+        #    )
+        #)
+
+        #distro_relationship = Relationship(
+        #    spdx_element_id=SPDX_REF_DOCUMENT,
+        #    relationship_type=RelationshipType.DESCRIBES,
+        #    related_spdx_element_id=distro_ref,
+        #)
+        #logger.debug(f"Created document relationship: {distro_relationship}")
+
+        #relationships.append(distro_relationship)
+
+        #packages = itertools.chain(packages.values(), non_purl_packages)
+
+        creation_info = make_creation_info(self.distro_name, self.namespace, self.timestamp)
+        document = Document(
+            creation_info=creation_info,
+            packages=list(extras),
+        )
+        return document