Crate sbom_tools 

A powerful library for working with Software Bills of Materials (SBOMs).

sbom-tools provides a comprehensive suite of tools for parsing, analyzing, diffing, and enriching software bills of materials. It is designed to be a foundational library for supply chain security, compliance, and dependency management workflows.

The library supports common SBOM formats like CycloneDX and SPDX and normalizes them into a unified, easy-to-use data model. It powers both a command-line interface (CLI) for direct use and a Rust library for programmatic integration into your own applications.

Key Features

• Multi-Format Parsing: Ingests CycloneDX (JSON) and SPDX (JSON, Tag-Value) files, with automatic format detection.
• Intelligent Diffing: Performs semantic diffs between two SBOMs to identify changes in components, dependencies, licenses, and vulnerabilities.
• Data Enrichment: Augments SBOMs with external data, including:
  • Vulnerability Information: Fetches vulnerability data from the OSV (Open Source Vulnerability) database.
  • End-of-Life (EOL) Status: Checks components against the endoflife.date API to identify unsupported software.
  • More enrichers for staleness, KEV, etc.
• Quality & Compliance Scoring: Checks SBOMs for compliance against established standards like NTIA Minimum Elements and the EU Cyber Resilience Act (CRA).
• Flexible Reporting: Generates analysis reports in multiple formats, including JSON, Markdown, SARIF, and a full-featured interactive Terminal UI (TUI).

Core Concepts & Modules

The library is organized into several key modules:

• model: Defines the central data structure, NormalizedSbom. Regardless of the input format (CycloneDX or SPDX), the library parses it into this unified model. This allows you to work with a consistent and predictable API for all your SBOM analysis tasks.
• pipeline: Contains the primary functions for processing SBOMs. You can use the functions in this module to construct a pipeline to parse, enrich, and generate reports in a single, streamlined operation.
• diff: Home of the DiffEngine, which performs a semantic comparison of two NormalizedSbom objects.
• enrichment: Provides Enricher traits and implementations for augmenting SBOMs with external data. Requires the enrichment feature flag.
• quality: Contains the [ComplianceChecker] for validating SBOMs against standards and the QualityScorer for grading overall quality.
• reports: Includes generators for creating output reports in various formats.

Getting Started: Parsing an SBOM

The most common entry point is to parse an existing SBOM file using the pipeline module. The library will automatically detect the format and return a NormalizedSbom.

use std::path::Path;
use sbom_tools::parse_sbom;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let sbom = parse_sbom(Path::new("path/to/your/sbom.json"))?;

    println!(
        "Successfully parsed SBOM for '{}' with {} components.",
        sbom.document.name.unwrap_or_else(|| "Unknown".to_string()),
        sbom.components.len()
    );

    Ok(())
}

Examples

Below are examples for other common use cases.

Diffing Two SBOMs

The DiffEngine identifies what has been added, removed, or modified between an “old” and a “new” SBOM.

use std::path::Path;
use sbom_tools::{parse_sbom, DiffEngine};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let old_sbom = parse_sbom(Path::new("path/to/old-sbom.json"))?;
    let new_sbom = parse_sbom(Path::new("path/to/new-sbom.json"))?;

    let engine = DiffEngine::new();
    let diff = engine.diff(&old_sbom, &new_sbom)?;

    println!("Components Added: {}", diff.components.added.len());
    println!("Components Removed: {}", diff.components.removed.len());

    for added in &diff.components.added {
        println!("  + {} {}", added.name,
            added.new_version.as_deref().unwrap_or(""));
    }

    Ok(())
}

Enriching with Vulnerability and End-of-Life (EOL) Data

You can configure the processing pipeline to run enrichment stages. The following example enables both OSV vulnerability scanning and EOL status checking.

Note: This requires the enrichment feature flag to be enabled.

use sbom_tools::parse_sbom;
use sbom_tools::model::EolStatus;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut sbom = parse_sbom("path/to/your/sbom.json")?;

    // Enrich with OSV vulnerability data (requires `enrichment` feature)
    #[cfg(feature = "enrichment")]
    {
        use sbom_tools::{OsvEnricher, OsvEnricherConfig, VulnerabilityEnricher};
        let enricher = OsvEnricher::new(OsvEnricherConfig::default());
        enricher.enrich(&mut sbom)?;
    }

    println!("--- Vulnerability and EOL Report ---");
    for component in sbom.components.values() {
        if !component.vulnerabilities.is_empty() {
            println!("\n[!] Component '{}' has {} vulnerabilities:",
                component.name, component.vulnerabilities.len());
            for vuln in &component.vulnerabilities {
                println!("    - {}: {}", vuln.id,
                    vuln.summary.as_deref().unwrap_or("No summary"));
            }
        }

        if let Some(eol_info) = &component.eol {
            if eol_info.status == EolStatus::EndOfLife {
                println!("\n[!] Component '{}' has reached End-of-Life!",
                    component.name);
                println!("    - Product: {}", eol_info.product);
                if let Some(eol_date) = eol_info.eol_date {
                    println!("    - EOL Date: {}", eol_date);
                }
            }
        }
    }

    Ok(())
}

Checking for Compliance

The [ComplianceChecker] validates an SBOM against a specific standard, such as the EU Cyber Resilience Act (CRA).

use std::path::Path;
use sbom_tools::parse_sbom;
use sbom_tools::quality::{ComplianceChecker, ComplianceLevel};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let sbom = parse_sbom(Path::new("path/to/your/sbom.json"))?;

    // Check against the EU CRA Phase 2 requirements
    let checker = ComplianceChecker::new(ComplianceLevel::CraPhase2);
    let result = checker.check(&sbom);

    if result.is_compliant {
        println!("SBOM is compliant with {}.", result.level.name());
    } else {
        println!("SBOM is NOT compliant with {}. Found {} errors and {} warnings.",
            result.level.name(),
            result.error_count,
            result.warning_count
        );

        for violation in result.violations {
            println!("[{:?}] {}: {}",
                violation.severity, violation.category.name(), violation.message);
        }
    }

    Ok(())
}

Feature Flags

sbom-tools uses feature flags to manage optional functionality and dependencies.

• enrichment: Enables all data enrichment modules, such as OSV and EOL lookups. This adds network dependencies like reqwest.

Command-Line Interface (CLI)

This documentation is for the sbom-tools library crate. If you are looking for the command-line tool, please refer to the project’s README or install it via cargo install sbom-tools.

Re-exports

pub use config::AppConfig;

pub use config::AppConfigBuilder;

pub use config::ConfigPreset;

pub use config::EnrichmentConfig;

pub use config::TuiConfig;

pub use config::BehaviorConfig;

pub use config::FilterConfig;

pub use config::GraphAwareDiffConfig;

pub use config::MatchingConfig;

pub use config::MatchingRulesPathConfig;

pub use config::OutputConfig;

pub use config::ConfigError;

pub use config::Validatable;

pub use config::DiffConfig;

pub use config::MatrixConfig;

pub use config::MultiDiffConfig;

pub use config::QueryConfig;

pub use config::TimelineConfig;

pub use config::ViewConfig;

pub use diff::DiffEngine;

pub use diff::DiffResult;

pub use diff::GraphDiffConfig;

pub use enrichment::EnricherConfig;

pub use enrichment::EnrichmentStats;

pub use enrichment::NoOpEnricher;

pub use enrichment::OsvEnricher;

pub use enrichment::OsvEnricherConfig;

pub use enrichment::VulnerabilityEnricher;

pub use error::ErrorContext;

pub use error::OptionContext;

pub use error::Result;

pub use error::SbomDiffError;

pub use matching::ComponentMatcher;

pub use matching::FuzzyMatchConfig;

pub use matching::FuzzyMatcher;

pub use matching::MatchResult;

pub use matching::MatchTier;

pub use matching::MatchingRulesConfig;

pub use matching::RuleEngine;

pub use model::CanonicalId;

pub use model::Component;

pub use model::ComponentSortKey;

pub use model::NormalizedSbom;

pub use model::NormalizedSbomIndex;

pub use model::SbomIndexBuilder;

pub use parsers::SbomParser;

pub use parsers::parse_sbom;

pub use parsers::parse_sbom_str;

pub use quality::QualityGrade;

pub use quality::QualityReport;

pub use quality::QualityScorer;

pub use quality::ScoringProfile;

pub use reports::ReportFormat;

pub use reports::ReportGenerator;

pub use reports::StreamingReporter;Deprecated

pub use reports::WriterReporter;

pub use tui::CycleFilter;

pub use tui::FilterState;

pub use tui::ListNavigation;

pub use tui::ListState;

pub use tui::OverlayState;

pub use tui::SearchState;

pub use tui::SearchStateCore;

pub use tui::StatusMessage;

pub use tui::ViewModelOverlayKind;

Modules

cli

CLI command handlers.

config

Configuration module for sbom-tools.

diff

Semantic diff engine for SBOMs.

enrichment

Vulnerability enrichment module.

error

Unified error types for sbom-tools.

matching

Fuzzy matching engine for cross-ecosystem package correlation.

model

Intermediate representation for normalized SBOMs.

parsers

SBOM format parsers.

pipeline

Pipeline orchestration for SBOM operations.

quality

SBOM Quality Score module.

reports

Report generation for diff results.

tui

Rich TUI interface using ratatui.

utils

Shared utilities.

watch

Continuous monitoring / watch mode for SBOMs.