|
10 | 10 | **sbom-validator** is a Go library designed to validate |
11 | 11 | **Software Bill of Materials (SBOMs)** against the official |
12 | 12 | SBOM specifications. It ensures compliance with formats like |
13 | | -**CycloneDX** & **SPDX** and helps maintain software supply chain security. |
| 13 | +**CycloneDX**, **SPDX**, and **AI-SBOM** and helps maintain software supply chain security. |
14 | 14 |
|
15 | 15 | ## Features |
16 | 16 |
|
17 | | -✅ Detects SBOM type (e.g., CycloneDX, SPDX) |
| 17 | +✅ Detects SBOM type (e.g., CycloneDX, SPDX, AI-SBOM) |
18 | 18 |
|
19 | 19 | ✅ Extracts SBOM version |
20 | 20 |
|
21 | 21 | ✅ Validates SBOM against official schemas |
22 | 22 |
|
23 | 23 | ✅ Provides detailed validation errors |
24 | 24 |
|
| 25 | +## Supported Formats |
| 26 | + |
| 27 | +- CycloneDX JSON schemas: 1.2, 1.3, 1.4, 1.5, 1.6, 1.7 |
| 28 | +- SPDX JSON schemas: 2.2, 2.3 |
| 29 | +- AI-SBOM JSON schema: 1.0.0 |
| 30 | + |
| 31 | +The AI-SBOM schema is embedded from the immutable schema URL: |
| 32 | + |
| 33 | +```text |
| 34 | +https://shiftleftcyber.io/ai-bom/schemas/ai-sbom-1.0.0.schema.json |
| 35 | +``` |
| 36 | + |
25 | 37 | ## Installation |
26 | 38 |
|
27 | 39 | Use `go get` to install the package: |
@@ -55,6 +67,8 @@ suffix should remain on the `v1` line until they are ready to migrate. |
55 | 67 | package main |
56 | 68 |
|
57 | 69 | import ( |
| 70 | + "encoding/json" |
| 71 | + "flag" |
58 | 72 | "fmt" |
59 | 73 | "log" |
60 | 74 | "os" |
@@ -82,24 +96,24 @@ func main() { |
82 | 96 | } |
83 | 97 |
|
84 | 98 | result, err := sbomvalidator.ValidateSBOMData(jsonData) |
85 | | - if err != nil { |
86 | | - log.Fatalf("Error during validation - %v", err) |
87 | | - } |
| 99 | + if err != nil { |
| 100 | + log.Fatalf("Error during validation - %v", err) |
| 101 | + } |
88 | 102 |
|
89 | 103 | if result.IsValid { |
90 | | - output, _ := json.MarshalIndent(result, "", " ") |
91 | | - fmt.Println(string(output)) |
92 | | - } else { |
93 | | - fmt.Printf("Validation failed! Showing up to %d errors:\n", 10) |
94 | | - |
95 | | - for i, errMsg := range result.ValidationErrors { |
96 | | - if i >= 10 { |
97 | | - fmt.Printf("...and %d more errors.\n", len(result.ValidationErrors)-10) |
98 | | - break |
99 | | - } |
100 | | - fmt.Printf("- %s\n", errMsg) |
101 | | - } |
102 | | - } |
| 104 | + output, _ := json.MarshalIndent(result, "", " ") |
| 105 | + fmt.Println(string(output)) |
| 106 | + } else { |
| 107 | + fmt.Printf("Validation failed! Showing up to %d errors:\n", 10) |
| 108 | + |
| 109 | + for i, errMsg := range result.ValidationErrors { |
| 110 | + if i >= 10 { |
| 111 | + fmt.Printf("...and %d more errors.\n", len(result.ValidationErrors)-10) |
| 112 | + break |
| 113 | + } |
| 114 | + fmt.Printf("- %s\n", errMsg) |
| 115 | + } |
| 116 | + } |
103 | 117 | } |
104 | 118 | ``` |
105 | 119 |
|
@@ -139,8 +153,24 @@ DEBUG: 2026/04/07 14:00:00 CycloneDX version is set to: 1.6 |
139 | 153 | "sbomVersion": "1.6", |
140 | 154 | "detectedFormat": "JSON" |
141 | 155 | } |
| 156 | + |
| 157 | +./bin/sbom-validator-example -file sample-sboms/customer-support-ai-sbom.json |
| 158 | +{ |
| 159 | + "isValid": true, |
| 160 | + "sbomType": "AI-SBOM", |
| 161 | + "sbomVersion": "1.0.0", |
| 162 | + "detectedFormat": "JSON" |
| 163 | +} |
142 | 164 | ``` |
143 | 165 |
|
| 166 | +AI-SBOM examples are included under `sample-sboms/`: |
| 167 | + |
| 168 | +- `customer-support-ai-sbom.json` |
| 169 | +- `medical-triage-ai-sbom.json` |
| 170 | +- `missing-required-metadata.json` |
| 171 | +- `bad-types-and-enums-ai-sbom.json` |
| 172 | +- `unknown-extra-properties-ai-sbom.json` |
| 173 | + |
144 | 174 | ## License |
145 | 175 |
|
146 | 176 | This project is licensed under the MIT License. |
|
0 commit comments