
SBOM "link" feature #81

@nishakm


Summary

Given one or more SBOM documents, create a third SBOM document containing external references to those documents.
Something like:

bomctl link sbom1.json sbom2.json ... -o linked_sbom.json

Ideally, bomctl should also be able to express relationships between the components in the SBOM:

bomctl link relationship=from:sbom1.json,to:sbom2.json,type:contains

Use Case

Suppose a base container image has an SBOM

graph LR
    A(Distroless Creators)
    B(Distroless container image)
    C(Distroless SBOM)
    A --> B
    A --> C

And a Go binary has its own SBOM

graph LR
    A(Go Binary Creators)
    B(Go Binary)
    C(Go binary SBOM)
    A --> B
    A --> C

During containerization of the Go binary, I would also like to create an SBOM for this container which has external references to the base container's SBOM and the Go binary's SBOM:

graph LR
    A(Distroless Container)
    B(Go Binary)
    C(Containerized Go Binary)
    A -->|FROM distroless:latest| C
    B --> |COPY go_binary|C

    D(Containerized Go Binary SBOM)
    E(Distroless Container SBOM)
    F(Go Binary SBOM)

    D --> |contains|E
    D --> |contains|F
    F --> |dependsOn|E
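As an added worked example (not bomctl's code; the issue does not fix a document format, so SPDX 2.3 JSON is assumed here, with constructed stand-ins for sbom1.json and sbom2.json), this is what the linked document from the last diagram looks like: the container SBOM carries externalDocumentRefs to the two input documents, each pinned by checksum, plus the three relationships drawn above expressed as CONTAINS and DEPENDS_ON. It also includes the consumer-side check that a linked SBOM needs, since a link is only as trustworthy as the bytes it resolves to.

```python
import hashlib
import json

# Constructed minimal SPDX 2.3 documents standing in for sbom1.json and sbom2.json.
DISTROLESS_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "distroless",
    "documentNamespace": "https://example.com/spdx/distroless",
    "packages": [{"SPDXID": "SPDXRef-Package-distroless", "name": "distroless"}],
}).encode()
GO_BINARY_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "go-binary",
    "documentNamespace": "https://example.com/spdx/go-binary",
    "packages": [{"SPDXID": "SPDXRef-Package-gobinary", "name": "go-binary"}],
}).encode()
# The use case's edges in SPDX terms: the container SBOM CONTAINS both linked
# documents, and the Go binary package DEPENDS_ON the distroless base package.
USE_CASE_RELATIONSHIPS = [
    ("SPDXRef-DOCUMENT", "DocumentRef-distroless:SPDXRef-DOCUMENT", "CONTAINS"),
    ("SPDXRef-DOCUMENT", "DocumentRef-gobinary:SPDXRef-DOCUMENT", "CONTAINS"),
    ("DocumentRef-gobinary:SPDXRef-Package-gobinary",
     "DocumentRef-distroless:SPDXRef-Package-distroless", "DEPENDS_ON"),
]

def external_ref(doc_id, raw):
    """One externalDocumentRefs entry: namespace URI plus a SHA-256 pin of the bytes."""
    return {"externalDocumentId": doc_id,
            "spdxDocument": json.loads(raw)["documentNamespace"],
            "checksum": {"algorithm": "SHA256",
                         "checksumValue": hashlib.sha256(raw).hexdigest()}}

def link(docs, relationships, name, namespace):
    """docs maps DocumentRef-* ids to raw SBOM bytes; relationships are (from, to, type)
    triples that name elements of a linked document as 'DocumentRef-x:SPDXRef-y'."""
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": name,
            "documentNamespace": namespace,
            "externalDocumentRefs": [external_ref(i, raw) for i, raw in docs.items()],
            "relationships": [{"spdxElementId": f, "relatedSpdxElement": t,
                               "relationshipType": r} for f, t, r in relationships]}

def verify_external_refs(linked, fetched):
    """Ids of linked documents that were not fetched or whose bytes no longer match the
    pinned checksum; relationships pointing into those documents should not be trusted."""
    bad = []
    for ref in linked["externalDocumentRefs"]:
        raw = fetched.get(ref["externalDocumentId"])
        if raw is None or hashlib.sha256(raw).hexdigest() != ref["checksum"]["checksumValue"]:
            bad.append(ref["externalDocumentId"])
    return bad
```

A `bomctl link` implementation would read the input files for `docs`, and the `relationship=from:...,to:...,type:...` flag maps directly onto the triples passed to `link`.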

Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Status: Done