renovate-to-sbom

Convert Renovate data exports to SBOMs

Usage

renovate-to-sbom 'path/to/*.json'

Examples

# to convert file(s) from renovate-graph's output:
renovate-to-sbom '../out/*.json' --out-format spdx2.3+json

# to convert file(s) from Renovate's debug logs (https://dmd.tanna.dev/cookbooks/consuming-renovate-debug-logs):
renovate-to-sbom renovate.log --out-format cyclonedx1.5+json

# to only include known pURL types, for instance if the consumer of this SBOM is stricter about the types it supports:
renovate-to-sbom renovate-output.json --out-format cyclonedx1.5+json --only-include-known-purl-types

Synopsis

Convert Renovate data exports to Software Bill of Materials (SBOMs)

Takes a data export from https://gitlab.com/tanna.dev/renovate-graph/ or the debug logs that come from Renovate (https://dmd.tanna.dev/cookbooks/consuming-renovate-debug-logs) and converts it to a Software Bill of Materials (SBOM).

Options

Flag (type)
    Usage notes

-h, --help
    Help for renovate-to-sbom.

--include-unexact-versions
    When parsing a Renovate data export, a dependency for which no CurrentVersion is discovered is ignored by default, because its Version is then very likely a range or constraint rather than an exact version. Set this flag to include those dependencies in the resulting SBOM anyway.

--no-progress
    Do not display a progress bar while processing file(s).

--only-include-known-purl-types
    Remove from the resulting SBOMs any dependency whose Package URL (pURL) is not a known type according to the underlying pURL library.

--out-format (string)
    Output SBOM format. Supported: spdx2.3+json, cyclonedx1.5+json.

--out-path (string)
    Path to write the generated SBOMs to.
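The two filtering flags above decide which dependencies survive the conversion, and a consumer of the SBOM often wants to verify the result rather than trust it. The following added example (not code from the renovate-to-sbom project) applies the same two filters to a CycloneDX 1.5 JSON document after the fact: dropping components whose pURL type is not in a known-type list, and dropping components whose version is not an exact version. The known-type set is an assumption (a snapshot of the types listed in the purl-spec repository; the tool itself defers to its pURL library), the "exact version" regular expression is an assumption about what Renovate would have recorded as CurrentVersion, and the sample SBOM is constructed for this example.

```python
import json
import re

# Constructed sample in the shape of a CycloneDX 1.5 JSON SBOM such as
# renovate-to-sbom writes with --out-format cyclonedx1.5+json.
# The components below are made up for this example.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "golang.org/x/crypto", "version": "v0.17.0",
         "purl": "pkg:golang/golang.org/x/crypto@v0.17.0"},
        # No exact version: a constraint rather than a resolved version.
        {"type": "library", "name": "requests", "version": "^2.31",
         "purl": "pkg:pypi/requests"},
        # A pURL type that is not in the known-type list below.
        {"type": "library", "name": "hashicorp/aws", "version": "5.0.0",
         "purl": "pkg:terraform/hashicorp/aws@5.0.0"},
    ],
}

# Assumption: snapshot of the known types from the purl-spec repository.
# The real tool asks its pURL library instead of carrying its own list.
KNOWN_PURL_TYPES = {
    "alpm", "apk", "bitbucket", "bitnami", "cargo", "cocoapods", "composer",
    "conan", "conda", "cpan", "cran", "deb", "docker", "gem", "generic",
    "github", "golang", "hackage", "hex", "huggingface", "luarocks", "maven",
    "mlflow", "npm", "nuget", "oci", "pub", "pypi", "qpkg", "rpm", "swid",
    "swift",
}

# Assumption: an "exact" version is a dotted numeric version with an optional
# leading "v" and optional pre-release/build suffix; ranges such as "^2.31"
# or "~1.2" do not match.
_EXACT_VERSION = re.compile(r"^v?\d+(\.\d+)*([-+][0-9A-Za-z.]+)?$")


def purl_type(purl):
    """Return the TYPE of pkg:TYPE/NAMESPACE/NAME@VERSION, or None if not a pURL."""
    if not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0]


def is_exact_version(version):
    return bool(version) and _EXACT_VERSION.match(version) is not None


def filter_components(sbom, only_known_purl_types=False, include_unexact_versions=False):
    """Return (filtered_sbom, dropped) mirroring the two renovate-to-sbom flags.

    dropped is a list of (purl, reason) pairs so a reviewer can see what was cut.
    """
    kept, dropped = [], []
    for component in sbom.get("components", []):
        purl = component.get("purl", "")
        reason = None
        if not include_unexact_versions and not is_exact_version(component.get("version", "")):
            reason = "unexact version"
        elif only_known_purl_types and purl_type(purl) not in KNOWN_PURL_TYPES:
            reason = "unknown purl type"
        if reason:
            dropped.append((purl, reason))
        else:
            kept.append(component)
    filtered = dict(sbom)
    filtered["components"] = kept
    return filtered, dropped


def check_sbom_file(path, **flags):
    """Load a CycloneDX JSON file from disk and apply the filters."""
    with open(path, "r", encoding="utf-8") as fh:
        return filter_components(json.load(fh), **flags)


if __name__ == "__main__":
    strict, dropped = filter_components(SAMPLE_SBOM, only_known_purl_types=True)
    print(f"kept {len(strict['components'])} components")
    for purl, reason in dropped:
        print(f"dropped {purl}: {reason}")
```

Run against a real file with `check_sbom_file("out.cdx.json", only_known_purl_types=True)` and compare the dropped list with what the tool itself removed; if the two disagree, the difference is usually a type that one pURL implementation recognises and another does not, which is exactly the situation `--only-include-known-purl-types` exists for.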