Convert with CycloneDX

Stefan Alfbo - Jun 13 '23 - - Dev Community

The CycloneDX project has a CLI tool which of course is called CycloneDX CLI.

The tool has several features: analysis, modification, diffing, merging, format conversion, signing and verification. Let's try to convert an SBOM in the SPDX format to the CycloneDX format. When converting between different formats you might lose some information, since the formats have different features and advantages.

Start by pulling the Docker image and getting a shell prompt inside the container:

> docker run -it --entrypoint=/bin/bash cyclonedx/cyclonedx-cli 

The next step is to copy an SPDX file into the container, so in a new terminal window:

# First find out the name of the container, in this case nice_feynman
> docker ps
CONTAINER ID   IMAGE                     COMMAND       CREATED              STATUS              PORTS     NAMES
e2dafb2c2919   cyclonedx/cyclonedx-cli   "/bin/bash"   About a minute ago   Up About a minute             nice_feynman

# Then copy the file to the container
> docker cp ./spdx.json nice_feynman:/spdx.json
Successfully copied 13.37kB to nice_feynman:/spdx.json

Now it's time for the convert command. Run it in the first terminal window, the one with the container prompt:

> cyclonedx convert --input-file spdx.json --output-file cyclonedx.xml 

# It should now be a cyclonedx.xml available in the container
> ls cyclonedx.xml
cyclonedx.xml

The convert command has more flags for specifying the formats of the input and output files explicitly, as shown in its help text:

convert
Convert between different BOM formats

Usage:
cyclonedx convert [options]

Options:
--input-file > Input BOM filename.
--output-file > Output BOM filename.
--input-format <autodetect|csv|json|protobuf|spdxjson|xml> Specify input file format.
--output-format <autodetect|csv|json|protobuf|spdxjson|xml> Specify output file format.
--output-version <v1_0|v1_1|v1_2|v1_3|v1_4> Specify output BOM specification version. (ignored for CSV and SPDX formats)

The last step is to copy cyclonedx.xml back to your host machine, from the same terminal window you used for the previous copy:

> docker cp nice_feynman:/cyclonedx.xml ./cyclonedx.xml
Successfully copied 13.37kB to ./cyclonedx.xml
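Since converting between formats may drop information, it is worth checking what survived. The script below is an added example, not part of the original post or of the CycloneDX CLI: it compares the SPDX input with a CycloneDX JSON output (produced with --output-format json instead of XML) and reports packages and licence/checksum fields that did not make it across. Both embedded documents are constructed samples; the field names are those of SPDX 2.3 and CycloneDX 1.4 JSON.

```python
import json
# Constructed sample documents (not real SBOMs): an SPDX 2.3 input and the CycloneDX
# 1.4 output a lossy conversion might yield; one package and one licence are missing.
SPDX_JSON = """{"spdxVersion": "SPDX-2.3", "packages": [
 {"name": "lodash", "versionInfo": "4.17.21", "licenseConcluded": "MIT",
  "checksums": [{"algorithm": "SHA256", "checksumValue": "ab12"}]},
 {"name": "left-pad", "versionInfo": "1.3.0", "licenseConcluded": "WTFPL"},
 {"name": "internal-tool", "versionInfo": "0.1.0", "licenseConcluded": "NOASSERTION"}]}"""
CDX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
 {"type": "library", "name": "lodash", "version": "4.17.21",
  "licenses": [{"license": {"id": "MIT"}}], "hashes": [{"alg": "SHA-256", "content": "ab12"}]},
 {"type": "library", "name": "left-pad", "version": "1.3.0"}]}"""

def spdx_packages(doc):
    """Index SPDX packages by (name, version) with the fields we expect to survive."""
    out = {}
    for pkg in doc.get("packages", []):
        out[(pkg.get("name"), pkg.get("versionInfo"))] = {
            "license": pkg.get("licenseConcluded"),
            "hashes": {c["checksumValue"] for c in pkg.get("checksums", [])}}
    return out

def cdx_components(doc):
    """Index CycloneDX components the same way, taking the first licence id or name."""
    out = {}
    for comp in doc.get("components", []):
        lics = [e.get("license", {}) for e in comp.get("licenses", [])]
        out[(comp.get("name"), comp.get("version"))] = {
            "license": next((x.get("id") or x.get("name") for x in lics), None),
            "hashes": {h["content"] for h in comp.get("hashes", [])}}
    return out

def conversion_report(spdx_text, cdx_text):
    """Return (components missing from the CycloneDX BOM, (component, field) pairs dropped)."""
    src, dst = spdx_packages(json.loads(spdx_text)), cdx_components(json.loads(cdx_text))
    missing = sorted(k for k in src if k not in dst)
    dropped = []
    for key, f in src.items():
        if key not in dst:
            continue
        # NOASSERTION carries no licence information, so its absence is not a loss
        if f["license"] not in (None, "NOASSERTION") and dst[key]["license"] != f["license"]:
            dropped.append((key, "license"))
        if not f["hashes"] <= dst[key]["hashes"]:
            dropped.append((key, "hashes"))
    return missing, sorted(dropped)

if __name__ == "__main__":
    print(conversion_report(SPDX_JSON, CDX_JSON))
```

Run it against your own pair of files by loading them instead of the embedded samples; any non-empty result is a reason to inspect the converted BOM before passing it downstream.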