sbom-validator is a Go library designed to validate Software Bills of Materials (SBOMs) against the official SBOM specifications. It checks compliance with formats such as CycloneDX and SPDX and helps maintain software supply chain security.
✅ Detects SBOM type (e.g., CycloneDX, SPDX)
✅ Extracts SBOM version
✅ Validates SBOM against official schemas
✅ Provides detailed validation errors
Use `go get` to install the package:
go get github.com/shiftleftcyber/sbom-validator
package main
import (
	"flag"
	"fmt"
	"log"
	"os"

	"github.com/shiftleftcyber/sbom-validator"
)
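// maxShownErrors bounds how many validation messages are printed, so a
// badly malformed SBOM does not flood the terminal.
const maxShownErrors = 10

// main validates the SBOM file named by the -file flag and reports the
// result on stdout. The process exits non-zero when the flag is missing,
// the file cannot be read, the validator itself fails, or the SBOM is
// invalid, so the command can gate a CI pipeline on the validation result.
func main() {
	sbomPath := flag.String("file", "", "Path to the SBOM JSON file")
	flag.Parse()

	// Ensure the file path is provided.
	if *sbomPath == "" {
		log.Fatal("Usage: go run main.go -file=<path-to-sbom.json>")
	}

	// Read SBOM file.
	jsonData, err := os.ReadFile(*sbomPath)
	if err != nil {
		log.Fatalf("Failed to read SBOM file: %v", err)
	}

	// A non-nil err means the validator could not complete; validationErrors
	// carries the findings for a document that was processed but is invalid.
	isValid, validationErrors, err := sbomvalidator.ValidateSBOMData(jsonData)
	if err != nil {
		log.Fatalf("Error during validation - %v", err)
	}

	if isValid {
		fmt.Println("SBOM is valid")
		return
	}

	fmt.Printf("Validation failed! Showing up to %d errors:\n", maxShownErrors)
	for i, errMsg := range validationErrors {
		if i >= maxShownErrors {
			fmt.Printf("...and %d more errors.\n", len(validationErrors)-maxShownErrors)
			break
		}
		fmt.Printf("- %s\n", errMsg)
	}
	// Signal the failure to the caller; an exit status of 0 here would let
	// an invalid SBOM pass unnoticed in scripts and CI.
	os.Exit(1)
}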
go test ./...
or use the included Makefile:
make test
This project is licensed under the MIT License.
Contributions are welcome! Please open an issue or submit a pull request.