sbom-validator is a Go library for validating Software Bills of Materials (SBOMs) against the official SBOM specifications. It checks documents for conformance with the CycloneDX and SPDX formats and helps maintain software supply chain security.
✅ Detects SBOM type (e.g., CycloneDX, SPDX)
✅ Extracts SBOM version
✅ Validates SBOM against official schemas
✅ Provides detailed validation errors
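To show what the first two features involve in practice, here is an added, self-contained detector written for this page. It is not the library's own code and makes no claim about how sbom-validator implements detection internally; it only relies on the documented top-level fields of the two formats (CycloneDX JSON carries `bomFormat` and `specVersion`, SPDX JSON carries `spdxVersion` and `SPDXID`). The sample documents are constructed for the demonstration. The point a practitioner cares about is the failure handling: a document that is valid JSON but matches neither specification is rejected rather than guessed at, so a later schema check is never run against the wrong schema.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Detection is what a caller learns before any schema validation runs:
// which specification the document claims to follow and which version.
type Detection struct {
	SBOMType string // "CycloneDX" or "SPDX"
	Version  string // e.g. "1.6" for CycloneDX, "2.3" for SPDX
}

// sbomHeader captures only the top-level fields used for detection.
// CycloneDX JSON carries bomFormat/specVersion; SPDX JSON carries spdxVersion/SPDXID.
type sbomHeader struct {
	BomFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	SpdxVersion string `json:"spdxVersion"`
	SPDXID      string `json:"SPDXID"`
}

// ErrUnknownFormat is returned for well-formed JSON that matches neither spec.
var ErrUnknownFormat = errors.New("not a recognised CycloneDX or SPDX JSON document")

// DetectSBOM reports the SBOM type and version from the document header.
// Malformed JSON, an unknown format and a CycloneDX document without a
// specVersion are each reported as distinct errors.
func DetectSBOM(data []byte) (Detection, error) {
	var h sbomHeader
	if err := json.Unmarshal(data, &h); err != nil {
		return Detection{}, fmt.Errorf("invalid JSON: %w", err)
	}
	switch {
	case h.BomFormat == "CycloneDX":
		if h.SpecVersion == "" {
			return Detection{}, errors.New("CycloneDX document is missing specVersion")
		}
		return Detection{SBOMType: "CycloneDX", Version: h.SpecVersion}, nil
	case strings.HasPrefix(h.SpdxVersion, "SPDX-") && h.SPDXID == "SPDXRef-DOCUMENT":
		// SPDX writes the version as "SPDX-2.3"; strip the prefix to get "2.3".
		return Detection{SBOMType: "SPDX", Version: strings.TrimPrefix(h.SpdxVersion, "SPDX-")}, nil
	default:
		return Detection{}, ErrUnknownFormat
	}
}

// Constructed minimal documents for the demonstration (not real SBOMs).
const (
	SampleCycloneDX = `{"bomFormat":"CycloneDX","specVersion":"1.6","version":1,"components":[]}`
	SampleSPDX      = `{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"demo"}`
	SampleOther     = `{"name":"demo","version":"1.0.0"}`
)

func main() {
	for _, doc := range []string{SampleCycloneDX, SampleSPDX, SampleOther, `{not json`} {
		d, err := DetectSBOM([]byte(doc))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s SBOM type detected, version %s\n", d.SBOMType, d.Version)
	}
}
```

Running it prints one detection line for each of the two sample SBOMs and a `rejected:` line for the unrecognised document and for the malformed input, which is the behaviour a CI gate wants: anything that cannot be positively identified fails closed.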
Use `go get` to install the package:
```sh
go get github.com/shiftleftcyber/sbom-validator
```

Example usage:

```go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"os"

	"github.com/shiftleftcyber/sbom-validator"
)

func main() {
	sbomPath := flag.String("file", "", "Path to the SBOM JSON file")
	flag.Parse()

	// Ensure the file path is provided
	if *sbomPath == "" {
		log.Fatal("Usage: go run main.go -file=<path-to-sbom.json>")
	}

	// Read SBOM file
	jsonData, err := os.ReadFile(*sbomPath)
	if err != nil {
		log.Fatalf("Failed to read SBOM file: %v", err)
	}

	// Detect the SBOM type and version, then validate against the matching schema
	result, err := sbomvalidator.ValidateSBOMData(jsonData)
	if err != nil {
		log.Fatalf("Error during validation - %v", err)
	}

	if result.IsValid {
		output, err := json.MarshalIndent(result, "", " ")
		if err != nil {
			log.Fatalf("Failed to encode result: %v", err)
		}
		fmt.Println(string(output))
	} else {
		// Print at most 10 validation errors so a large report stays readable
		fmt.Printf("Validation failed! Showing up to %d errors:\n", 10)
		for i, errMsg := range result.ValidationErrors {
			if i >= 10 {
				fmt.Printf("...and %d more errors.\n", len(result.ValidationErrors)-10)
				break
			}
			fmt.Printf("- %s\n", errMsg)
		}
	}
}
```

Run the tests with:

```sh
go test ./...
```

or use the included Makefile:
```sh
make test
```

You can build an example app and pass in an SBOM:

```sh
make build
./bin/sbom-validator-example -file sample-sboms/sample-1.6.cdx.json
```

```
CycloneDX SBOM type detected
CycloneDX version is set to: 1.6
{
 "isValid": true,
 "sbomType": "CycloneDX",
 "sbomVersion": "1.6",
 "detectedFormat": "JSON"
}
```

This project is licensed under the MIT License.
Contributions are welcome! Please open an issue or submit a pull request.