
User Guide : SBOM - HatBOM3 (Merge, Diff)

INTRODUCTION

HatBOM3 (Merge, Diff) is a tool that can merge two SBoM files or compare their dependencies.

The Merge operation combines the two SBoM files into a single SBoM file that includes all components and dependency information from both files.

In the case of Diff, it visualizes the dependency tree and shows differences in dependency components and their respective versions present in each SBoM file.

USAGE

Step 1. Getting Started

To begin HatBOM3 (Merge, Diff), click SBOM in the main page of IoTcube, then proceed by clicking SBoM Binary Operators (Merge, Diff).


Step 2. Select Option (Merge/Diff)

Select one of the Merge and Diff options to choose which operation to use.


The I/O page requires an SBoM *.json file as input. If you do not possess an SBoM file, create one initially using HatBOM1 (Build).

Step 3. Uploading two SBoM files

Upload the two generated SBoM files either by dragging and dropping them into the upload box, or by selecting them from a file dialog.

Note that HatBOM View&Translate only supports SBoM files in the CycloneDX and SPDX formats.


IoTcube automatically proceeds to the result page when the upload is complete.

Step 4. Browsing the Result (4-1. Merge / 4-2. Diff)

Step 4-1. Browsing the Result (Merge)

The Merge operation of HatBOM3 (Merge, Diff) provides a detailed visualization of the dependency components present in the merged SBoM file. All dependency components in either SBoM file are included in the visualization. The visualized tree shows the OSS, dependency components and their respective versions.


By clicking a node, you can see the files that have dependencies with the selected component.


The result page of HatBOM3 (Merge, Diff) also includes a table of result details, along with the downloadable SBoM Output. By right-clicking the "SBOM Output" button and selecting "Save link as another file", it is possible to download the newly merged SBoM as a json file.


Step 4-2. Browsing the Result (Diff)

The Diff operation of HatBOM3 (Merge, Diff) provides a more advanced form of dependency visualization, in which you can observe the differences of the two SBoM files in terms of dependency components. The visualized tree shows the OSS, dependency components and their respective versions.


You can click the node to see which files are included in the OSS. Colored nodes represent dependency components that are only present in one of the two inputs. Nodes that are connected to a dotted edge represent dependency components that are present in both inputs, but with different versions. By interacting with the checkboxes above the tree, the user can choose which components they want to see in the visualization.
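The Merge and Diff operations described above, as an added example that is not IoTcube or HatBOM code: it takes two small CycloneDX-style JSON documents (constructed here, not real project data), rejects anything that is neither CycloneDX nor SPDX, merges them into one component list plus the union of dependency edges, and classifies each component name into the same categories the Diff view colours: present in only one input, present in both with different versions (the dotted edge), or identical in both. It assumes the minimal CycloneDX shape shown in the sample (components with name, version and purl; dependencies as ref/dependsOn) and that each input lists one version per component name.

```python
"""Merge and diff two CycloneDX-style SBoM documents (added example, not HatBOM code)."""
import json
from typing import Any

# Constructed sample inputs in a minimal CycloneDX JSON shape (not real project data).
SBOM_A: dict[str, Any] = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"name": "curl",    "version": "7.79.1", "purl": "pkg:generic/curl@7.79.1"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/curl@7.79.1",
     "dependsOn": ["pkg:generic/zlib@1.2.11", "pkg:generic/openssl@1.1.1k"]}
  ]
}
""")

SBOM_B: dict[str, Any] = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "zlib",    "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"name": "libpng",  "version": "1.6.37", "purl": "pkg:generic/libpng@1.6.37"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/libpng@1.6.37", "dependsOn": ["pkg:generic/zlib@1.2.13"]}
  ]
}
""")


def detect_format(sbom: dict[str, Any]) -> str:
    """Accept only the two formats the tool supports; anything else is rejected."""
    if sbom.get("bomFormat") == "CycloneDX":
        return "CycloneDX"
    if "spdxVersion" in sbom:
        return "SPDX"
    raise ValueError("unsupported SBoM format: expected CycloneDX or SPDX")


def merge_sboms(a: dict[str, Any], b: dict[str, Any]) -> dict[str, Any]:
    """Union of both inputs: every component (keyed by purl, so two versions of
    one library both survive) and every dependency edge found in either file."""
    for sbom in (a, b):
        detect_format(sbom)
    components: dict[str, dict[str, Any]] = {}
    for comp in a["components"] + b["components"]:
        components.setdefault(comp["purl"], comp)
    edges: dict[str, set[str]] = {}
    for dep in a.get("dependencies", []) + b.get("dependencies", []):
        edges.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": a["specVersion"],
        "components": list(components.values()),
        "dependencies": [
            {"ref": ref, "dependsOn": sorted(targets)} for ref, targets in edges.items()
        ],
    }


def diff_sboms(a: dict[str, Any], b: dict[str, Any]) -> dict[str, Any]:
    """Classify component names: only in A, only in B, shared with a version
    mismatch (the dotted edge in the Diff view), or identical in both."""
    ver_a = {c["name"]: c["version"] for c in a["components"]}
    ver_b = {c["name"]: c["version"] for c in b["components"]}
    shared = set(ver_a) & set(ver_b)
    return {
        "only_in_a": sorted(set(ver_a) - set(ver_b)),
        "only_in_b": sorted(set(ver_b) - set(ver_a)),
        "version_changed": {
            n: (ver_a[n], ver_b[n]) for n in sorted(shared) if ver_a[n] != ver_b[n]
        },
        "same": sorted(n for n in shared if ver_a[n] == ver_b[n]),
    }


if __name__ == "__main__":
    print(json.dumps(merge_sboms(SBOM_A, SBOM_B), indent=2))
    print(json.dumps(diff_sboms(SBOM_A, SBOM_B), indent=2))
```

Keying the merge by purl rather than by name is deliberate: if the two inputs pin different versions of zlib, a merged SBoM that silently kept only one would misrepresent what is actually shipped, so both versions are retained and the Diff output is where the mismatch surfaces.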


By clicking a node, you can see the files that have dependencies with the selected component. Each colored file path represents dependencies that are only present in one of the two inputs.


Below is a table including the result details. The table shows information such as input file name, format of the input SBoM files, the number of files listed in the SBoM, and more.


Step 5. Further Uses of SBoM with HatBOM

The Merge operation takes two SBoM files as input and returns a newly merged SBoM file.

HatBOM includes other operations that can be performed on an SBoM json file.

  • HatBOM2 (View, Translate) visualizes the dependency information present in the SBoM file, while also translating the SBoM into another format. With your newly generated SBoM file in CycloneDX format, you can use HatBOM2 (View, Translate) to change your SBoM from CycloneDX to SPDX format, or vice versa.
  • HatBOM4 (Validate) aims to evaluate whether an SBoM's dependency information is identical to the actual dependencies present in the software's source code. Using HatBOM4 (Validate) enables the user to determine whether an SBoM correctly represents the dependencies of a software project.

POSSIBLE COLLABORATION

For inquiries, suggestions or possible collaboration please send an email to cssa@korea.ac.kr.