Know exactly what changed in your software supply chain.
Semantic SBOM diff and analysis tool. Compare, validate, and assess the quality of SBOMs across CycloneDX and SPDX formats.
- Semantic Diffing — Component-level change detection (added, removed, modified), dependency graph diffing, vulnerability tracking, and license change analysis
- Multi-Format Support — CycloneDX (1.4–1.7) and SPDX (2.2–2.3, 3.0) in JSON, JSON-LD, XML, tag-value, and RDF/XML with automatic format detection
- Streaming Parser — Memory-efficient parsing for very large SBOMs (>512MB) with progress reporting
- Fuzzy Matching — Multi-tier matching engine using exact PURL match, alias lookup, ecosystem-specific normalization, and string similarity with adaptive thresholds and LSH indexing
- Vulnerability Enrichment — Integration with OSV and KEV databases to track new and resolved vulnerabilities (feature-gated)
- EOL Detection — End-of-life status for components via endoflife.date API with TUI visualization and compliance integration (feature-gated)
- Quality Assessment — Score SBOMs against compliance standards including NTIA, FDA, CRA (Cyber Resilience Act), NIST SSDF, and EO 14028
- Fleet Comparison — 1:N baseline comparison, timeline analysis across versions, and NxN matrix analysis
- Incremental Diff — Track changes across SBOM versions with drift detection and divergence analysis
- Multiple Output Formats — JSON, SARIF, HTML, Markdown, CSV, table, side-by-side, summary, and an interactive TUI
- Ecosystem-Aware — Configurable per-ecosystem normalization rules, typosquat detection, and cross-ecosystem package correlation
brew install sbom-tool/tap/sbom-tools

Download from GitHub Releases:
# Linux (x86_64)
curl -sSL https://github.com/sbom-tool/sbom-tools/releases/latest/download/sbom-tools-linux-x86_64.tar.gz | tar xz
sudo mv sbom-tools /usr/local/bin/
# macOS (Apple Silicon)
curl -sSL https://github.com/sbom-tool/sbom-tools/releases/latest/download/sbom-tools-macos-aarch64.tar.gz | tar xz
sudo mv sbom-tools /usr/local/bin/
# macOS (Intel)
curl -sSL https://github.com/sbom-tool/sbom-tools/releases/latest/download/sbom-tools-macos-x86_64.tar.gz | tar xz
sudo mv sbom-tools /usr/local/bin/

Each pre-built archive is signed with Sigstore and has a GitHub build attestation. To verify a download:
# Verify Sigstore signature (requires cosign)
cosign verify-blob \
--bundle sbom-tools-macos-aarch64.tar.gz.bundle \
--certificate-identity 'https://github.com/sbom-tool/sbom-tools/.github/workflows/publish-crates.yml@refs/tags/v0.1.15' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
sbom-tools-macos-aarch64.tar.gz
# Verify GitHub attestation (requires gh CLI)
gh attestation verify sbom-tools-macos-aarch64.tar.gz \
--repo sbom-tool/sbom-tools

Replace v0.1.15 with the version you downloaded. Homebrew users do not need to verify manually: Homebrew checks the source tarball against the SHA256 pinned in the formula. That check proves the tarball matches what the tap pinned, not that it was built by the release workflow; run the cosign or gh verification above if you need that provenance.
# Fast install (downloads pre-built binary)
cargo binstall sbom-tools
# Or compile from source
cargo install sbom-tools

Requires Rust 1.88+.
# Release build (includes vulnerability enrichment by default)
cargo build --release
# Without enrichment (lightweight build)
cargo build --release --no-default-features

The binary is placed at target/release/sbom-tools.
# Compare two SBOMs
sbom-tools diff old-sbom.json new-sbom.json
# View SBOM contents interactively
sbom-tools view sbom.json
# Search for components across SBOMs
sbom-tools query "log4j" --version "<2.17.0" fleet/*.json
# Validate compliance
sbom-tools validate sbom.json --standard ntia
# Assess quality
sbom-tools quality sbom.json --profile security --recommendations

sbom-tools diff old-sbom.json new-sbom.json

Compares two SBOMs and reports added, removed, and modified components with version diffs, vulnerability changes, and license deltas.
Diff options

| Flag | Description |
|---|---|
| --fail-on-change | Exit with code 1 if changes are detected |
| --fail-on-vuln | Exit with code 2 if new vulnerabilities are introduced |
| --graph-diff | Enable dependency graph structure diffing |
| --ecosystem-rules <path> | Load custom per-ecosystem normalization rules |
| --fuzzy-preset <preset> | Matching preset: strict, balanced (default), permissive |
| --enrich-vulns | Query OSV/KEV databases for vulnerability data |
| --enrich-eol | Detect end-of-life status via endoflife.date API |
| --detect-typosquats | Flag components that look like known-package typosquats |
| --explain-matches | Show why each component pair was matched |
Example output
sbom-tools diff old-sbom.json new-sbom.json --enrich-vulns
SBOM Diff: old-sbom.json → new-sbom.json
Components: 142 → 145 (+5 added, -2 removed, ~3 modified)
+ pkg:npm/express@4.19.2 (added)
+ pkg:npm/zod@3.23.8 (added)
+ pkg:npm/opentelemetry-api@1.9.0 (added)
+ pkg:npm/ws@8.18.0 (added)
+ pkg:npm/pino@9.3.2 (added)
- pkg:npm/body-parser@1.20.2 (removed)
- pkg:npm/winston@3.11.0 (removed)
~ pkg:npm/lodash@4.17.20 → 4.17.21 (version bump)
~ pkg:npm/axios@1.6.0 → 1.7.4 (version bump)
~ pkg:npm/semver@7.5.4 → 7.6.3 (version bump)
Vulnerabilities:
✗ CVE-2024-29041 (HIGH) — express <4.19.2 [resolved by upgrade]
✗ CVE-2024-4068 (HIGH) — braces <3.0.3 [new, in transitive dep]
License changes: none
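What "semantic" buys you over a textual diff, shown as an added example in Python (standard library only; this is not sbom-tools' own code). Two constructed CycloneDX 1.5 documents are keyed by ecosystem plus a normalized name, so a PyPI component whose name only changed case and separators is reported as a license change on one component rather than as a removal plus an addition. The normalization rules used are the npm case-folding and PEP 503 ones; the sample data and the report format are illustrative.

```python
"""Minimal semantic component diff over two CycloneDX JSON SBOMs.

Added example, not sbom-tools' own diff engine. Components are keyed by
(ecosystem, normalized name) instead of the raw name string, so a case or
separator difference is not reported as a remove + add.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample SBOMs (CycloneDX 1.5 JSON, trimmed to the fields the diff uses).
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "body-parser", "version": "1.20.2",
         "purl": "pkg:npm/body-parser@1.20.2"},
        {"type": "library", "name": "Python_Dateutil", "version": "2.8.2",
         "purl": "pkg:pypi/Python_Dateutil@2.8.2",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    ],
})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "python-dateutil", "version": "2.8.2",
         "purl": "pkg:pypi/python-dateutil@2.8.2",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})


def purl_type(purl: str) -> str:
    """Ecosystem from a package URL: pkg:<type>/<namespace>/<name>@<version>."""
    return purl[len("pkg:"):].split("/", 1)[0] if purl.startswith("pkg:") else "generic"


def normalize_name(eco: str, name: str) -> str:
    """Per-ecosystem name normalization: npm names are case-insensitive and PyPI
    collapses runs of '-', '_' and '.' to a single '-' (PEP 503)."""
    n = name.lower()
    if eco == "pypi":
        n = re.sub(r"[-_.]+", "-", n)
    return n


@dataclass(frozen=True)
class Comp:
    key: tuple          # (ecosystem, normalized name)
    version: str
    licenses: frozenset  # SPDX ids (or free-text names) declared on the component


def index(sbom_json: str) -> dict:
    """Map (ecosystem, normalized name) -> Comp for every component in the document."""
    out = {}
    for c in json.loads(sbom_json).get("components", []):
        eco = purl_type(c.get("purl", ""))
        key = (eco, normalize_name(eco, c["name"]))
        lic = frozenset(l["license"].get("id", l["license"].get("name", ""))
                        for l in c.get("licenses", []) if "license" in l)
        out[key] = Comp(key, c.get("version", ""), lic)
    return out


def semantic_diff(old_json: str, new_json: str) -> dict:
    """Classify components as added, removed or modified (version / license change)."""
    old, new = index(old_json), index(new_json)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    modified = []
    for k in sorted(old.keys() & new.keys()):
        o, n = old[k], new[k]
        changes = {}
        if o.version != n.version:
            changes["version"] = (o.version, n.version)
        if o.licenses != n.licenses:
            changes["licenses"] = (sorted(o.licenses), sorted(n.licenses))
        if changes:
            modified.append((k, changes))
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    d = semantic_diff(OLD_SBOM, NEW_SBOM)
    for k in d["added"]:
        print(f"+ {k[0]}/{k[1]} (added)")
    for k in d["removed"]:
        print(f"- {k[0]}/{k[1]} (removed)")
    for k, ch in d["modified"]:
        print(f"~ {k[0]}/{k[1]} {ch}")
```

Run it and python-dateutil shows up once, as a license change from BSD-3-Clause to Apache-2.0, which is the kind of change a raw name comparison would bury under a spurious remove and add.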
sbom-tools view sbom.json

Launches an interactive TUI with component tree, vulnerability details, license breakdown, and dependency graph.
View options

| Flag | Description |
|---|---|
| --severity <level> | Filter by minimum vulnerability severity (critical, high, medium, low) |
| --vulnerable-only | Only show components with known vulnerabilities |
| --ecosystem <name> | Filter components by ecosystem (e.g., npm, cargo, pypi) |
| --enrich-eol | Detect end-of-life status via endoflife.date API |
| --validate-ntia | Validate against NTIA minimum elements |
sbom-tools validate sbom.json --standard ntia
sbom-tools validate sbom.json --standard cra -o sarif -O results.sarif

Checks an SBOM against a compliance standard and reports missing fields or failing requirements.
Validate options

| Flag | Description |
|---|---|
| --standard <std> | Standard to validate: ntia (default), fda, cra, ssdf, eo14028 (comma-separated for multiple) |
| -o, --output <fmt> | Output format (default: json; supports sarif for CI integration) |
sbom-tools quality sbom.json --profile security --recommendations

Scores an SBOM from 0–100 using a weighted profile. Use --min-score to fail CI if quality drops below a threshold.
Quality options

| Flag | Description |
|---|---|
| --profile <name> | Scoring profile: minimal, standard (default), security, license-compliance, cra, comprehensive |
| --min-score <n> | Fail if quality score is below threshold (0–100) |
| --recommendations | Show detailed improvement recommendations |
| --metrics | Show detailed scoring metrics |
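What a validate/quality pass actually checks, as an added example in Python (not sbom-tools' validate or quality implementation). It tests a constructed CycloneDX document against the seven NTIA minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp), reports each gap, turns the result into a weighted 0–100 score and applies a --min-score style threshold. The weights and the 0/1 verdict mapping of gate() are assumptions for illustration, not the tool's scoring profile or exit codes.

```python
"""NTIA minimum-elements check with a weighted 0-100 score and a CI gate.

Added example, not sbom-tools' own checker. The rule set is the seven NTIA
minimum elements; WEIGHTS and the gate() verdict mapping are assumptions.
"""
import json

# Constructed CycloneDX 1.5 JSON: one well-described component and one that is
# missing its supplier, version, identifier and dependency entry.
SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-09-01T12:00:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"bom-ref": "app", "name": "shop-api", "version": "3.1.0"},
    },
    "components": [
        {"bom-ref": "pkg:npm/express@4.19.2", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2", "supplier": {"name": "OpenJS Foundation"}},
        {"bom-ref": "c2", "name": "leftover-lib", "version": ""},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/express@4.19.2"]},
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": []},
    ],
})

# Illustrative weights (assumption): identifiers and versions drive vulnerability
# matching, so they count for more than the document-level fields.
WEIGHTS = {
    "author": 10, "timestamp": 5,                # document-level elements
    "supplier": 15, "name": 10, "version": 20,   # per-component elements
    "identifier": 25, "dependency": 15,
}


def check_ntia(sbom_json: str) -> dict:
    """Return score (0-100), the list of (element, where) gaps, and a pass flag."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    comps = bom.get("components", [])
    refs_with_deps = {d.get("ref") for d in bom.get("dependencies", [])}
    findings = []
    doc_ok = {
        "author": bool(meta.get("authors") or meta.get("tools")),
        "timestamp": bool(meta.get("timestamp")),
    }
    for el, ok in doc_ok.items():
        if not ok:
            findings.append((el, "<document>"))
    satisfied = {k: 0 for k in ("supplier", "name", "version", "identifier", "dependency")}
    for c in comps:
        checks = {
            "supplier": bool(c.get("supplier", {}).get("name")),
            "name": bool(c.get("name")),
            "version": bool(c.get("version")),
            "identifier": bool(c.get("purl") or c.get("cpe") or c.get("swid")),
            # a component counts as having a dependency relationship when the
            # dependency graph has an entry for its bom-ref (even an empty one)
            "dependency": c.get("bom-ref") in refs_with_deps,
        }
        for el, ok in checks.items():
            if ok:
                satisfied[el] += 1
            else:
                findings.append((el, c.get("name") or c.get("bom-ref", "?")))
    # Document elements are all-or-nothing; component elements scale with the
    # fraction of components that satisfy them.
    score = 0.0
    for el, weight in WEIGHTS.items():
        if el in doc_ok:
            score += weight if doc_ok[el] else 0
        elif comps:
            score += weight * satisfied[el] / len(comps)
    return {"score": int(score + 0.5), "findings": findings, "passed": not findings}


def gate(sbom_json: str, min_score: int) -> int:
    """CI verdict in exit-code style (assumed mapping): 0 pass, 1 below threshold."""
    return 0 if check_ntia(sbom_json)["score"] >= min_score else 1


if __name__ == "__main__":
    r = check_ntia(SAMPLE)
    print(f"NTIA score: {r['score']}/100  all elements present: {r['passed']}")
    for el, where in r["findings"]:
        print(f"  missing {el}: {where}")
```

The sample scores 63: every gap is on leftover-lib, and because that is one of two components each missing per-component element costs half its weight. A threshold of 80 fails the gate while 60 passes, which is the behaviour --min-score gives you in a pipeline.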
sbom-tools query "log4j" sbom1.json sbom2.json sbom3.json

Search for components across multiple SBOMs by name, version, ecosystem, license, supplier, or vulnerability ID. Answers the "where is Log4j?" question across your entire SBOM fleet.
Query options

| Flag | Description |
|---|---|
| --name <str> | Filter by component name (substring) |
| --version <ver> | Filter by version: exact match or semver range (e.g., <2.17.0) |
| --ecosystem <eco> | Filter by ecosystem (e.g., npm, maven, pypi) |
| --license <str> | Filter by license (substring) |
| --purl <str> | Filter by PURL (substring) |
| --supplier <str> | Filter by supplier name (substring) |
| --affected-by <id> | Filter by vulnerability ID (e.g., CVE-2021-44228) |
| --enrich-vulns | Query OSV databases for vulnerability data |
| --enrich-eol | Detect end-of-life status via endoflife.date API |
| --limit <n> | Maximum number of results |
| --group-by-sbom | Group output by SBOM source |
Example output
$ sbom-tools query "log4j" --version "<2.17.0" fleet/*.cdx.json
Query: "log4j" AND version=<2.17.0 across 5 SBOMs (1247 total components)
COMPONENT VERSION ECOSYSTEM LICENSE VULNS FOUND IN
log4j 2.14.0 maven Apache-2.0 1 firmware-v1, device-a
log4j 2.14.1 maven Apache-2.0 1 gateway
2 components found across 5 SBOMs
$ sbom-tools query --ecosystem pypi *.json --group-by-sbom
Query: ecosystem=pypi across 2 SBOMs (33 total components)
── backend-v3 (4 matches / 18 components) ──
django 4.2.11 (pypi)
flask 3.0.2 (pypi)
celery 5.3.6 (pypi)
numpy 1.26.4 (pypi)
── backend-v2 (4 matches / 15 components) ──
django 3.2.23 (pypi)
flask 2.2.5 (pypi)
celery 5.3.4 (pypi)
numpy 1.24.4 (pypi)
8 components found across 2 SBOMs
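The fleet query above, reimplemented as an added example in Python (not the sbom-tools query command) so the version-range semantics are explicit. Three constructed CycloneDX documents stand in for fleet/*.cdx.json. The constraint grammar handled here is one comparator (<, <=, >, >=, =, ==) followed by a dotted numeric version, and a pre-release suffix such as -rc1 is ordered below its final release; both rules are assumptions for illustration. The point worth noticing is the boundary: a "<2.17.0" query must exclude 2.17.0 itself but include 2.17.0-rc1, and "2.17" must equal "2.17.0".

```python
"""Fleet query: components matching a name substring and a version constraint
across several SBOMs. Added example, not the sbom-tools query command. The
constraint grammar (one comparator plus a dotted numeric version) and the
pre-release ordering are assumptions; the sample fleet is constructed.
"""
import json
import re


def _bom(name, components):
    return json.dumps({"metadata": {"component": {"name": name}}, "components": components})


def _mvn(artifact, version):
    return {"name": artifact, "group": "org.apache.logging.log4j", "version": version,
            "purl": f"pkg:maven/org.apache.logging.log4j/{artifact}@{version}"}


FLEET = {   # file name -> CycloneDX JSON document (constructed)
    "firmware-v1.cdx.json": _bom("firmware-v1", [
        _mvn("log4j-core", "2.14.0"),
        {"name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ]),
    "gateway.cdx.json": _bom("gateway", [_mvn("log4j-core", "2.17.0")]),
    "device-a.cdx.json": _bom("device-a", [_mvn("log4j-api", "2.14.1"),
                                           _mvn("log4j-core", "2.16.0")]),
}

_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>|=)?\s*(\d+(?:\.\d+)*)$")


def parse_version(v: str) -> tuple:
    """Numeric dotted prefix padded to four parts plus a release flag, so that
    2.17 == 2.17.0 and 2.17.0-rc1 sorts below 2.17.0."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        return (0, 0, 0, 0, 0)
    nums = [int(x) for x in m.group(1).split(".")][:4]
    nums += [0] * (4 - len(nums))
    is_release = not m.group(2).startswith("-")
    return tuple(nums) + (1 if is_release else 0,)


def version_matches(version: str, constraint: str) -> bool:
    m = _CONSTRAINT.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported version constraint: {constraint!r}")
    op, target = m.group(1) or "=", parse_version(m.group(2))
    v = parse_version(version)
    return {"<": v < target, "<=": v <= target, ">": v > target,
            ">=": v >= target, "=": v == target, "==": v == target}[op]


def query(fleet: dict, name=None, version=None, ecosystem=None) -> list:
    """Sorted (component, version, sbom name) triples matching every given filter."""
    hits = []
    for fname, doc in fleet.items():
        bom = json.loads(doc)
        sbom_name = bom.get("metadata", {}).get("component", {}).get("name", fname)
        for c in bom.get("components", []):
            if name and name.lower() not in c.get("name", "").lower():
                continue
            if version and not version_matches(c.get("version", ""), version):
                continue
            if ecosystem and not c.get("purl", "").startswith(f"pkg:{ecosystem}/"):
                continue
            hits.append((c["name"], c["version"], sbom_name))
    return sorted(hits)


def group_by_sbom(hits: list) -> dict:
    """The --group-by-sbom view: sbom name -> ["component version", ...]."""
    grouped = {}
    for comp, ver, sbom in hits:
        grouped.setdefault(sbom, []).append(f"{comp} {ver}")
    return grouped


if __name__ == "__main__":
    hits = query(FLEET, name="log4j", version="<2.17.0")
    print(f'Query: "log4j" AND version=<2.17.0 across {len(FLEET)} SBOMs')
    for sbom, comps in group_by_sbom(hits).items():
        print(f"── {sbom} ──")
        for line in comps:
            print("  " + line)
    print(f"{len(hits)} components found across {len(FLEET)} SBOMs")
```

Against this fleet the query returns three hits (device-a twice, firmware-v1 once); the gateway's 2.17.0 is correctly left out. Matching on the name substring also catches log4j-api, which is why a real triage should follow up with --purl or --affected-by rather than stop at the name.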
Compare multiple SBOMs across a project portfolio:
# Compare a baseline against multiple targets (1:N)
sbom-tools diff-multi baseline.json target1.json target2.json target3.json
# Track evolution over time (provide SBOMs in chronological order)
sbom-tools timeline v1.json v2.json v3.json
# All-pairs comparison matrix (NxN)
sbom-tools matrix sbom1.json sbom2.json sbom3.json

Shell completions:

sbom-tools completions bash > ~/.local/share/bash-completion/completions/sbom-tools
sbom-tools completions zsh > ~/.zfunc/_sbom-tools
sbom-tools completions fish > ~/.config/fish/completions/sbom-tools.fish

Global options

| Flag | Description |
|---|---|
| -o, --output <fmt> | Output format (see Output Formats) |
| -v, --verbose | Enable debug output |
| -q, --quiet | Suppress non-essential output |
| --no-color | Disable colored output (also respects NO_COLOR) |
Both diff and view commands launch an interactive terminal UI by default when connected to a TTY.
Compare two SBOMs with semantic change detection across 9 tabs.
Summary — Overall change score with component, vulnerability, and compliance breakdowns at a glance.
Components — Every added, removed, and modified component with version diffs and ecosystem tags.
Side-by-Side — Aligned dual-panel comparison with synchronized scrolling.
Source — Raw SBOM JSON in a synced dual-panel tree view. Press s to lock navigation across panels.
Compliance — CRA, NTIA, FDA, NIST SSDF, and EO 14028 readiness checks with pass/fail details for each requirement.
Explore a single SBOM interactively across 8 tabs.
Overview — SBOM metadata, component statistics, and vulnerability summary.
Components — Expandable component tree grouped by ecosystem.
Vulnerabilities — CVE table with severity, CVSS scores, and affected components.
Quality — Weighted quality score with category breakdown and improvement recommendations.
| Key | Action |
|---|---|
| 1–0 / Tab | Switch tabs |
| ↑↓ / jk | Navigate items |
| Enter / Space | Expand / collapse |
| / | Search |
| f | Filter panel |
| s | Sync panels (Source) / sort |
| w | Switch focus (Source, Side-by-Side) |
| v | Tree / raw toggle (Source) |
| e | Export |
| T | Cycle theme |
| q | Quit |
Select with -o / --output:

| Format | Flag | Use Case |
|---|---|---|
| Auto | auto | Default — TUI if TTY, summary otherwise |
| TUI | tui | Interactive exploration |
| JSON | json | Programmatic integration |
| SARIF | sarif | CI/CD security dashboards (SARIF 2.1.0) |
| Markdown | markdown | Documentation, PR comments |
| HTML | html | Stakeholder reports |
| CSV | csv | Spreadsheet analysis |
| Summary | summary | Terminal quick overview |
| Table | table | Aligned, colored terminal output |
| Side-by-side | side-by-side | Terminal diff comparison |
Use sbom-tools in CI pipelines to gate deployments on SBOM changes, new vulnerabilities, or quality regressions.
# Fail if any components changed
sbom-tools diff old.json new.json --fail-on-change -o summary
# Fail if new vulnerabilities are introduced, output SARIF for dashboards
sbom-tools diff old.json new.json --fail-on-vuln --enrich-vulns -o sarif -O results.sarif
# Fail if quality score drops below 80
sbom-tools quality sbom.json --profile security --min-score 80 -o json
# Validate CRA compliance
sbom-tools validate sbom.json --standard cra -o sarif -O compliance.sarif
# Check for vulnerable Log4j versions across all SBOMs (exits 1 if found)
sbom-tools query "log4j" --version "<2.17.0" fleet/*.json -o json

GitHub Actions — using the action (recommended)
```yaml
name: SBOM Check
on:
  pull_request:
    paths: ['sbom.json']
jobs:
  sbom-diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - name: Get previous SBOM
        run: git show HEAD~1:sbom.json > /tmp/old-sbom.json
      - name: Diff SBOM
        uses: sbom-tool/sbom-tools-action@v1
        with:
          command: diff
          args: /tmp/old-sbom.json sbom.json
          fail-on-vuln: true
          enrich-vulns: true
          output-format: sarif
          output-file: results.sarif
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
  sbom-quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check quality
        uses: sbom-tool/sbom-tools-action@v1
        with:
          command: quality
          args: sbom.json
          profile: security
          min-score: '80'
  sbom-compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate CRA compliance
        uses: sbom-tool/sbom-tools-action@v1
        with:
          command: validate
          args: sbom.json
          standard: cra
          output-format: sarif
          output-file: compliance.sarif
```

GitHub Actions — manual binary download
```yaml
name: SBOM Check
on:
  pull_request:
    paths: ['sbom.json']
jobs:
  sbom-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - name: Install sbom-tools
        run: |
          curl -fsSL -o sbom-tools.tar.gz \
            https://github.com/sbom-tool/sbom-tools/releases/latest/download/sbom-tools-linux-x86_64.tar.gz
          tar xzf sbom-tools.tar.gz
          sudo mv sbom-tools /usr/local/bin/
      - name: Diff SBOM against main
        run: |
          git show HEAD~1:sbom.json > /tmp/old-sbom.json
          sbom-tools diff /tmp/old-sbom.json sbom.json \
            --fail-on-vuln --enrich-vulns \
            -o sarif -O results.sarif
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

This variant installs whatever releases/latest currently points at without checking it. For a pipeline that gates deployments, pin a release tag in the download URL and verify the archive with gh attestation verify (as shown in the verification steps above) before moving the binary into place.

Exit codes

| Code | Meaning |
|---|---|
| 0 | Success (no changes detected, or run without --fail-on-change) |
| 1 | Changes detected (--fail-on-change) |
| 2 | New vulnerabilities introduced (--fail-on-vuln) |
| 3 | Error |
| 4 | VEX coverage gaps found (--fail-on-vex-gap) |
sbom-tools looks for configuration in the following order:
- CLI argument: --ecosystem-rules <path>
- Environment variable: SBOM_TOOLS_ECOSYSTEM_RULES
- Project local: .sbom-tools/ecosystem-rules.yaml
- User config: ~/.config/sbom-tools/ecosystem-rules.yaml
See examples/ecosystem-rules.yaml for a full configuration example covering per-ecosystem normalization, aliases, matching presets, and enrichment settings.
| Preset | Description |
|---|---|
| strict | Exact matches only |
| balanced | Default — uses normalization and moderate similarity thresholds |
| permissive | Aggressive fuzzy matching for noisy SBOMs |
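How the presets change what gets matched, as an added example in Python (not the sbom-tools matching engine). The matcher walks the tiers the feature list names, exact versionless PURL, alias lookup, per-ecosystem normalization and finally string similarity, and only the last tier depends on the preset. The threshold values, the alias table, the popular-package list and the constructed component records are assumptions for illustration. The case to watch is lodahs, one letter away from lodash: strict and balanced leave it unmatched, so it surfaces as an addition that typosquat detection can flag, whereas permissive absorbs it as a modified lodash and hides the typosquat as a rename.

```python
"""Multi-tier component matching with strict / balanced / permissive presets.

Added example, not the sbom-tools matching engine. Tiers in order: exact
versionless PURL, alias table, per-ecosystem name normalization, then string
similarity gated by a preset threshold. PRESETS, ALIASES, POPULAR and the
component records are constructed for illustration.
"""
from difflib import SequenceMatcher
import re

PRESETS = {            # similarity threshold per preset (assumed values)
    "strict": None,    # PURL, alias and normalization tiers only
    "balanced": 0.90,
    "permissive": 0.75,
}
# Known renames, keyed and valued by (ecosystem, name). Constructed.
ALIASES = {
    ("npm", "request-promise"): ("npm", "request-promise-native"),
}
# Widely used names that typosquats imitate. Constructed.
POPULAR = {("npm", "lodash"), ("npm", "express"), ("pypi", "requests")}

# Constructed component records: entries from an old SBOM and the new SBOM.
OLD_RP = {"ecosystem": "npm", "name": "request-promise", "purl": "pkg:npm/request-promise@4.2.6"}
OLD_DU = {"ecosystem": "pypi", "name": "python-dateutil", "purl": "pkg:pypi/python-dateutil@2.8.2"}
OLD_LODASH = {"ecosystem": "npm", "name": "lodash", "purl": "pkg:npm/lodash@4.17.20"}
NEW = [
    {"ecosystem": "npm", "name": "request-promise-native",
     "purl": "pkg:npm/request-promise-native@1.0.9"},
    {"ecosystem": "pypi", "name": "Python_Dateutil", "purl": "pkg:pypi/Python_Dateutil@2.9.0"},
    {"ecosystem": "npm", "name": "lodahs", "purl": "pkg:npm/lodahs@4.17.21"},  # one letter off
]


def strip_version(purl: str) -> str:
    """pkg:type/ns/name@ver?q#s -> pkg:type/ns/name. Scoped npm names encode
    their '@' as %40, so the only literal '@' after 'pkg:' separates the version."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base[4:] else base


def normalize(eco: str, name: str) -> str:
    n = name.lower()
    if eco == "pypi":                       # PEP 503: runs of - _ . collapse to -
        n = re.sub(r"[-_.]+", "-", n)
    elif eco == "maven":                    # groupId/artifactId vs groupId:artifactId
        n = n.replace("/", ":")
    return n


def match(old: dict, candidates: list, preset: str = "balanced"):
    """Return (matched candidate, tier) or (None, None)."""
    threshold = PRESETS[preset]
    eco, o_norm = old["ecosystem"], normalize(old["ecosystem"], old["name"])
    o_purl = strip_version(old.get("purl", ""))
    for c in candidates:                                        # tier 1: versionless PURL
        if o_purl and strip_version(c.get("purl", "")) == o_purl:
            return c, "purl"
    target = ALIASES.get((eco, old["name"]))                    # tier 2: alias table
    for c in candidates:
        if target and (c["ecosystem"], c["name"]) == target:
            return c, "alias"
    for c in candidates:                                        # tier 3: normalized name
        if c["ecosystem"] == eco and normalize(eco, c["name"]) == o_norm:
            return c, "normalized"
    if threshold is None:                                       # strict stops here
        return None, None
    best, best_score = None, 0.0                                # tier 4: similarity
    for c in candidates:
        if c["ecosystem"] != eco:
            continue
        score = SequenceMatcher(None, o_norm, normalize(eco, c["name"])).ratio()
        if score > best_score:
            best, best_score = c, score
    if best is not None and best_score >= threshold:
        return best, f"similarity:{best_score:.2f}"
    return None, None


def typosquat_candidates(comp: dict, min_ratio: float = 0.80) -> list:
    """Popular packages that an unmatched (newly added) component closely resembles."""
    eco, name = comp["ecosystem"], normalize(comp["ecosystem"], comp["name"])
    return sorted(p for e, p in POPULAR
                  if e == eco and p != name
                  and SequenceMatcher(None, name, p).ratio() >= min_ratio)


if __name__ == "__main__":
    for preset in PRESETS:
        c, tier = match(OLD_LODASH, NEW, preset)
        print(f"{preset:10s} lodash -> {c['name'] if c else 'unmatched'} ({tier})")
    print("typosquat candidates for lodahs:", typosquat_candidates(NEW[2]))
```

Two design points carry over to the real tool: the similarity tier only ever compares within one ecosystem, and typosquat detection runs over the components that remain unmatched after the tiers, not over the matched pairs. Keep permissive for SBOMs you already know are noisy, and pair it with --explain-matches so a similarity match is visible in the report.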
src/
├── cli/ Command handlers (diff, view, validate, quality, query, fleet commands)
├── config/ YAML/JSON config with presets, validation, schema generation
├── model/ Canonical SBOM representation (NormalizedSbom, Component, CanonicalId)
├── parsers/ Format detection + parsing (streaming for >512MB)
├── matching/ Multi-tier fuzzy matching (PURL, alias, ecosystem, adaptive, LSH)
├── diff/ Semantic diffing engine with graph support + incremental diff
├── enrichment/ OSV/KEV vulnerability data + EOL detection (feature-gated), file cache with TTL
├── quality/ NTIA/FDA/CRA/NIST SSDF/EO 14028 compliance scoring
├── pipeline/ parse → enrich → diff → report orchestration
├── reports/ Output format generators + streaming reporter
└── tui/ Ratatui-based interactive UI
See docs/ARCHITECTURE.md for detailed module responsibilities and data flow.
# Run all tests
cargo test
# Run benchmarks
cargo bench

Contributions are welcome! Please open an issue to discuss your idea before submitting a pull request. Make sure cargo test passes and follow the existing code style.
