sbomvalidator

v2.4.1
Published: Apr 8, 2026 License: MIT Imports: 7 Imported by: 0

README

ShiftSBOM Validator


Overview

sbom-validator is a Go library designed to validate Software Bill of Materials (SBOMs) against the official SBOM specifications. It ensures compliance with formats like CycloneDX & SPDX and helps maintain software supply chain security.

Features

✅ Detects SBOM type (e.g., CycloneDX, SPDX)

✅ Extracts SBOM version

✅ Validates SBOM against official schemas

✅ Provides detailed validation errors

Installation

Use go get to install the package:

go get github.com/shiftleftcyber/sbom-validator/v2@latest

Upgrading To v2

Existing projects pinned to older v1 versions of github.com/shiftleftcyber/sbom-validator will continue to work without changes.

To upgrade to v2, update your import path and dependency:

go get github.com/shiftleftcyber/sbom-validator/v2@latest
import sbomvalidator "github.com/shiftleftcyber/sbom-validator/v2"

Projects still importing github.com/shiftleftcyber/sbom-validator without the /v2 suffix should remain on the v1 line until they are ready to migrate.

Usage


package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"os"

	sbomvalidator "github.com/shiftleftcyber/sbom-validator/v2"
)

func main() {
	sbomPath := flag.String("file", "", "Path to the SBOM JSON file")
	debug := flag.Bool("debug", false, "Enable debug logging")
	flag.Parse()

	sbomvalidator.SetDebugLogging(*debug)

	// Ensure the file path is provided
	if *sbomPath == "" {
		log.Fatal("Usage: go run main.go -file=<path-to-sbom.json> [-debug]")
	}

	// Read SBOM file
	jsonData, err := os.ReadFile(*sbomPath)
	if err != nil {
		log.Fatalf("Failed to read SBOM file: %v", err)
	}

	// A non-nil err means validation could not run (non-JSON input, unknown
	// SBOM type, schema load failure); schema violations are reported in result
	result, err := sbomvalidator.ValidateSBOMData(jsonData)
	if err != nil {
		log.Fatalf("Error during validation - %v", err)
	}

	if result.IsValid {
		// Print the full ValidationResult as JSON
		output, _ := json.MarshalIndent(result, "", " ")
		fmt.Println(string(output))
	} else {
		fmt.Printf("Validation failed! Showing up to %d errors:\n", 10)

		for i, errMsg := range result.ValidationErrors {
			if i >= 10 {
				fmt.Printf("...and %d more errors.\n", len(result.ValidationErrors)-10)
				break
			}
			fmt.Printf("- %s\n", errMsg)
		}
	}
}

Running Tests

go test ./...

Or you can use the included Makefile:

make test

Running the example

You can build the example app and pass it an SBOM:

make build

./bin/sbom-validator-example -file sample-sboms/sample-1.6.cdx.json
{
 "isValid": true,
 "sbomType": "CycloneDX",
 "sbomVersion": "1.6",
 "detectedFormat": "JSON"
}

./bin/sbom-validator-example -file sample-sboms/sample-1.6.cdx.json -debug
DEBUG: 2026/04/07 14:00:00 CycloneDX SBOM type detected
DEBUG: 2026/04/07 14:00:00 CycloneDX version is set to: 1.6
{
 "isValid": true,
 "sbomType": "CycloneDX",
 "sbomVersion": "1.6",
 "detectedFormat": "JSON"
}

License

This project is licensed under the MIT License.

Contributing

Contributions are welcome! Please open an issue or submit a pull request.

Documentation

Index

Constants

const (
	SBOM_CYCLONEDX = "CycloneDX"
	SBOM_SPDX      = "SPDX"
)

Variables

This section is empty.

Functions

func SetDebugLogging

func SetDebugLogging(enabled bool)

SetDebugLogging enables or disables package debug logs.

Types

type ValidationResult

type ValidationResult struct {
	IsValid          bool     `json:"isValid"`
	SBOMType         string   `json:"sbomType,omitempty"`
	SBOMVersion      string   `json:"sbomVersion,omitempty"`
	ValidationErrors []string `json:"validationErrors,omitempty"`
	SchemaUsed       string   `json:"schemaUsed,omitempty"`
	DetectedFormat   string   `json:"detectedFormat,omitempty"`
}

ValidationResult represents the outcome of validating a Software Bill of Materials (SBOM).

It provides detailed information about the validation process, including:

  • Whether the SBOM is valid (`IsValid`).
  • The detected SBOM type (e.g., CycloneDX, SPDX).
  • The SBOM schema or specification version.
  • A list of any validation errors encountered.
  • The schema file or source used during validation.
  • The detected input format (e.g., JSON, XML, etc.).

This struct is returned by `ValidateSBOMData` and can be serialized to JSON for use in CLI tools, APIs, or automated pipelines.

func ValidateSBOMData

func ValidateSBOMData(sbomContent []byte) (*ValidationResult, error)

ValidateSBOMData is the main function to validate SBOM data using this library.

This function serves as a wrapper around multiple internal functions, making it the recommended entry point for validating SBOMs. It performs the following steps:

  1. Detects whether the SBOM is in JSON format.
  2. Determines the SBOM type (CycloneDX, SPDX, etc.).
  3. Extracts the schema version from the SBOM data.
  4. Loads the corresponding schema for validation.
  5. Validates the SBOM against the schema and returns the validation result.

Parameters:

  • sbomContent: A byte slice containing the SBOM data.

Returns:

  • *ValidationResult: The outcome of validation. `IsValid` is `true` if the SBOM is valid, `false` otherwise; `ValidationErrors` holds the validation error messages if the SBOM is invalid (nil if valid).
  • error: An error if the function encounters issues during validation.

Errors:

  • Returns an error if the SBOM format is not JSON.
  • Returns an error if SBOM type detection fails.
  • Returns an error if the SBOM type is not CycloneDX (currently the only supported format).
  • Returns an error if extracting the SBOM version fails.
  • Returns an error if loading the schema fails.

Note:

  • This function abstracts multiple lower-level functions, such as `DetectSBOMType`, `ExtractVersion`, `LoadSchema`, and `ValidateSBOM`. Instead of calling those individually, use `ValidateSBOMData` for a streamlined validation process.

Example usage:

result, err := ValidateSBOMData(sbomBytes)
if err != nil {
	log.Fatalf("SBOM validation failed: %v", err)
}
if result.IsValid {
	fmt.Println("SBOM is valid!")
} else {
	fmt.Println("SBOM validation errors:", result.ValidationErrors)
}
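The first three steps of ValidateSBOMData (detect JSON, determine SBOM type, extract version), shown as an added stand-alone Go example that is not the library's own code and does not show its internal logic. It reads the top-level keys that identify CycloneDX (bomFormat, specVersion) and SPDX (spdxVersion) JSON documents and returns a distinct error for non-JSON input, an unknown type, or a missing version; the function and struct names are my own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)
// SBOMInfo is the outcome of the detect-type / extract-version steps.
type SBOMInfo struct {
	Type    string // "CycloneDX" or "SPDX"
	Version string // "1.6" for CycloneDX, "2.3" for SPDX
	Format  string // only "JSON" is handled here
}

// sbomHeader holds the top-level keys that identify each format.
type sbomHeader struct {
	BomFormat   string `json:"bomFormat"`   // CycloneDX: "CycloneDX"
	SpecVersion string `json:"specVersion"` // CycloneDX: "1.6"
	SPDXVersion string `json:"spdxVersion"` // SPDX: "SPDX-2.3"
}

// DetectSBOM reports the SBOM type and version of a JSON document, or a
// distinct error for non-JSON input, an unknown type, or a missing version.
func DetectSBOM(content []byte) (*SBOMInfo, error) {
	if !json.Valid(content) {
		return nil, errors.New("input is not valid JSON")
	}
	var h sbomHeader
	if err := json.Unmarshal(content, &h); err != nil {
		return nil, fmt.Errorf("top-level object expected: %w", err)
	}
	switch {
	case h.BomFormat == "CycloneDX":
		if h.SpecVersion == "" {
			return nil, errors.New("CycloneDX document has no specVersion")
		}
		return &SBOMInfo{Type: "CycloneDX", Version: h.SpecVersion, Format: "JSON"}, nil
	case strings.HasPrefix(h.SPDXVersion, "SPDX-") && len(h.SPDXVersion) > len("SPDX-"):
		return &SBOMInfo{Type: "SPDX", Version: strings.TrimPrefix(h.SPDXVersion, "SPDX-"), Format: "JSON"}, nil
	}
	return nil, errors.New("unknown SBOM type: neither bomFormat nor spdxVersion present")
}

func main() {
	// Constructed sample; not one of the project's sample-sboms files.
	info, err := DetectSBOM([]byte(`{"bomFormat":"CycloneDX","specVersion":"1.6","components":[]}`))
	fmt.Printf("%+v err=%v\n", info, err)
}
```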
