Delta SBOM (Diff Plugin)
Filters the SBOM so that only components that were not previously bundled are included. A component is considered to have been previously delivered if the previous SBOM includes a component with the same purl, and all hashes that are present in both SBOMs for that component match.
If no hashes can be checked (for example, one or the other SBOM has no hashes, or one SBOM has a SHA-1 hash and the other a SHA-256), the comparison is done on the purl value alone, including all qualifiers.
A special rule applies when purls match, no hash comparisons are available, and the version number is either missing or `latest`. In this case, the components are considered not matching, and the new component will be included. This allows for the fact that there is no way to determine whether or not a non-version-controlled artifact has been updated.
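The matching rules above, worked through as an added illustration (this is not Hoppr's own implementation). It assumes each SBOM is already reduced to a list of `Component(purl, hashes)` records, and the sample digests are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Component:
    purl: str
    hashes: dict = field(default_factory=dict)  # algorithm name -> hex digest


def purl_version(purl: str) -> Optional[str]:
    """Version segment of a purl (after '@' in the last path segment), or None."""
    base = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    last = base.rsplit("/", 1)[-1]
    return last.rsplit("@", 1)[1] if "@" in last else None


def _norm(hashes: dict) -> dict:
    """Normalise algorithm names and digest case so SHA-256 == sha_256."""
    return {alg.upper().replace("_", "-"): dig.lower() for alg, dig in hashes.items()}


def previously_delivered(new: Component, prev: Component) -> bool:
    """True if `prev` counts as an earlier delivery of `new` under the rules above."""
    if new.purl != prev.purl:  # purl match includes all qualifiers
        return False
    new_h, prev_h = _norm(new.hashes), _norm(prev.hashes)
    common = set(new_h) & set(prev_h)
    if common:  # every hash present in both SBOMs must match
        return all(new_h[a] == prev_h[a] for a in common)
    # No comparable hashes: the purl alone decides, except that an unversioned or
    # "latest" artifact may have changed without a purl change, so it is treated as new.
    version = purl_version(new.purl)
    return version is not None and version.lower() != "latest"


def delta(new_sbom: list, prev_sbom: list) -> list:
    """Components of new_sbom that were not previously delivered."""
    return [c for c in new_sbom if not any(previously_delivered(c, p) for p in prev_sbom)]


# Constructed sample SBOMs; digests are placeholders, not real values.
PREVIOUS = [
    Component("pkg:pypi/requests@2.31.0", {"SHA-256": "aaaa"}),
    Component("pkg:pypi/urllib3@2.0.0", {"SHA-1": "bbbb"}),
    Component("pkg:generic/internal-tool@latest"),
    Component("pkg:npm/%40scope/left-pad@1.3.0", {"SHA-256": "cccc"}),
]
CURRENT = [
    Component("pkg:pypi/requests@2.31.0", {"SHA-256": "aaaa", "SHA-1": "1111"}),  # unchanged
    Component("pkg:pypi/urllib3@2.0.0", {"SHA-256": "dddd"}),  # no common hash: purl decides
    Component("pkg:generic/internal-tool@latest"),  # "latest": always re-included
    Component("pkg:npm/%40scope/left-pad@1.3.0", {"SHA-256": "eeee"}),  # digest changed
    Component("pkg:pypi/idna@3.6", {"SHA-256": "ffff"}),  # not delivered before
]
```

Running `delta(CURRENT, PREVIOUS)` keeps `internal-tool`, `left-pad` and `idna`; `requests` (hashes match) and `urllib3` (versioned purl match, no comparable hashes) are dropped as previously delivered.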
Details
| Property | Value |
|---|---|
| Transfer Tag | hoppr.core_plugins.delta_sbom |
| Supported PURLs | ALL |
| System Dependencies | NONE |
Transfer File Example
```yaml
---
schemaVersion: v1
kind: transfer
stages:
  process:
    plugins:
      - name: hoppr.core_plugins.delta_sbom
        config:
          process_timeout: 60
          previous: "previous_manifest.yml"
          fail_on_empty: False
          max_processes: 3
```
Configuration Options
The previous config option can be overridden by setting the -pd/--previous-delivery command line option. This value must be specified either in the config file or on the command line.
| Option | Details |
|---|---|
| previous | String. Location of a file (either a manifest or a tar bundle) describing the previous delivery. |
| fail_on_empty | Bool. If false, Hoppr will not fail a run that results in no components. Default: True |
| process_timeout | Number of seconds to attempt collection before timing out. Default: 60 |