Delta SBOM (Diff Plugin)
Filters the SBOM so that only those components that were not previously bundled are included. A component is considered to have been previously delivered if the previous SBOM includes a component with the same purl, and if all hashes that are present in both SBOMs for that component match.
If no hashes can be checked (for example, one or the other SBOM has no hashes, or one SBOM has a SHA-1 hash and the other a SHA-256 hash), the comparison is done on the purl value alone, including all qualifiers.
A special rule applies when purls match, no hash comparisons are available, and the version number is either missing or `latest`. In this case, the components are considered not to match, and the new component is included. This allows for the fact that there is no way to determine whether a non-version-controlled artifact has been updated.
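The matching rule described above, worked through as an added illustration (not the plugin's own code; the `Component` model, the hash-algorithm map and the sample purls are constructed for the example):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Component:
    """Constructed minimal model: a purl plus a map of hash algorithm -> digest."""
    purl: str
    hashes: Dict[str, str] = field(default_factory=dict)


def purl_version(purl: str) -> Optional[str]:
    """Version part of a purl (after the last '@', before any '?' qualifiers or '#' subpath)."""
    name_part = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in name_part:
        return None
    return name_part.rsplit("@", 1)[1] or None


def matches(old: Component, new: Component) -> bool:
    """True if `new` counts as previously delivered by `old` under the delta rule."""
    # Step 1: purls must be identical, qualifiers included.
    if old.purl != new.purl:
        return False
    # Step 2: every hash algorithm present in BOTH SBOMs must agree.
    shared = set(old.hashes) & set(new.hashes)
    if shared:
        # Assumption: hex digests are compared case-insensitively.
        return all(old.hashes[alg].lower() == new.hashes[alg].lower() for alg in shared)
    # Step 3: no comparable hash. An unpinned version ("latest" or none) may have
    # changed without any visible difference, so treat it as not matching.
    version = purl_version(new.purl)
    if version is None or version.lower() == "latest":
        return False
    return True


def delta(new_sbom: List[Component], previous_sbom: List[Component]) -> List[Component]:
    """Keep only components of the new SBOM that no previous component matches."""
    return [c for c in new_sbom if not any(matches(old, c) for old in previous_sbom)]
```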
Details
Transfer Tag
hoppr.core_plugins.delta_sbom
Supported PURLs
ALL
System Dependencies
NONE
Transfer File Example
```yaml
---
schemaVersion: v1
kind: transfer
stages:
  process:
    plugins:
      - name: hoppr.core_plugins.delta_sbom
        config:
          process_timeout: 60
          max_processes: 3
```
Configuration Options
The previous config option can be overridden by setting the -pd/--previous-delivery command line option. This value must be specified either in the config file or on the command line.
Option | Details
---|---
previous | String. Location of a file (either a manifest or a tar bundle) describing the previous delivery.
process_timeout | Number of seconds to attempt collection before timeout. Default: 60