Skip to main content
Version: 1.13.x

Delta SBOM (Diff Plugin)

Filters the SBOM so include only those components that were not previously bundled are included. A component is considered to have been previously delivered if the previous SBOM includes a component with the same purl, and if all hashes that are present in both SBOMs for that component match.

If no hashes can be checked (for example, one or the other SBOM has no hashes, or one SBOM has a SHA-1 hash, and the other a SHA-256), the comparison is done on purl value alone, including all qualifiers.

note

A special rule applies when purls match, no hash comparisons are available, and the version number is either missing or latest. In this case, the components are considered not matching, and the new component will be included. This is to allow for the fact that there is no way to determine whether or not a non-version-controlled artifact has been updated.

Details

Transfer Tag

hoppr.core_plugins.delta_sbom

Supported PURLs

ALL

System Dependencies

NONE

Transfer File Example

---
schemaVersion: v1
kind: transfer

stages:
process:
plugins:
- name: hoppr.core_plugins.delta_sbom
config:
process_timeout: 60
previous: "previous_manifest.yml"
fail_on_empty: False

max_processes: 3

Configuration Options​

tip

The previous config option can be overridden by setting the -pd/--previous-delivery command line option. This value must be specified either in the config file or on the command line.

OptionDetails
previousString. Location of a file (either a manifest or a tar bundle) describing the previous delivery.
fail_on_emptyBool. If false, Hoppr will not fail a run that results in no components. Default: True
process_timeoutNumber of seconds to attempt collect before timeout. Default: 60