Introducing renovate-to-sbom to convert Renovate data to Software Bill of Materials (SBOMs)


Over the last few months building dependency-management-data, I've been playing around with the great data from Renovate via renovate-graph, as well as Software Bill of Materials (SBOMs).

One idea early on in the dependency-management-data project was generating Software Bill of Materials (SBOMs) from Renovate's data, so that it could be consumed by other tools.

Although I've since added support for consuming SBOMs in dependency-management-data, I find it interesting to be able to take existing data forms and convert them to a more standardised form. I'm not actually sure if it will be super useful to anyone, but it was fun to build, and it has been interesting to write SBOMs as well as just consume them.

As part of the v0.52.0 release of dependency-management-data, we can install the renovate-to-sbom command:

go install dmd.tanna.dev/cmd/renovate-to-sbom@latest

Then we can use the CLI to take exports from renovate-graph:

renovate-to-sbom 'renovate/*.json' --out-format spdx2.3+json

Or we can take debug logs from Renovate:

renovate-to-sbom 'debug.log' --out-format cyclonedx1.5+json
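To make the conversion concrete, here is an added example (not renovate-to-sbom's own code, and not from dependency-management-data) of the mapping such a tool has to perform: it reads a Renovate-style `packageFiles` document, as renovate-graph exports per repository, and emits a minimal CycloneDX 1.5 JSON BOM with a Package URL per dependency. The input document is constructed for this example, and the field names (`packageFile`, `deps`, `depName`, `currentValue`, `lockedVersion`, `datasource`) are assumed from Renovate's own debug output rather than taken from this post. The datasource-to-purl-type table is this example's own and only covers a handful of ecosystems.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// renovateExport is the assumed shape of a renovate-graph export:
// manager name -> package files -> dependencies (as in Renovate's
// packageFiles debug output; not taken from the post).
type renovateExport struct {
	PackageFiles map[string][]struct {
		PackageFile string `json:"packageFile"`
		Deps        []struct {
			DepName       string `json:"depName"`
			CurrentValue  string `json:"currentValue"`  // declared constraint, e.g. "^4.17.0"
			LockedVersion string `json:"lockedVersion"` // lockfile-resolved version, if Renovate saw one
			Datasource    string `json:"datasource"`
		} `json:"deps"`
	} `json:"packageFiles"`
}

// Component and BOM are the minimal CycloneDX 1.5 JSON fields we emit.
type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	PURL    string `json:"purl,omitempty"`
}

type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Version     int         `json:"version"`
	Components  []Component `json:"components"`
}

// purlType maps Renovate datasource names to purl types (example's own table).
var purlType = map[string]string{
	"npm": "npm", "go": "golang", "maven": "maven", "pypi": "pypi",
	"docker": "docker", "crate": "cargo", "rubygems": "gem", "nuget": "nuget",
}

// PurlFor builds a Package URL, or "" when the datasource has no known purl type.
func PurlFor(datasource, name, version string) string {
	t, ok := purlType[datasource]
	if !ok {
		return ""
	}
	if t == "maven" { // Renovate writes group:artifact; purl wants group/artifact
		name = strings.Replace(name, ":", "/", 1)
	}
	name = strings.ReplaceAll(name, "@", "%40") // npm scopes must be percent-encoded
	p := "pkg:" + t + "/" + name
	if version != "" {
		p += "@" + version
	}
	return p
}

// isConcreteVersion rejects ranges/constraints: an SBOM should carry what is
// installed, not what the manifest merely allows.
func isConcreteVersion(v string) bool {
	return v != "" && !strings.ContainsAny(v, "^~<>=*| ")
}

// RenovateToCycloneDX converts one export into a deduplicated, sorted BOM.
func RenovateToCycloneDX(data []byte) (BOM, error) {
	var exp renovateExport
	if err := json.Unmarshal(data, &exp); err != nil {
		return BOM{}, err
	}
	bom := BOM{BOMFormat: "CycloneDX", SpecVersion: "1.5", Version: 1, Components: []Component{}}
	seen := map[string]bool{}
	for _, files := range exp.PackageFiles {
		for _, f := range files {
			for _, d := range f.Deps {
				ver := d.LockedVersion
				if ver == "" && isConcreteVersion(d.CurrentValue) {
					ver = d.CurrentValue
				}
				purl := PurlFor(d.Datasource, d.DepName, ver)
				key := purl
				if key == "" {
					key = d.Datasource + ":" + d.DepName + "@" + ver
				}
				if seen[key] {
					continue
				}
				seen[key] = true
				bom.Components = append(bom.Components, Component{Type: "library", Name: d.DepName, Version: ver, PURL: purl})
			}
		}
	}
	sort.Slice(bom.Components, func(i, j int) bool { // map iteration is random; sort for stable output
		return bom.Components[i].PURL+bom.Components[i].Name < bom.Components[j].PURL+bom.Components[j].Name
	})
	return bom, nil
}

// sampleExport is a constructed renovate-graph style document for demonstration.
const sampleExport = `{"packageFiles": {
  "npm": [{"packageFile": "package.json", "deps": [
    {"depName": "@types/node", "currentValue": "^20.0.0", "lockedVersion": "20.11.5", "datasource": "npm"},
    {"depName": "lodash", "currentValue": "^4.17.0", "datasource": "npm"}]}],
  "gomod": [{"packageFile": "go.mod", "deps": [
    {"depName": "github.com/spf13/cobra", "currentValue": "v1.8.0", "datasource": "go"}]}]}}`

func main() {
	bom, err := RenovateToCycloneDX([]byte(sampleExport))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(bom, "", "  ")
	os.Stdout.Write(out)
}
```

The caveat this surfaces is the one a consumer of such SBOMs should keep in mind: Renovate records what a manifest declares, so a dependency pinned only by a range (the `lodash` entry above) ends up as a component with no version and an unversioned purl unless a lockfile-resolved version was available. Vulnerability scanners keyed on purl will silently skip those components, so check how many versionless components the output contains before trusting it.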

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#dependency-management-data #renovate #sbom.

This post was filed under articles.
