list

This command lists content of the SBOM. It can currently provide a list:

  • of the license information in the SBOM using the licenses operation,

  • of the components in the SBOM using the components operation.

The information can be displayed as a text file or in csv format.

usage: cdx-ev list [-h] [--format {txt,csv}] [--output <file>] <operation> {licenses, components} input

Positional Arguments

<operation>

Possible choices: licenses, components

The list operation that shall be performed.

input

Path to an SBOM file.

Named Arguments

--format

Possible choices: txt, csv

The output format of the data, the default is csv.

Default: 'csv'

--output, -o

The path to where the output should be written. If this is a file, output is written there. If it’s a directory, output is written to a file with an auto-generated name inside that directory. If it’s not specified, output is written to stdout.

Output Format

The txt format for license information (derived from the format of Apache NOTICE files) has the structure:

Metadata component name:
Metadata component copyright
Metadata component license 1
Metadata component license 2
...

This product includes material developed by third parties:

component 1 name:
component 1 copyright
component 1 license 1
component 1 license 2
...

component 2 name:
component 2 copyright
component 2 license 1
component 2 license 2
...

The txt format for component information has the structure:

Metadata component name
Metadata component version
Metadata component supplier name

This product includes material developed by third parties:

component 1 name
component 1 version
component 1 supplier name

...

The csv format for license information has the structure:

Name,Copyright,Licenses
"Metadata component name","Metadata component copyright","Metadata component license 1;..."
"component 1 name","component 1 copyright","component 1 license 1;component 1 license 2..."
"component 2 name","component 2 copyright",""
...

The csv format for component information has the structure:

Name,Version,Supplier
"Metadata component name","Metadata component version","Metadata component supplier name"
"component 1 name","component 1 version","component 1 supplier name"
"component 2 name","","component 2 supplier name"
...

Examples:

# List the license information from bom.json
cdx-ev list licenses bom.json

# List the components from bom.json
cdx-ev list components bom.json
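
The following is an added example, not part of the cdx-ev project: it parses the csv license output described under Output Format and reports components with an empty Licenses column or with a license outside an allow-list. The sample data, the allow-list and the function names are constructed for illustration, and it assumes the license entries are SPDX-style identifiers.

```python
import csv
import io

# Constructed sample in the csv license layout documented above:
# header Name,Copyright,Licenses; licenses separated by ';'; may be empty.
SAMPLE = '''Name,Copyright,Licenses
"my-app","Copyright 2024, Example Corp","Apache-2.0"
"libfoo","Copyright Foo Authors","MIT;BSD-3-Clause"
"libbar","Copyright Bar Ltd",""
"libbaz","","GPL-3.0-only"
'''

# Hypothetical policy: licenses accepted without further review.
ALLOWED = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_license_csv(text):
    """Return a list of (name, copyright, [licenses]) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != ["Name", "Copyright", "Licenses"]:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    rows = []
    for row in reader:
        # The Licenses column packs several entries into one field.
        raw = row["Licenses"] or ""
        licenses = [lic.strip() for lic in raw.split(";") if lic.strip()]
        rows.append((row["Name"], row["Copyright"] or "", licenses))
    return rows


def review(rows, allowed=ALLOWED):
    """Return (component, issue) pairs that need a human decision."""
    findings = []
    for name, _copyright, licenses in rows:
        if not licenses:
            findings.append((name, "no license information"))
        for lic in licenses:
            if lic not in allowed:
                findings.append((name, f"license not on allow-list: {lic}"))
    return findings


if __name__ == "__main__":
    for name, issue in review(parse_license_csv(SAMPLE)):
        print(f"{name}: {issue}")
```

The csv module is used instead of splitting on commas because quoted fields, such as a copyright line, can themselves contain commas.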