Man page - debsbom-delta(1)


DEBSBOM-DELTA(1) debsbom DEBSBOM-DELTA(1)

debsbom-delta - debsbom delta command

debsbom delta [-h] [-o OUT] [--distro-name DISTRO_NAME]
              [--distro-supplier DISTRO_SUPPLIER]
              [--distro-version DISTRO_VERSION]
              [--base-distro-vendor {debian,ubuntu}]
              [--cdx-standard {default,standard-bom}]
              [--spdx-namespace SPDX_NAMESPACE]
              [--cdx-serialnumber CDX_SERIALNUMBER] [--timestamp TIMESTAMP]
              [--add-meta-data key=value] [--validate] [-t {cdx,spdx}]
              base_sbom target_sbom


List components changed in target sbom

Compute the delta between base and target SBOMs, producing a new SBOM containing only additional components from the target.

The delta command compares two SBOMs and produces a new SBOM containing only the components that are present in the target SBOM but not in the base (reference) SBOM.

The most common use-case is identifying new or added components between two builds, images, or distribution states (for example, comparing a previous release SBOM against a newer one), including filtering out already license-cleared components to generate an SBOM containing only components pending license clearance.

The comparison is directional:

  • Base SBOM – treated as the reference
  • Target SBOM – treated as the new or updated SBOM

Given the following structure:

Base SBOM

base-root
|- binary-dep1
|  |- source-dep1
|- binary-dep2


Target SBOM

target-root
|- binary-dep1
|  |- source-dep1
|- binary-dep2
|- binary-dep3
|  |- source-dep3


Running delta would produce:

delta-doc-root
|- binary-dep3
|  |- source-dep3


Components are considered the same if they share the same PURL (Package URL). Only components that are new in the target SBOM, along with their nested dependencies, are included in the resulting SBOM.
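
The comparison described above, sketched in Python as an added example; it is not debsbom's own code. The comp, bom and delta helpers, the PURLs and the minimal CycloneDX-style dictionaries are constructed for illustration, and PURL identity is assumed to be exact string equality. It covers the case shown in the trees, where the nested dependencies of a new component are themselves new.

```python
import json

def comp(name, version, arch="amd64"):
    # Constructed sample component; the PURL doubles as the bom-ref.
    purl = f"pkg:deb/debian/{name}@{version}?arch={arch}"
    return {"type": "library", "bom-ref": purl, "name": name,
            "version": version, "purl": purl}

def bom(root, tree):
    # tree: list of (component, [nested components]) pairs under `root`.
    comps = [c for parent, kids in tree for c in (parent, *kids)]
    deps = [{"ref": root, "dependsOn": [p["bom-ref"] for p, _ in tree]}]
    deps += [{"ref": p["bom-ref"], "dependsOn": [k["bom-ref"] for k in kids]}
             for p, kids in tree]
    return {"components": comps, "dependencies": deps}

def delta(base, target, root_ref="delta-doc-root"):
    # Identity is the exact PURL string (assumption), so a version bump in
    # the target counts as a new component. Components without a PURL are
    # ignored in this sketch.
    base_purls = {c["purl"] for c in base["components"] if "purl" in c}
    kept = [c for c in target["components"]
            if "purl" in c and c["purl"] not in base_purls]
    kept_refs = {c["bom-ref"] for c in kept}
    deps, nested = [], set()
    for d in target["dependencies"]:
        if d["ref"] in kept_refs:
            on = [r for r in d["dependsOn"] if r in kept_refs]
            nested.update(on)
            deps.append({"ref": d["ref"], "dependsOn": on})
    # Kept components that no other kept component depends on hang off the new root.
    top = sorted(kept_refs - nested)
    return {"components": kept,
            "dependencies": [{"ref": root_ref, "dependsOn": top}] + deps}

# Constructed SBOMs mirroring the base and target trees above.
dep1 = (comp("binary-dep1", "1.0"), [comp("source-dep1", "1.0", "source")])
dep3 = (comp("binary-dep3", "3.0"), [comp("source-dep3", "3.0", "source")])
BASE = bom("base-root", [dep1, (comp("binary-dep2", "2.0"), [])])
TARGET = bom("target-root", [dep1, (comp("binary-dep2", "2.0"), []), dep3])

if __name__ == "__main__":
    print(json.dumps(delta(BASE, TARGET), indent=2))
```

Under this assumption an upgraded package shows up in the delta as well, because its PURL carries the version.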

Positional Arguments

base_sbom
    sbom file(s) to process for 'base_sbom'. Use '-' to read from stdin
target_sbom
    sbom file(s) to process for 'target_sbom'. Use '-' to read from stdin

Named Arguments

-o OUT
    filename for output (default: 'extras'). Use '-' to write to stdout
--distro-name DISTRO_NAME
    distro name (default: 'Debian')
--distro-supplier DISTRO_SUPPLIER
    supplier for the root component
--distro-version DISTRO_VERSION
    version for the root component
--base-distro-vendor {debian,ubuntu}
    vendor of debian distribution (debian or ubuntu)
    Possible choices: debian, ubuntu
--cdx-standard {default,standard-bom}
    generate SBOM according to this spec (only for CDX)
    Possible choices: default, standard-bom
--spdx-namespace SPDX_NAMESPACE
    document namespace, must be a valid URI (only for SPDX)
--cdx-serialnumber CDX_SERIALNUMBER
    document serial number, must be a UUID in 8-4-4-4-12 format (only for CDX)
--timestamp TIMESTAMP
    document timestamp in ISO 8601 format
--add-meta-data key=value
    add arbitrary metadata properties to the SBOM
--validate
    validate generated SBOM (only for SPDX)
-t {cdx,spdx}
    SBOM type to process (default: auto-detect), required when reading from stdin
    Possible choices: cdx, spdx


debsbom-generate(1)

Part of the debsbom(1) suite.

Christoph Steiger, Felix Moessbauer

2025, Siemens

March 24, 2026