An SBOM query language and associated utilities to work with data in any format.

bomshell is a runtime environment designed to evaluate expressions, called recipes, that operate on the SBOM graph. bomshell recipes can extract, rearrange and remix data from SBOMs in any format, making SBOM composition a reality.

bomshell is evolving rapidly but it should still be considered pre-release software. The language is still incomplete and changing constantly.

In essence, a bomshell invocation parses a set of SBOMs and executes a recipe. At runrime, the preloaded SBOMs are accesible to the running program from the bomshell environment. For more details be sure to check out the bomshell tutorial and the examples directory.

This example reads an SBOM, extracts its files and returns a new document with no packages, only those files:

bomshell -e 'sbom.files().ToDocument()' mysbom.spdx.json

This recipe the same but with nodes that are package data:

bomshell -e 'sbom.packages().ToDocument()' mysbom.spdx.json

bomshell can read any SBOM format (that protobom supports). By default, output is written as SPDX 2.3 but it can also be rendered to any format:

bomshell --document-format="application/vnd.cyclonedx+json;version=1.4" \
         --execute 'sbom.packages().ToDocument()' mysbom.spdx.json

Reading an SBOM into bomshell and writing it to another format essentially converts it into another format:

bomshell --document-format="application/vnd.cyclonedx+json;version=1.4" \
         --execute 'sbom' mysbom.spdx.json

bomshell is still very young 👶🏽 but it already offers a few functions and methods to query SBOM data. The following example extracts all go packages from an SBOM:

bomshell -e 'sbom.NodesByPurlType("golang")' mysbom.spdx.json 

Specific nodes can be looked up by ID too:

bomshell -e 'sbom.NodeByID("com.github.kubernetes-kubectl")' mysbom.spdx.json

Loaded SBOMs are accessible through the sbom[] array. Nodes in a document can be augmented or replaced. New graph sections can be remixed into a point in a document graph.

The following recipe extracts the npm packages from one SBOM and remixes them as dependencies of a binary in the other:

bomshell -e 'sbom[0].RelateNodeListAtID(sbom[1].NodesByPurlType("npm"), "my-binary", "DEPENDS_ON)' \
         --sbom=sbom1.spdx.json \
         --sbom=sbom2.cdx.json 

Note in the previous example that each SBOM is in a different format. Remixing from different makes bomshell a powerful tool to work with any SBOM, tools can specialize in what they do best and bomshell can compose documents assembled from multiple sources of data.

bomshell recipes are written in CEL (Common Expression Language) making the runtime small and embeddable in other applications.

The backing library of Bomshell is protobom the universal Software Bill of Materials I/O library . The bomshell runtime reads SBOMs and exposes the protobom data graph to the CEL environment, emulating some methods and adding some of its own.

Just as its core components, bomshell is open source, released under the Apache 2.0 license.