← Back to ProjectsView Architecture

SBOM Merger#

Project Overview##

The application downloads SBOM files from JFrog Artifactory repositories, applies configurable exclusion filters, and combines them into unified SBOM documents. It generates both "compile" and "deploy" variants, where the deploy version excludes development and testing dependencies.

Core Classes and Functionality##

SbomCombiner (Main Class)###

  • Primary Function: Entry point that orchestrates the entire SBOM combination process
  • Input Sources:
    • Release definition JSON file containing project configurations
    • Optional input directory with additional SBOM JSON files
    • JFrog Artifactory credentials via system properties
  • Processing Flow:
    1. Reads project configurations from input file
    2. Downloads SBOMs from JFrog paths (either direct SBOM files or extracts from JAR files)
    3. Applies exclusion processing to create compile/deploy variants
    4. Combines all SBOMs using selected merge strategy
    5. Saves final combined SBOMs to structured directory paths
  • Merge Strategies: Supports both hierarchical ("H") and flat ("F") merging approaches
  • Authentication: Uses HTTP Basic authentication with configurable credentials
  • Retry Logic: Implements retry mechanism (up to 3 attempts) for network failures
  • Output Structure: Creates organized directory structure under com/infosys/equinox/sbom/[version]/

SbomExclusionProcessor###

  • Primary Function: Filters out specified components and dependencies from SBOMs
  • Default Exclusions:
    • Group IDs: com.h2database, de.flapdoodle.embed, it.ozimov, au.com.dius, org.projectlombok, org.codehaus.groovy, org.liquibase, org.awaitility, mysql, com.mysql
    • Artifacts: h2, embedded-redis, spring-boot-starter-test, lombok, groovy-all, mysql-connector-java, and others
  • Customization: Accepts custom exclusion sets via constructor parameters
  • Processing Logic:
    • Filters components based on group ID and artifact name matching
    • Processes dependencies recursively, removing excluded references
    • Preserves metadata and other BOM properties

Configuration###

  • Pattern: Uses Builder pattern for object construction
  • Properties: inputFile, inputDir, username, password, mergeStrategy, group, name, version, isHierarchical, excludedGroupIds, excludedArtifacts
  • Validation: Main class validates mandatory properties (inputFile, username, password, version)
  • Defaults: Default group is "com.infosys.equinox", default name is "sbom"

CombinerUtil###

  • Merge Types:
    • Flat Merge: Combines all components and dependencies into a single flat structure
    • Hierarchical Merge: Creates nested structure with main component containing sub-components
  • Deduplication: Uses ComponentKey for component deduplication and dependency reference uniqueness
  • Data Preservation: Merges components, dependencies, external references, and services while avoiding duplicates

ComponentKey###

  • Purpose: Creates unique identifiers for components to enable deduplication
  • Key Fields: type, bomRef, publisher, group, name, version
  • Implementation: Standard equals() and hashCode() methods for Set/Map usage

ProjectTracker###

  • Function: Tracks processing status of projects
  • State Management: Maintains sets of all projects, processed projects, and unprocessed projects
  • Reporting: Provides summary statistics for logging purposes

Technical Dependencies##

  • CycloneDX: Uses org.cyclonedx library for SBOM parsing and generation (Version 1.5)
  • Jackson: For JSON processing and configuration file parsing
  • Java Standard Library: Streams, Collections, HTTP connections, ZIP processing

Data Flow##

  1. System properties configure input file, credentials, and processing options
  2. Release definition file is parsed to extract project configurations
  3. For each project, SBOM is downloaded from JFrog Artifactory (either direct SBOM or extracted from JAR)
  4. Each SBOM is processed through exclusion filter to create compile/deploy variants
  5. All SBOMs are combined using specified merge strategy
  6. Final combined SBOMs are saved with structured naming and directory organization
  7. Processing statistics and project summaries are logged

File Naming Convention##

  • Individual project SBOMs: {projectName}_sbom_{type}_{version}.json
  • Combined SBOMs: equinox_sbom_{type}_{version}.json
  • Types: "compile" (all components) and "deploy" (filtered components)

Configuration Sources##

  • System Properties: All runtime configuration via Java system properties
  • Release Definition File: JSON structure mapping project names to JFrog paths and configurations
  • Input Directory: Optional additional SBOM files for inclusion

The application is designed for enterprise software supply chain management, specifically for combining dependency information from multiple microservices or components into consolidated Software Bill of Materials documents.

Architecture Diagram

Drag to pan, scroll to zoom