feat: add merge-boms command to combine multiple CycloneDX BOMs

logicflakes · logicflakes · commit e363b8e83cec · 2025-08-15T08:27:12.000+05:30
diff --git a/README.md b/README.md
@@ -400,6 +400,46 @@ Flags stand for:
 - **--infile (-f)** - input cyclonedx sbom json file. (Optional - reades from stdin when not specified)
 - **--outfile (-o)** - output file path to write bom json. (Optional - writes to stdout when not specified)
 
+### 9.3 Merge Multiple BOMs
+
+The `merge-boms` command allows you to merge multiple CycloneDX BOMs into a single consolidated BOM. This is useful when you have multiple BOMs from different components or services that need to be combined into a unified view.
+
+Sample command:
+
+```bash
+docker run --rm registry.relizahub.com/library/rearm-cli    \
+    bomutils merge-boms \
+    --input-files bom1.json,bom2.json,bom3.json \
+    --name "merged-application" \
+    --version "1.0.0" \
+    --group "com.example" \
+    --structure FLAT \
+    --outfile merged-bom.json
+```
+
+Sample command with hierarchical structure:
+
+```bash
+docker run --rm registry.relizahub.com/library/rearm-cli    \
+    bomutils merge-boms \
+    --input-files frontend-bom.json,backend-bom.json \
+    --name "full-stack-app" \
+    --version "2.1.0" \
+    --structure HIERARCHICAL \
+    --root-component-merge-mode PRESERVE_UNDER_NEW_ROOT \
+    --purl "pkg:generic/full-stack-app@2.1.0"
+```
+
+Flags stand for:
+- **--input-files** - Comma-separated list of input BOM file paths to merge (required)
+- **--name** - Name for the new root component of the merged BOM (optional)
+- **--version** - Version for the new root component of the merged BOM (optional)
+- **--group** - Group for the new root component of the merged BOM (optional)
+- **--structure** - Structure of the merged BOM: FLAT or HIERARCHICAL (default: FLAT)
+- **--root-component-merge-mode** - How to handle root components: PRESERVE_UNDER_NEW_ROOT or FLATTEN_UNDER_NEW_ROOT (default: PRESERVE_UNDER_NEW_ROOT)
+- **--purl** - Set bom-ref and purl for the root merged component (optional)
+- **--outfile** - Output file path to write merged BOM (optional - writes to stdout when not specified)
+
 ### 10. Use Case: Finalize Release After CI Completion
 
 The `releasefinalizer` command is used to run a release finalizer, which can be executed after submitting a release or after adding a new deliverable to a release. This command signals the completion of the CI process for a release in ReARM, ensuring all post-release or post-deliverable actions are triggered.
diff --git a/cmd/merge_boms.go b/cmd/merge_boms.go
@@ -0,0 +1,163 @@
+package cmd
+
+import (
+	"bytes"
+	"crypto/rand"
+	"fmt"
+	"os"
+
+	cdx "github.com/CycloneDX/cyclonedx-go"
+	"github.com/spf13/cobra"
+)
+
+var (
+	MergeStructure         string
+	MergeGroup             string
+	MergeName              string
+	MergeVersion           string
+	MergeRootComponentMode string
+	MergeInputFiles        []string
+	MergePurl              string
+	MergeOutfile           string
+)
+
+var mergeBomsCmd = &cobra.Command{
+	Use:   "merge-boms",
+	Short: "Merge multiple CycloneDX BOMs into a single BOM",
+	Run: func(cmd *cobra.Command, args []string) {
+		// 1. Read all BOM objects from input files
+		var boms []*cdx.BOM
+		for _, path := range MergeInputFiles {
+			data, err := os.ReadFile(path)
+			if err != nil {
+				fmt.Printf("Error reading file %s: %v\n", path, err)
+				os.Exit(1)
+			}
+			bom := readBomFromBytes(data)
+			boms = append(boms, bom)
+		}
+
+		// 2. Extract roots, components, dependencies
+		var roots []*cdx.Component
+		var allComponents []*cdx.Component
+		var allDependencies []*cdx.Dependency
+
+		for _, bom := range boms {
+			if bom.Metadata != nil && bom.Metadata.Component != nil {
+				roots = append(roots, bom.Metadata.Component)
+			}
+			if bom.Components != nil {
+				for _, comp := range *bom.Components {
+					allComponents = append(allComponents, &comp)
+				}
+			}
+			if bom.Dependencies != nil {
+				for _, dep := range *bom.Dependencies {
+					allDependencies = append(allDependencies, &dep)
+				}
+			}
+		}
+
+		// Prepare deduplication map for FLAT mode
+		componentMap := make(map[string]*cdx.Component) // key: bom-ref
+		for _, comp := range allComponents {
+			if comp.BOMRef != "" {
+				componentMap[comp.BOMRef] = comp
+			}
+		}
+
+		// 3. Merge logic
+		// 3.1 Metadata: create new BOM object, set root from flags
+		mergedBOM := &cdx.BOM{
+			BOMFormat:    "CycloneDX",
+			SpecVersion:  cdx.SpecVersion1_6,
+			SerialNumber: generateSerialNumber(),
+			Version:      1,
+			Metadata: &cdx.Metadata{
+				Component: &cdx.Component{
+					Type:    cdx.ComponentTypeApplication,
+					Name:    MergeName,
+					Group:   MergeGroup,
+					Version: MergeVersion,
+				},
+			},
+		}
+
+		// Set merged root component BOMRef and PackageURL
+		mergedRootRef := setMergedRootComponent(
+			mergedBOM.Metadata.Component,
+			MergeGroup, MergeName, MergeVersion, MergePurl,
+		)
+
+		// 3.2 Components: FLAT or HIERARCHICAL
+		if MergeStructure == "FLAT" {
+			flatComponents := mergeFlatComponents(componentMap)
+			mergedBOM.Components = &flatComponents
+		} else {
+			hierComponents := mergeHierarchicalComponents(roots, boms)
+			mergedBOM.Components = &hierComponents
+		}
+
+		// 3.3 Dependencies: merge according to root component merge mode
+		var mergedDependencies []cdx.Dependency
+		switch MergeRootComponentMode {
+		case "PRESERVE_UNDER_NEW_ROOT":
+			mergedDependencies = mergeDependenciesPreserve(roots, allDependencies, mergedRootRef)
+		case "FLATTEN_UNDER_NEW_ROOT":
+			mergedDependencies = mergeDependenciesFlatten(roots, allDependencies, mergedRootRef)
+		default:
+			fmt.Printf("Unknown MergeRootComponentMode: %s\n", MergeRootComponentMode)
+			os.Exit(1)
+		}
+		if len(mergedDependencies) > 0 {
+			mergedBOM.Dependencies = &mergedDependencies
+		}
+
+		// 4. Output
+		buf := new(bytes.Buffer)
+		if err := cdx.NewBOMEncoder(buf, cdx.BOMFileFormatJSON).Encode(mergedBOM); err != nil {
+			fmt.Printf("Error encoding merged BOM: %v\n", err)
+			os.Exit(1)
+		}
+		if MergeOutfile == "" || MergeOutfile == "-" {
+			_, err := os.Stdout.Write(buf.Bytes())
+			if err != nil {
+				fmt.Printf("Error writing to stdout: %v\n", err)
+				os.Exit(1)
+			}
+		} else {
+			if err := os.WriteFile(MergeOutfile, buf.Bytes(), 0644); err != nil {
+				fmt.Printf("Error writing to file %s: %v\n", MergeOutfile, err)
+				os.Exit(1)
+			}
+		}
+
+	},
+}
+
+func init() {
+	mergeBomsCmd.Flags().StringVar(&MergeStructure, "structure", "FLAT", "Structure of the merged BOM (FLAT, HIERARCHICAL)")
+	mergeBomsCmd.Flags().StringVar(&MergeGroup, "group", "", "New root component group")
+	mergeBomsCmd.Flags().StringVar(&MergeName, "name", "", "New root component name")
+	mergeBomsCmd.Flags().StringVar(&MergeVersion, "version", "", "New root component version")
+	mergeBomsCmd.Flags().StringVar(&MergeRootComponentMode, "root-component-merge-mode", "PRESERVE_UNDER_NEW_ROOT", "Root component merge mode (PRESERVE_UNDER_NEW_ROOT, FLATTEN_UNDER_NEW_ROOT)")
+	mergeBomsCmd.Flags().StringSliceVar(&MergeInputFiles, "input-files", nil, "Input file paths for BOMs to merge")
+	mergeBomsCmd.Flags().StringVar(&MergePurl, "purl", "", "Set bom-ref and purl for the root merged component")
+	mergeBomsCmd.Flags().StringVar(&MergeOutfile, "outfile", "", "Output file path to write merged BOM (default: stdout)")
+
+	bomUtils.AddCommand(mergeBomsCmd)
+}
+
+// generateSerialNumber creates a UUID-style serial number for the merged BOM
+func generateSerialNumber() string {
+	b := make([]byte, 16)
+	_, err := rand.Read(b)
+	if err != nil {
+		// Fallback to a simple timestamp-based serial number if random generation fails
+		return fmt.Sprintf("urn:uuid:merged-bom-%d", len(b))
+	}
+	// Format as UUID v4
+	b[6] = (b[6] & 0x0f) | 0x40 // Version 4
+	b[8] = (b[8] & 0x3f) | 0x80 // Variant bits
+	return fmt.Sprintf("urn:uuid:%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
+}
diff --git a/cmd/merge_boms_helpers.go b/cmd/merge_boms_helpers.go
@@ -0,0 +1,107 @@
+package cmd
+
+import (
+	"fmt"
+
+	cdx "github.com/CycloneDX/cyclonedx-go"
+)
+
+// mergeFlatComponents deduplicates and returns flat components
+func mergeFlatComponents(componentMap map[string]*cdx.Component) []cdx.Component {
+	uniqueComponents := make([]cdx.Component, 0, len(componentMap))
+	for _, comp := range componentMap {
+		uniqueComponents = append(uniqueComponents, *comp)
+	}
+	return uniqueComponents
+}
+
+// mergeHierarchicalComponents creates hierarchical components with children
+func mergeHierarchicalComponents(roots []*cdx.Component, boms []*cdx.BOM) []cdx.Component {
+	hierarchicalComponents := make([]cdx.Component, 0, len(roots))
+	for i, root := range roots {
+		if root == nil {
+			continue
+		}
+		bom := boms[i]
+		var children []cdx.Component
+		if bom.Components != nil {
+			for _, comp := range *bom.Components {
+				children = append(children, comp)
+			}
+		}
+		rootCopy := *root
+		if len(children) > 0 {
+			rootCopy.Components = &children
+		}
+		hierarchicalComponents = append(hierarchicalComponents, rootCopy)
+	}
+	return hierarchicalComponents
+}
+
+// mergeDependenciesPreserve creates dependencies for PRESERVE_UNDER_NEW_ROOT mode
+func mergeDependenciesPreserve(roots []*cdx.Component, allDependencies []*cdx.Dependency, mergedRootRef string) []cdx.Dependency {
+	var rootRefs []string
+	for _, root := range roots {
+		if root != nil && root.BOMRef != "" {
+			rootRefs = append(rootRefs, root.BOMRef)
+		}
+	}
+	mergedDependencies := []cdx.Dependency{
+		{
+			Ref:          mergedRootRef,
+			Dependencies: &rootRefs,
+		},
+	}
+	for _, dep := range allDependencies {
+		if dep != nil {
+			mergedDependencies = append(mergedDependencies, *dep)
+		}
+	}
+	return mergedDependencies
+}
+
+// mergeDependenciesFlatten creates dependencies for FLATTEN_UNDER_NEW_ROOT mode
+func mergeDependenciesFlatten(roots []*cdx.Component, allDependencies []*cdx.Dependency, mergedRootRef string) []cdx.Dependency {
+	depMap := make(map[string]*cdx.Dependency)
+	for _, dep := range allDependencies {
+		if dep != nil {
+			depMap[dep.Ref] = dep
+		}
+	}
+	var flattenedDependsOn []string
+	for _, root := range roots {
+		if root != nil && depMap[root.BOMRef] != nil {
+			flattenedDependsOn = append(flattenedDependsOn, (*depMap[root.BOMRef].Dependencies)...)
+		}
+	}
+	mergedDependencies := []cdx.Dependency{
+		{
+			Ref:          mergedRootRef,
+			Dependencies: &flattenedDependsOn,
+		},
+	}
+	for _, dep := range allDependencies {
+		isRoot := false
+		for _, root := range roots {
+			if root != nil && dep.Ref == root.BOMRef {
+				isRoot = true
+				break
+			}
+		}
+		if !isRoot && dep != nil {
+			mergedDependencies = append(mergedDependencies, *dep)
+		}
+	}
+	return mergedDependencies
+}
+
+// setMergedRootComponent sets the BOMRef and PackageURL for the merged root
+func setMergedRootComponent(component *cdx.Component, group, name, version, purl string) string {
+	if purl != "" {
+		component.PackageURL = purl
+		component.BOMRef = purl
+	} else {
+		component.BOMRef = fmt.Sprintf("%s/%s@%s", group, name, version)
+	}
+	return component.BOMRef
+}
