{"id":7359,"library":"lib4sbom","title":"Lib4SBOM","description":"Lib4SBOM is a Python library designed for parsing, generating, and validating Software Bills of Materials (SBOMs). It supports both SPDX and CycloneDX formats, offering a generic abstraction for SBOM data regardless of the underlying specification. Currently at version 0.10.3, the library maintains an active development pace with frequent minor releases and regular feature updates, addressing new specification versions and user-reported issues.","status":"active","version":"0.10.3","language":"en","source_language":"en","source_url":"https://github.com/anthonyharrison/lib4sbom","tags":["SBOM","SPDX","CycloneDX","security","supply chain","parsing","generation","validation"],"install":[{"cmd":"pip install lib4sbom","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Requires Python 3.9 or higher for core functionality.","package":"python","optional":false},{"reason":"Used for XML parsing, particularly for CycloneDX XML.","package":"defusedxml","optional":false},{"reason":"Used for YAML parsing and generation, especially for SPDX YAML.","package":"pyyaml","optional":false},{"reason":"Potentially used for fetching external data or schemas, often a transitive dependency.","package":"requests","optional":false},{"reason":"Used for version handling and validation.","package":"semantic-version","optional":false},{"reason":"Used for XML schema validation.","package":"xmlschema","optional":false},{"reason":"Used for JSON schema validation.","package":"jsonschema","optional":false},{"reason":"Used for faster JSON schema validation.","package":"fastjsonschema","optional":false}],"imports":[{"symbol":"SBOMParser","correct":"from lib4sbom.parser import SBOMParser"},{"symbol":"SBOMGenerator","correct":"from lib4sbom.generator import SBOMGenerator"},{"symbol":"SBOMOutput","correct":"from lib4sbom.output import SBOMOutput"},{"note":"The core SBOM object for manipulation is in `lib4sbom.sbom`, not `lib4sbom.generator` or `lib4sbom.parser`.","wrong":"from lib4sbom.generator import SBOM","symbol":"SBOM","correct":"from lib4sbom.sbom import SBOM"}],"quickstart":{"code":"import os\nfrom lib4sbom.parser import SBOMParser\n\n# Create a dummy SPDX SBOM file for demonstration\nsbom_content = \"\"\"\nSPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: example-sbom\nDocumentNamespace: https://spdx.org/spdxdocs/spdx-example-44455566-31b3-40e1-b4f0-4660f9450c26\nCreator: Tool: lib4sbom-example\nCreated: 2026-04-16T12:00:00Z\n\nPackageName: SamplePackage\nSPDXID: SPDXRef-Package-Sample\nPackageVersion: 1.0.0\nPackageSupplier: Organization: Example Org (contact@example.org)\nPackageDownloadLocation: NOASSERTION\nPackageLicenseConcluded: MIT\nPackageLicenseDeclared: MIT\nPackageCopyrightText: NOASSERTION\n\"\"\"\n\nexample_sbom_file = \"example.spdx\"\nwith open(example_sbom_file, \"w\") as f:\n    f.write(sbom_content)\n\n# Initialize the SBOM parser\nsbom_parser = SBOMParser(sbom_type='spdx')  # 'auto' can also be used, or 'cyclonedx'\n\n# Parse the SBOM file\ntry:\n    sbom_parser.parse_file(example_sbom_file)\n    print(f\"Successfully parsed SBOM type: {sbom_parser.get_type()}\")\n\n    # Retrieve packages; lib4sbom returns each package as a dictionary of SBOM fields\n    packages = sbom_parser.get_packages()\n    if packages:\n        print(\"Packages found:\")\n        for pkg in packages:\n            print(f\"  - {pkg['name']} ({pkg.get('version', 'unknown')})\")\n    else:\n        print(\"No packages found in SBOM.\")\n\nexcept FileNotFoundError:\n    print(f\"Error: SBOM file '{example_sbom_file}' not found.\")\nexcept Exception as e:\n    print(f\"An error occurred during parsing: {e}\")\nfinally:\n    # Clean up the dummy file\n    if os.path.exists(example_sbom_file):\n        os.remove(example_sbom_file)","lang":"python","description":"This quickstart demonstrates how to parse an existing SBOM file using the `SBOMParser` class. It creates a simple SPDX 2.3 TagValue file, parses it, and then extracts package information. The `sbom_type` parameter can be set to 'spdx', 'cyclonedx', or 'auto' for automatic detection."},"warnings":[{"fix":"Review the release notes for specific version changes. Explicitly set SBOM versions during generation using environment variables like `LIB4SBOM_CYCLONEDX_VERSION` or `LIB4SBOM_SPDX_VERSION` to match your target specification. For SPDX3, set the `LIB4SBOM_SPDX3` environment variable.","message":"Major version updates (e.g., v0.9.0, v0.10.0) introduce support for newer SPDX and CycloneDX specifications (e.g., CycloneDX 1.7, SPDX3). While efforts are made for backward compatibility, ensure your schemas and data adhere to the expected version, especially when converting between formats.","severity":"breaking","affected_versions":">=0.9.0"},{"fix":"Explicitly set the `sbom_type` parameter when initializing `SBOMParser` (e.g., `SBOMParser(sbom_type='spdx')`) if the SBOM format is known, to avoid misdetection. Ensure file extensions align with standard SBOM formats (e.g., `.spdx`, `.cdx.json`).","message":"The `SBOMParser`'s `auto` detection mode relies on file extensions and content heuristics. Providing an incorrect file type (e.g., an SPDX JSON to a CycloneDX parser) or a non-standard file extension can lead to silent failures or empty results.","severity":"gotcha","affected_versions":"All"},{"fix":"Test conversions thoroughly for critical license information. Monitor GitHub issues #88 and #89 for official fixes. Manual verification and correction of license fields may be necessary post-conversion for affected versions.","message":"When converting SBOMs, especially from SPDX 2 to SPDX 3, specific license expressions (e.g., `Apache-2.0 WITH LLVM-exception` or `Apache-1.0+`) can be lost or incorrectly handled, leading to compliance issues.","severity":"breaking","affected_versions":">=0.10.0"},{"fix":"Ensure all required dependencies are installed and up-to-date. If validation errors occur, check the specific error messages for clues about schema violations. Consider using debug output (`debug=True` in `SBOMValidator`) to get more verbose validation feedback.","message":"The library relies on various external schema validators (e.g., `jsonschema`, `xmlschema`). Issues with these dependencies or schema mismatches can cause validation failures, even if the SBOM content appears correct.","severity":"gotcha","affected_versions":"All"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Examine the traceback for more details. Check the input SBOM file for syntax errors or adherence to its declared specification. Try parsing with `sbom_type='auto'` or explicitly specifying the type to help narrow down the issue.","cause":"An error occurred during the internal processing or validation of the SBOM file content, or the file is malformed.","error":"SBOMParserException: Error parsing SBOM file"},{"fix":"Verify that the file path provided to `parse_file()` is correct and accessible. Use an absolute path or ensure the file is in the current working directory.","cause":"The specified SBOM file path does not exist or is incorrect.","error":"FileNotFoundError: [Errno 2] No such file or directory: 'your_sbom_file.json'"},{"fix":"Explicitly set `sbom_type='cyclonedx'` in the `SBOMParser` constructor. If the issue persists, consider downgrading the CycloneDX spec version if possible, or review GitHub issues for specific fixes related to CycloneDX 1.5+ parsing.","cause":"The parser might not correctly detect or fully support certain nuances of newer CycloneDX versions, leading to data extraction failures, even if the file seems syntactically valid. This was reported for CycloneDX 1.5 JSON.","error":"SBOM parser returns empty lists (e.g., for packages, files, relationships) when parsing a valid CycloneDX 1.5 JSON file."}]}