
DEBSBOM-MERGE(1) debsbom DEBSBOM-MERGE(1)

NAME

debsbom-merge - debsbom merge command

SYNOPSIS

debsbom merge [-h] [-o OUT] [--distro-name DISTRO_NAME]
              [--distro-supplier DISTRO_SUPPLIER]
              [--distro-version DISTRO_VERSION]
              [--base-distro-vendor {debian,ubuntu}]
              [--cdx-standard {default,standard-bom}]
              [--spdx-namespace SPDX_NAMESPACE]
              [--cdx-serialnumber CDX_SERIALNUMBER] [--timestamp TIMESTAMP]
              [--add-meta-data key=value] [--validate] [-t {cdx,spdx}]
              [--omit-roots]
              sboms [sboms ...]


DESCRIPTION

Merge multiple SBOMs

Merge multiple SBOMs into a single one.

The merge command merges multiple SBOMs hierarchically. The most common use-case is combining multiple parts of a Debian-based Linux distribution, like a rootfs and an initrd.

The root components/packages of the input SBOMs appear at the first dependency level of the merged SBOM, directly under a newly created root. The following structure in two SBOMs

doc1-root
|- binary-dep1
|  |- source-dep1
|- binary-dep2
doc2-root
|- binary-dep3
|  |- source-dep3
|- binary-dep4


would turn into this:

merged-doc-root
|- doc1-root
|  |- binary-dep1
|  |  |- source-dep1
|  |- binary-dep2
|- doc2-root
|  |- binary-dep3
|  |  |- source-dep3
|  |- binary-dep4


Duplicated components are identified solely by their PURL. A component/package without a PURL cannot be matched and is treated as completely unique, even if another input contains an otherwise identical entry. When two components/packages are identified as identical, their contents are merged and their SBOM reference IDs in the merged document are combined: the surviving ID is the one from the SBOM that appears first in the passed list, and references from later SBOMs are rewritten to it. Duplicate entries and duplicate dependency edges are removed as well. Because the match is by PURL only, two entries that share a PURL are merged regardless of their other fields, and the order of the sboms arguments decides which reference ID survives.
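The merge rules above (new shared root, per-document roots at the first level, PURL-only matching, the first-seen reference ID winning, PURL-less entries kept distinct, duplicate edges dropped, and the --omit-roots flattening) as a small Python model. This is an added illustration, not debsbom's own code: the document layout (a dict with "root", "components" and "dependencies"), the field names, the merge_sboms() and tree_lines() helpers and the rootfs/initrd sample documents are all assumptions constructed for the example; real CycloneDX and SPDX documents carry far more than is modelled here.

```python
"""Toy model of the debsbom merge semantics; assumptions, not debsbom code."""
from __future__ import annotations


def merge_sboms(docs: list[dict], omit_roots: bool = False,
                root_ref: str = "merged-doc-root") -> dict:
    """Merge SBOM documents hierarchically, matching components by PURL only.

    Each input doc is {"root": ref, "components": {ref: {...}},
    "dependencies": {ref: [refs]}}. A component whose PURL was already seen in
    an earlier document is folded into that entry and every later reference
    to it is rewritten to the earlier ref; a component without a PURL never
    matches and is kept as a distinct entry.
    """
    components: dict[str, dict] = {}
    deps: dict[str, list[str]] = {root_ref: []}
    by_purl: dict[str, str] = {}  # purl -> ref of the first occurrence

    def add_dep(src: str, dst: str) -> None:
        # dependency lists behave like sets: no duplicate edges, no self-edges
        if dst != src and dst not in deps.setdefault(src, []):
            deps[src].append(dst)

    for idx, doc in enumerate(docs):
        ref_map: dict[str, str] = {}  # this document's refs -> merged refs
        for ref, comp in doc["components"].items():
            if omit_roots and ref == doc["root"]:
                continue  # --omit-roots: drop the per-document root node
            purl = comp.get("purl")
            if purl is not None and purl in by_purl:
                canon = by_purl[purl]
                # identical component: merge contents, keep the earlier ref
                for key, value in comp.items():
                    components[canon].setdefault(key, value)
                components[canon].setdefault("merged_refs", []).append(ref)
                ref_map[ref] = canon
                continue
            # unique component; avoid clashing with a ref from an earlier doc
            new_ref = ref if ref not in components else f"{ref}#{idx}"
            components[new_ref] = dict(comp)
            if purl is not None:
                by_purl[purl] = new_ref
            ref_map[ref] = new_ref

        for src, targets in doc["dependencies"].items():
            if omit_roots and src == doc["root"]:
                # packages of this document hang directly off the shared root
                for dst in targets:
                    add_dep(root_ref, ref_map[dst])
                continue
            for dst in targets:
                add_dep(ref_map[src], ref_map[dst])
        if not omit_roots:
            add_dep(root_ref, ref_map[doc["root"]])

    return {"root": root_ref, "components": components, "dependencies": deps}


def tree_lines(doc: dict, ref: str | None = None, depth: int = 0) -> list[str]:
    """Render the dependency tree in the notation used by this man page."""
    ref = doc["root"] if ref is None else ref
    prefix = "|  " * (depth - 1) + "|- " if depth else ""
    lines = [prefix + ref]
    for child in doc["dependencies"].get(ref, []):
        lines.extend(tree_lines(doc, child, depth + 1))
    return lines


LIBC = "pkg:deb/debian/libc6@2.36-9?arch=amd64"
GLIBC_SRC = "pkg:deb/debian/glibc@2.36-9?arch=source"

# constructed sample input: a rootfs SBOM and an initrd SBOM sharing libc6
ROOTFS = {
    "root": "rootfs",
    "components": {
        "rootfs": {"name": "rootfs"},                        # no PURL
        "bin-libc": {"name": "libc6", "purl": LIBC},
        "src-glibc": {"name": "glibc", "purl": GLIBC_SRC},
        "bin-bash": {"name": "bash",
                     "purl": "pkg:deb/debian/bash@5.2.15-2?arch=amd64"},
        "local-tool": {"name": "local-tool"},                # no PURL
    },
    "dependencies": {"rootfs": ["bin-libc", "bin-bash", "local-tool"],
                     "bin-libc": ["src-glibc"]},
}
INITRD = {
    "root": "initrd",
    "components": {
        "initrd": {"name": "initrd"},
        "libc": {"name": "libc6", "purl": LIBC, "version": "2.36-9"},
        "src-glibc": {"name": "glibc", "purl": GLIBC_SRC},
        "busybox": {"name": "busybox",
                    "purl": "pkg:deb/debian/busybox@1.35.0-4?arch=amd64"},
        "local-tool": {"name": "local-tool"},  # no PURL: never matches rootfs's
    },
    "dependencies": {"initrd": ["libc", "busybox", "local-tool"],
                     "libc": ["src-glibc"]},
}

if __name__ == "__main__":
    print("\n".join(tree_lines(merge_sboms([ROOTFS, INITRD]))))
    print()
    print("\n".join(tree_lines(merge_sboms([ROOTFS, INITRD], omit_roots=True))))
```

Running it shows libc6 collapsed onto the rootfs document's reference "bin-libc" (the initrd's "libc" ref is rewritten, and its extra "version" field is merged in), the two PURL-less "local-tool" entries kept apart, the duplicate bin-libc -> src-glibc edge emitted once, and with omit_roots the packages of both documents hanging directly off "merged-doc-root".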

OPTIONS

Positional Arguments

sboms
    SBOM file(s) to process. Use '-' to read from stdin.

Named Arguments

-o OUT
    filename for output (default: 'merged'). Use '-' to write to stdout.

--distro-name DISTRO_NAME
    distro name (default: 'Debian')

--distro-supplier DISTRO_SUPPLIER
    supplier for the root component

--distro-version DISTRO_VERSION
    version for the root component

--base-distro-vendor {debian,ubuntu}
    vendor of the Debian-based distribution (debian or ubuntu)

    Possible choices: debian, ubuntu

--cdx-standard {default,standard-bom}
    generate the SBOM according to this spec (only for CDX)

    Possible choices: default, standard-bom

--spdx-namespace SPDX_NAMESPACE
    document namespace, must be a valid URI (only for SPDX)

--cdx-serialnumber CDX_SERIALNUMBER
    document serial number, must be a UUID in 8-4-4-4-12 format (only for CDX)

--timestamp TIMESTAMP
    document timestamp in ISO 8601 format

--add-meta-data key=value
    add arbitrary metadata properties to the SBOM

--validate
    validate the generated SBOM (only for SPDX)

-t {cdx,spdx}
    SBOM type to process (default: auto-detect); required when reading from stdin

    Possible choices: cdx, spdx

--omit-roots
    omit the root nodes of the input SBOMs when merging; all packages are placed directly under the shared new root instead

SEE ALSO

debsbom-generate(1)

DEBSBOM

Part of the debsbom(1) suite.

Author

Christoph Steiger, Felix Moessbauer

Copyright

2025, Siemens

March 20, 2026