sbominator / transformatron
A PHP library to transforms SBOMs between SPDX and CycloneDX formats
Requires
- php: ^8.0
- ext-json: *
Requires (Dev)
- phpunit/phpunit: ^9.0
This package is auto-updated.
Last update: 2025-03-17 22:23:17 UTC
README
A PHP library for transforming Software Bill of Materials (SBOM) between SPDX and CycloneDX formats.
Installation
Install via Composer:
composer require sbominator/transformatron
Requirements
- PHP 8.0 or higher
- ext-json extension
Basic Usage
The library provides simple methods for converting between SPDX and CycloneDX formats:
<?php use SBOMinator\Transformatron\Converter; use SBOMinator\Transformatron\Exception\ConversionException; use SBOMinator\Transformatron\Exception\ValidationException; // Create a converter instance $converter = new Converter(); // Convert SPDX to CycloneDX try { $spdxJson = file_get_contents('path/to/spdx-sbom.json'); $result = $converter->convertSpdxToCyclonedx($spdxJson); // Get the converted content $cyclonedxJson = $result->getContent(); // Write to file file_put_contents('path/to/output-cyclonedx.json', $cyclonedxJson); // Check for any warnings if ($result->hasWarnings()) { echo "Conversion completed with warnings:\n"; foreach ($result->getWarnings() as $warning) { echo "- {$warning}\n"; } } } catch (ValidationException $e) { echo "Validation error: " . $e->getMessage() . "\n"; print_r($e->getValidationErrors()); } catch (ConversionException $e) { echo "Conversion error: " . $e->getMessage() . "\n"; echo "Source format: " . $e->getSourceFormat() . "\n"; echo "Target format: " . $e->getTargetFormat() . "\n"; } // Convert CycloneDX to SPDX try { $cyclonedxJson = file_get_contents('path/to/cyclonedx-sbom.json'); $result = $converter->convertCyclonedxToSpdx($cyclonedxJson); // Get the converted content $spdxJson = $result->getContent(); // Write to file file_put_contents('path/to/output-spdx.json', $spdxJson); } catch (ValidationException | ConversionException $e) { echo "Error: " . $e->getMessage() . "\n"; }
CLI Usage
Transformatron can be used directly on the CLI:
$ bin/transformatron path/to/spdx.json { "bomFormat": "CycloneDX", "specVersion": "1.4", ...
The CLI tool supports the ability to automatically detect source and target versions, but they can also be specified manually:
Usage: transformatron <path-to-sbom-file> [--format=spdx|cyclonedx] [--target=spdx|cyclonedx]
Options:
--format=spdx|cyclonedx Specify the format of the input SBOM file
--target=spdx|cyclonedx Specify the format of the output SBOM file
--help Display this help message
--version Display the version of this tool
Advanced Usage
Auto-detecting Format
The library can automatically detect the source format and convert to the specified target format:
$json = file_get_contents('path/to/unknown-format-sbom.json'); // Detect the format $sourceFormat = $converter->detectFormat($json); if ($sourceFormat) { echo "Detected format: " . $sourceFormat . "\n"; } // Convert to target format using auto-detection try { $targetFormat = Converter::FORMAT_CYCLONEDX; // or Converter::FORMAT_SPDX $result = $converter->convert($json, $targetFormat); echo "Successfully converted to " . $result->getFormat() . "\n"; } catch (ValidationException | ConversionException $e) { echo "Error: " . $e->getMessage() . "\n"; }
Accessing Conversion Details
The ConversionResult
object provides detailed information about the conversion:
$result = $converter->convertSpdxToCyclonedx($spdxJson); // Check if conversion was successful if ($result->isSuccessful()) { echo "Conversion successful\n"; } else { echo "Conversion completed with errors\n"; } // Get all warnings foreach ($result->getWarnings() as $warning) { echo "Warning: {$warning}\n"; } // Get all errors (including non-critical ones) foreach ($result->getErrors() as $error) { echo "Error ({$error->getSeverity()}): {$error->getMessage()}\n"; } // Get a summary of the conversion $summary = $result->getSummary(); print_r($summary); // Access the converted content as an array $contentArray = $result->getContentAsArray();
Specialized Converters
If you need more control, you can work with the specialized converters directly:
use SBOMinator\Transformatron\Factory\ConverterFactory; // Create a converter factory $factory = new ConverterFactory(); // Get a specific converter $spdxToCycloneDxConverter = $factory->createConverter( Converter::FORMAT_SPDX, Converter::FORMAT_CYCLONEDX ); // Or by conversion path $cycloneDxToSpdxConverter = $factory->createConverterForPath('cyclonedx-to-spdx'); // Use the converter directly $result = $spdxToCycloneDxConverter->convert($spdxJson);
Using the Converter
The Converter
class is designed to be simple to use with sensible defaults:
// Create a converter instance $converter = new Converter(); // Use the converter methods $result = $converter->convert($json, Converter::FORMAT_SPDX);
Features
- Convert between SPDX 2.3 and CycloneDX 1.4 JSON formats
- Auto-detection of source formats
- Comprehensive field mapping:
- Document metadata and creation information
- Packages/Components with detailed properties
- Dependencies and relationships
- License information with support for expressions
- Hash/checksum data with multiple algorithms
- Detailed validation with warnings and errors
- Exception handling for validation and conversion errors
Supported Field Mappings
SPDX to CycloneDX
spdxVersion
→specVersion
dataLicense
→license
name
→name
SPDXID
→serialNumber
documentNamespace
→documentNamespace
creationInfo
→metadata
packages
→components
relationships
→dependencies
CycloneDX to SPDX
bomFormat
→ (no direct mapping)specVersion
→spdxVersion
version
→ (no direct mapping)serialNumber
→SPDXID
name
→name
metadata
→creationInfo
components
→packages
dependencies
→relationships
Running Tests
To run the test suite:
composer install
composer test
Error Handling
The library provides two main exception types:
ValidationException
: Thrown when the input JSON is invalid or required fields are missingConversionException
: Thrown when the conversion process fails due to errors
Additionally, the ConversionResult
class collects warnings and non-critical errors during the conversion process.
License
MIT License
Contributing
please see CONTRIBUTING.md for more information.