feat: add merge sboms feature

sbomtool merge feature allows multiple sboms of the same type to be
merged into a single sbom. This change allows us to merge the sboms of
multiple individual packages into a large sbom for an image.

Signed-off-by: Richard Kelly <[email protected]>

Author: rpkelly

sbomtool/README.md

@@ -12,7 +12,8 @@ A Software Bill of Materials (SBOM) generation tool for the Bottlerocket SDK.
 - Generate SBOM files in multiple formats:
   - SPDX 2.3 (JSON)
   - CycloneDX 1.6 (JSON)
-- Future support for merging multiple SBOM files
+- Merge multiple SBOM files with intelligent deduplication
+- Filter SBOM files based on buildroot contents
 
 ## Installation
 
@@ -46,18 +47,25 @@ Options:
 - `--spdx`: Generate an SPDX SBOM
 - `--cyclonedx`: Generate a CycloneDX SBOM
 
-#### Merge (Future Feature)
+#### Merge
 
-Merge multiple SBOM files:
+Merge multiple SBOM files into a single comprehensive SBOM:
 
 ```
 sbomtool merge [options] file1 file2 [file3...]
 ```
 
 Options:
-- `--level int`: Merge level (default 0)
+- `--output string`: Output file path for merged SBOM (required)
+- `--level int`: Merge level (reserved for future use) (default 0)
 
-Note: This feature is not yet implemented.
+The merge command combines multiple SBOM files while:
+- Deduplicating packages using CPE-based matching
+- Preserving all dependency relationships
+- Maintaining SBOM format integrity
+- Providing comprehensive merge statistics
+
+All input files must be in the same format (SPDX or CycloneDX).
 
 ### Examples
 
@@ -76,12 +84,38 @@ Generate both SPDX and CycloneDX SBOMs:
 sbomtool generate --name mypackage --build-dir ./build --out-dir ./sbom --spdx --cyclonedx
 ```
 
+Merge multiple SPDX SBOMs:
+```
+sbomtool merge --output merged.json app1-spdx.json app2-spdx.json lib1-spdx.json
+```
+
+Merge with debug logging:
+```
+sbomtool --log-level debug merge --output final.json app1.json app2.json app3.json
+```
+
 ## Output
 
 The tool generates SBOM files in the specified output directory:
 - `{name}-spdx.json`: SPDX format SBOM
 - `{name}-cyclonedx.json`: CycloneDX format SBOM
 
+## Deduplication Behavior
+
+The merge command uses deduplication to combine packages from multiple SBOMs:
+
+### CPE-Based Deduplication
+- **Primary Strategy**: Uses CPE as the canonical identifier
+- **Fallback Strategy**: Uses name + version + type for packages without CPE
+- **Metadata Merging**: Combines licenses, files, and other metadata from duplicate packages
+- **Relationship Preservation**: Updates all dependency relationships to reference canonical packages
+
+### Deduplication Process
+1. **Package Identity**: Generates canonical keys using CPE or fallback strategy
+2. **Conflict Resolution**: First occurrence with CPE becomes canonical
+3. **Metadata Consolidation**: Merges all metadata from duplicate packages
+4. **Relationship Updates**: Updates all relationships to use canonical package IDs
+
 ## Implementation Details
 
 `sbomtool` uses the [Anchore Syft](https://github.com/anchore/syft) library for SBOM generation, which provides comprehensive package detection across various ecosystems.

sbomtool/cmd/sbomtool/main.go

@@ -97,7 +97,7 @@ and includes CPE-based package deduplication for both merge and filter operation
 	return rootCmd
 }
 
-// createGenerateCommand creates and configures the generate subcommand.
+// createGenerateCommand creates the generate subcommand for SBOM file creation.
 func createGenerateCommand() *cobra.Command {
 	generateCmd := &cobra.Command{
 		Use:   "generate",
@@ -447,32 +447,71 @@ func createMergeCommand() *cobra.Command {
 		Short: "Merge multiple SBOM files",
 		Long: `Merge multiple SBOM files into a single SBOM.
 
-This feature is not yet implemented and will return an error.
-Future versions will support merging SBOM files with configurable merge levels.`,
+DESCRIPTION:
+The merge command combines multiple SBOM files while:
+- Deduplicating packages that appear in multiple inputs
+- Preserving all dependency relationships
+- Maintaining SBOM format integrity
+- Providing comprehensive merge statistics
+
+DEDUPLICATION:
+Packages are deduplicated based on CPE when available, with fallback to name+version+type.
+When duplicates are found:
+- First occurrence becomes the canonical package
+- File lists and metadata are merged from all duplicates
+- All relationships are updated to reference canonical packages
+
+SUPPORTED FORMATS:
+- SPDX 2.3 (JSON)
+- CycloneDX 1.6 (JSON)
+All input files must be the same format.`,
+
+		Example: `  # Merge multiple SPDX SBOMs
+  sbomtool merge --output merged.json app1-spdx.json app2-spdx.json lib1-spdx.json
+
+  # Merge with debug logging
+  sbomtool --log-level debug merge --output final.json app1.json app2.json app3.json`,
+
 		Args: cobra.MinimumNArgs(2),
 		RunE: runMerge,
 	}
 
-	mergeCmd.Flags().Int("level", 0, "Merge level")
+	mergeCmd.Flags().String("output", "", "Output file path for merged SBOM (required)")
+	mergeCmd.Flags().Int("level", 0, "Merge level (reserved for future use)")
+	if err := mergeCmd.MarkFlagRequired("output"); err != nil {
+		slog.Error("Failed to mark output flag as required", "error", err)
+		os.Exit(1)
+	}
 
 	return mergeCmd
 }
 
 // runMerge executes the SBOM merge process.
-//
-// Currently returns ErrNotImplemented as the merge functionality is planned for future implementation.
 func runMerge(cmd *cobra.Command, args []string) error {
+	outputPath, _ := cmd.Flags().GetString("output")
 	level, _ := cmd.Flags().GetInt("level")
 
-	slog.Debug("Starting sbomtool merge",
-		"level", level,
-		"file_count", len(args))
+	config := merge.MergeConfig{
+		OutputPath: outputPath,
+		Level:      level,
+	}
 
-	_, err := merge.Merge(level, args)
+	slog.Info("Starting SBOM merge process",
+		"input_files", len(args),
+		"output_path", outputPath)
+
+	result, err := merge.Merge(config, args)
 	if err != nil {
-		return fmt.Errorf("SBOM merge failed: %w", err)
+		return fmt.Errorf("sbom merge failed: %w", err)
 	}
 
+	slog.Info("SBOM merge completed successfully",
+		"input_sboms", result.Statistics.InputSBOMs,
+		"input_packages", result.Statistics.TotalInputPackages,
+		"output_packages", result.Statistics.OutputPackages,
+		"deduplicated", result.Statistics.DeduplicatedPackages,
+		"processing_time", result.Statistics.ProcessingTime)
+
 	return nil
 }
 

sbomtool/cmd/sbomtool/merge_integration_test.go

@@ -0,0 +1,214 @@
+package main
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/bottlerocket-os/bottlerocket-sdk/sbomtool/go/internal/commands/merge"
+)
+
+func TestMergeIntegration(t *testing.T) {
+	// GIVEN: Two SPDX SBOM files with overlapping packages
+	// WHEN: Merge command is executed
+	// THEN: Merged SBOM should be created with proper deduplication
+
+	tempDir := t.TempDir()
+
+	// Create test SPDX SBOMs
+	sbom1 := createTestSPDXSBOM("app1", []TestPackage{
+		{Name: "pkg1", Version: "1.0.0"},
+		{Name: "pkg2", Version: "2.0.0"},
+	})
+	sbom2 := createTestSPDXSBOM("app2", []TestPackage{
+		{Name: "pkg1", Version: "1.0.0"}, // Duplicate
+		{Name: "pkg3", Version: "3.0.0"},
+	})
+
+	// Write test files
+	file1 := filepath.Join(tempDir, "sbom1.json")
+	file2 := filepath.Join(tempDir, "sbom2.json")
+	outputFile := filepath.Join(tempDir, "merged.json")
+
+	require.NoError(t, writeJSONFile(file1, sbom1))
+	require.NoError(t, writeJSONFile(file2, sbom2))
+
+	// Execute merge command
+	rootCmd := createRootCommand()
+	rootCmd.SetArgs([]string{
+		"merge",
+		"--output", outputFile,
+		file1, file2,
+	})
+
+	err := rootCmd.Execute()
+	require.NoError(t, err, "Merge command should execute successfully")
+
+	// Verify output file exists
+	assert.FileExists(t, outputFile, "Merged SBOM file should be created")
+
+	// Test the in-memory SBOM directly (like deduplication tests)
+	// Re-run the merge logic to get the in-memory result
+	config := merge.MergeConfig{
+		OutputPath: outputFile,
+		Level:      0,
+	}
+	result, err := merge.Merge(config, []string{file1, file2})
+	require.NoError(t, err, "Direct merge should work")
+
+	// Test the in-memory SBOM packages
+	packages := make([]pkg.Package, 0)
+	for p := range result.MergedSBOM.Artifacts.Packages.Enumerate() {
+		packages = append(packages, p)
+	}
+
+	// Basic structure validation on in-memory SBOM
+	assert.Greater(t, len(packages), 0, "Should have packages after merge")
+	assert.Equal(t, 3, len(packages), "Should have exactly 3 packages after deduplication (pkg1, pkg2, pkg3)")
+
+	// Verify specific packages exist
+	packageNames := make([]string, len(packages))
+	for i, p := range packages {
+		packageNames[i] = p.Name
+	}
+	assert.Contains(t, packageNames, "pkg1")
+	assert.Contains(t, packageNames, "pkg2")
+	assert.Contains(t, packageNames, "pkg3")
+}
+
+func TestMergeIntegrationCycloneDX(t *testing.T) {
+	// GIVEN: Two CycloneDX SBOM files with overlapping packages
+	// WHEN: Merge command is executed
+	// THEN: Merged SBOM should be created with proper deduplication
+
+	tempDir := t.TempDir()
+
+	// Create test CycloneDX SBOMs
+	sbom1 := createTestCycloneDXSBOM("app1", []TestPackage{
+		{Name: "pkg1", Version: "1.0.0"},
+		{Name: "pkg2", Version: "2.0.0"},
+	})
+	sbom2 := createTestCycloneDXSBOM("app2", []TestPackage{
+		{Name: "pkg1", Version: "1.0.0"}, // Duplicate
+		{Name: "pkg3", Version: "3.0.0"},
+	})
+
+	// Write test files
+	file1 := filepath.Join(tempDir, "sbom1.json")
+	file2 := filepath.Join(tempDir, "sbom2.json")
+	outputFile := filepath.Join(tempDir, "merged.json")
+
+	require.NoError(t, writeJSONFile(file1, sbom1))
+	require.NoError(t, writeJSONFile(file2, sbom2))
+
+	// Execute merge command
+	rootCmd := createRootCommand()
+	rootCmd.SetArgs([]string{
+		"merge",
+		"--output", outputFile,
+		file1, file2,
+	})
+
+	err := rootCmd.Execute()
+	require.NoError(t, err, "Merge command should execute successfully")
+
+	// Verify output file exists
+	assert.FileExists(t, outputFile, "Merged SBOM file should be created")
+
+	// Test the in-memory SBOM directly (like deduplication tests)
+	// Re-run the merge logic to get the in-memory result
+	config := merge.MergeConfig{
+		OutputPath: outputFile,
+		Level:      0,
+	}
+	result, err := merge.Merge(config, []string{file1, file2})
+	require.NoError(t, err, "Direct merge should work")
+
+	// Test the in-memory SBOM packages
+	packages := make([]pkg.Package, 0)
+	for p := range result.MergedSBOM.Artifacts.Packages.Enumerate() {
+		packages = append(packages, p)
+	}
+
+	// Basic structure validation on in-memory SBOM
+	assert.Greater(t, len(packages), 0, "Should have packages after merge")
+	// CycloneDX includes metadata components (app1, app2) plus deduplicated libraries (pkg1, pkg2, pkg3)
+	assert.Equal(t, 5, len(packages), "Should have 5 packages: 2 app components + 3 deduplicated libraries")
+
+	// Verify specific library packages exist (the actual dependencies)
+	packageNames := make([]string, len(packages))
+	for i, p := range packages {
+		packageNames[i] = p.Name
+	}
+	assert.Contains(t, packageNames, "pkg1")
+	assert.Contains(t, packageNames, "pkg2")
+	assert.Contains(t, packageNames, "pkg3")
+	assert.Contains(t, packageNames, "app1") // Metadata component
+	assert.Contains(t, packageNames, "app2") // Metadata component
+}
+
+// TestPackage represents a simple package for testing
+type TestPackage struct {
+	Name    string
+	Version string
+}
+
+// createTestSPDXSBOM creates a minimal SPDX SBOM for testing
+func createTestSPDXSBOM(name string, packages []TestPackage) map[string]interface{} {
+	spdxPackages := make([]map[string]interface{}, len(packages))
+	for i, pkg := range packages {
+		spdxPackages[i] = map[string]interface{}{
+			"SPDXID":      "SPDXRef-Package-" + pkg.Name,
+			"name":        pkg.Name,
+			"versionInfo": pkg.Version,
+		}
+	}
+
+	return map[string]interface{}{
+		"spdxVersion":       "SPDX-2.3",
+		"dataLicense":       "CC0-1.0",
+		"SPDXID":            "SPDXRef-DOCUMENT",
+		"name":              name,
+		"documentNamespace": "https://example.com/" + name,
+		"packages":          spdxPackages,
+	}
+}
+
+// createTestCycloneDXSBOM creates a minimal CycloneDX SBOM for testing
+func createTestCycloneDXSBOM(name string, packages []TestPackage) map[string]interface{} {
+	components := make([]map[string]interface{}, len(packages))
+	for i, pkg := range packages {
+		components[i] = map[string]interface{}{
+			"type":    "library",
+			"name":    pkg.Name,
+			"version": pkg.Version,
+		}
+	}
+
+	return map[string]interface{}{
+		"bomFormat":   "CycloneDX",
+		"specVersion": "1.6",
+		"version":     1,
+		"metadata": map[string]interface{}{
+			"component": map[string]interface{}{
+				"type": "application",
+				"name": name,
+			},
+		},
+		"components": components,
+	}
+}
+
+// writeJSONFile writes data as JSON to a file
+func writeJSONFile(path string, data interface{}) error {
+	jsonData, err := json.MarshalIndent(data, "", "  ")
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(path, jsonData, 0644)
+}