Converts a CycloneDX file into a KissBOM. Implements the kissbom-spec.
Let's face it - SBOMs can be massive in size. On an episode of daBOM, Philippe Ombredanne mentioned that he had created a very minimal SBOM specification called KissBOM. KissBOMs are pretty much the bare minimum that one would need to describe software in an SBOM format.
We thought it may be cool to implement a CLI that would convert a CycloneDX file to a KissBOM. kissbom takes a CycloneDX file, removes all non-essential fields, and lets you save the result in a variety of formats - including a CycloneDX formatted kissbom.
Using a sample CycloneDX SBOM for juiceshop, we found that a generated kissbom in JSON format was 1/10th of the size of the original file.
KissBOMs contain a collection of packages similar to the one defined in a CycloneDX file, but with only the essential fields. The fields that are retained from the CycloneDX spec are:
| Field | Description | Required |
|---|---|---|
| PURL | The package url | YES |
| License | The defined License of the package | NO |
| Copyright | The copyright for the package | NO |
| Notes | Any notes available for the package | NO |
You can use Homebrew to install kissbom using the following:

```sh
brew tap devops-kung-fu/homebrew-tap
brew install devops-kung-fu/homebrew-tap/kissbom
```

If you do not have Homebrew, you can still download the latest release (ex: kissbom.1.0_darwin_all.tar.gz), extract the files from the archive, and use the kissbom binary.

If you wish, you can move the kissbom binary to your /usr/local/bin directory or anywhere on your path.
To install kissbom, download the latest release for your platform and install locally. For example, install kissbom on Ubuntu:

```sh
dpkg -i kissbom_0.4.1_linux_arm64.deb
```

kissbom is a really simple CLI with only a small number of options. To quickly convert a CycloneDX SBOM to a JSON formatted KissBOM, run the following (where test.cyclonedx.json is a valid CycloneDX SBOM):

```sh
kissbom convert test.cyclonedx.json
```

kissbom can output a KissBOM in a variety of formats using the --format flag. Valid options are:
| Option | Description |
|---|---|
| --format=json | Outputs all 4 KissBOM fields in JSON format. This is the default output format |
| --format=yaml | Outputs all 4 KissBOM fields in YAML format |
| --format=csv | Outputs all 4 KissBOM fields into a CSV formatted file |
| --format=minimal | Outputs just the required KissBOM field (PURL) into a JSON formatted file |
| --format=compatible | Outputs all 4 KissBOM fields in a CycloneDX formatted JSON file |
To enable verbose logging in kissbom, use the --debug flag.
A big thank-you to our friends at Good Ware for the kissbom logo.
