Add SBOM export functionality

- Introduced `git pkgs sbom` command to export dependencies as a Software Bill of Materials (SBOM).
- Supported output formats: CycloneDX (default) and SPDX, with options for JSON and XML.
- Enhanced dependency enrichment to include package URLs, versions, licenses, and integrity hashes.
- Updated documentation to reflect new SBOM command and its options.
- Modified package and version models to store supplier information and enrich from external API.
- Improved license enrichment logic to prioritize version-level licenses over package-level.
- Added tests for SBOM command, including various output formats and enrichment scenarios.
- Updated database schema to accommodate new supplier fields.

Author: andrew

CHANGELOG.md

@@ -1,9 +1,17 @@
 ## [Unreleased]
 
+## [0.9.0] - 2026-01-14
+
+- `git pkgs sbom` command to export dependencies as SPDX or CycloneDX
 - `git pkgs integrity` command to show and verify lockfile integrity hashes
+- Parse go.sum for Go module integrity hashes (no longer ignored)
+- Convert Go h1: hashes (base64) to hex for SBOM compatibility
 - `--drift` flag to detect packages with different hashes for the same version
 - Registry integrity comparison via ecosyste.ms API
-- Store integrity hashes from lockfiles in dependency_snapshots table (schema v4, run `git pkgs upgrade`)
+- Store integrity hashes from lockfiles in dependency_snapshots table
+- SBOM export includes supplier info from ecosyste.ms (owner/maintainer)
+- License commands use version-level license data when available
+- Store supplier_name and supplier_type on packages (schema v5, run `git pkgs upgrade`)
 - Update ecosystems-bibliothecary to ~> 15.3 (integrity extraction from lockfiles)
 - Update purl to >= 1.7.1 (ecosyste.ms API URL support)
 

Gemfile.lock

@@ -7,11 +7,13 @@ GIT
 PATH
   remote: .
   specs:
-    git-pkgs (0.8.0)
+    git-pkgs (0.9.0)
+      base64
       ecosystems-bibliothecary (~> 15.3)
       purl (~> 1.7, >= 1.7.1)
       rugged (~> 1.0)
       sarif-ruby
+      sbom (~> 0.4)
       sequel (>= 5.0)
       sqlite3 (>= 2.0)
       vers (~> 1.0)
@@ -21,6 +23,7 @@ GEM
   specs:
     addressable (2.8.8)
       public_suffix (>= 2.0.2, < 8.0)
+    base64 (0.3.0)
     benchmark (0.5.0)
     bigdecimal (4.0.1)
     crack (1.0.1)
@@ -76,6 +79,10 @@ GEM
       io-console (~> 0.5)
     rexml (3.4.4)
     rugged (1.9.0)
+    sbom (0.4.1)
+      json_schemer (~> 2.0)
+      purl (~> 1.6)
+      rexml (~> 3.2)
     sequel (5.100.0)
       bigdecimal
     simplecov (0.22.0)
@@ -130,6 +137,7 @@ DEPENDENCIES
 
 CHECKSUMS
   addressable (2.8.8) sha256=7c13b8f9536cf6364c03b9d417c19986019e28f7c00ac8132da4eb0fe393b057
+  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
   benchmark (0.5.0) sha256=465df122341aedcb81a2a24b4d3bd19b6c67c1530713fd533f3ff034e419236c
   bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
   crack (1.0.1) sha256=ff4a10390cd31d66440b7524eb1841874db86201d5b70032028553130b6d4c7e
@@ -138,7 +146,7 @@ CHECKSUMS
   docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e
   ecosystems-bibliothecary (15.3.0) sha256=dc3c8caa3218bf833beba9e3eb8cbeb35987f771532ff0eab87fbcdfb30ce4eb
   erb (6.0.1) sha256=28ecdd99c5472aebd5674d6061e3c6b0a45c049578b071e5a52c2a7f13c197e5
-  git-pkgs (0.8.0)
+  git-pkgs (0.9.0)
   hana (1.3.7) sha256=5425db42d651fea08859811c29d20446f16af196308162894db208cac5ce9b0d
   hashdiff (1.2.1) sha256=9c079dbc513dfc8833ab59c0c2d8f230fa28499cc5efb4b8dd276cf931457cd1
   io-console (0.8.2) sha256=d6e3ae7a7cc7574f4b8893b4fca2162e57a825b223a177b7afa236c5ef9814cc
@@ -162,6 +170,7 @@ CHECKSUMS
   rexml (3.4.4) sha256=19e0a2c3425dfbf2d4fc1189747bdb2f849b6c5e74180401b15734bc97b5d142
   rugged (1.9.0) sha256=7faaa912c5888d6e348d20fa31209b6409f1574346b1b80e309dbc7e8d63efac
   sarif-ruby (0.1.0)
+  sbom (0.4.1) sha256=0c0cb49c43048f53c7eacaa536064704747825f3ba6b607dfe481aab9c591f37
   sequel (5.100.0) sha256=cb0329b62287a01db68eead46759c14497a3fae01b174e2c41da108a9e9b4a12
   simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
   simplecov-html (0.13.2) sha256=bd0b8e54e7c2d7685927e8d6286466359b6f16b18cb0df47b508e8d73c777246

README.md

@@ -335,6 +335,20 @@ git pkgs integrity --stateless  # no database needed
 
 The `--drift` flag scans your history for packages where the same version has different integrity hashes, which could indicate a supply chain issue.
 
+### SBOM export
+
+Export dependencies as a Software Bill of Materials in CycloneDX or SPDX format:
+
+```bash
+git pkgs sbom                      # CycloneDX JSON (default)
+git pkgs sbom --type spdx          # SPDX JSON
+git pkgs sbom -f xml               # XML instead of JSON
+git pkgs sbom --name my-project    # custom project name
+git pkgs sbom --stateless          # no database needed
+```
+
+Includes package URLs (purls), versions, and licenses (fetched from registries). Use `--skip-enrichment` to omit license lookups.
+
 ### Diff between commits
 
 ```bash

docs/enrichment.md

@@ -2,7 +2,7 @@
 
 Most git-pkgs commands work entirely from your git history. Your manifests and lockfiles tell us which packages you depend on, who added them, and when. But some questions require data that isn't in your repository: what's the latest version available? what license does this package use? has a security vulnerability been disclosed?
 
-The `outdated` and `licenses` commands fetch this external metadata from the [ecosyste.ms Packages API](https://packages.ecosyste.ms/), which aggregates data from npm, RubyGems, PyPI, and other registries. See also [vulns.md](vulns.md) for vulnerability scanning via OSV.
+The `outdated`, `licenses`, and `sbom` commands fetch this external metadata from the [ecosyste.ms Packages API](https://packages.ecosyste.ms/), which aggregates data from npm, RubyGems, PyPI, and other registries. See also [vulns.md](vulns.md) for vulnerability scanning via OSV.
 
 ## outdated
 
@@ -152,9 +152,68 @@ MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0-1.0, 0BSD, WTFP
 Copyleft licenses (flagged with `--copyleft` or `--permissive`):
 GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, AGPL-3.0, MPL-2.0 (and their variant identifiers)
 
+## sbom
+
+Export dependencies as a Software Bill of Materials (SBOM) in SPDX or CycloneDX format.
+
+```
+$ git pkgs sbom
+{
+  "spdxVersion": "SPDX-2.3",
+  "name": "my-project",
+  "packages": [
+    {
+      "name": "lodash",
+      "versionInfo": "4.17.21",
+      "licenseConcluded": "MIT",
+      "externalRefs": [
+        {
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/lodash@4.17.21"
+        }
+      ]
+    }
+  ]
+}
+```
+
+### Options
+
+```
+-t, --type=TYPE         SBOM type: cyclonedx (default) or spdx
+-f, --format=FORMAT     Output format: json (default) or xml
+-n, --name=NAME         Project name (default: repository directory name)
+-e, --ecosystem=NAME    Filter by ecosystem
+-r, --ref=REF           Git ref to export (default: HEAD)
+    --skip-enrichment   Skip fetching license data from registries
+    --stateless         Parse manifests directly without database
+```
+
+### Examples
+
+CycloneDX format:
+
+```
+$ git pkgs sbom --type cyclonedx
+```
+
+XML output:
+
+```
+$ git pkgs sbom -f xml
+```
+
+Skip license enrichment for faster output:
+
+```
+$ git pkgs sbom --skip-enrichment
+```
+
+The SBOM includes package URLs (purls), versions, licenses (from registry lookup), and integrity hashes (from lockfiles when available).
+
 ## Data Source
 
-Both commands fetch package metadata from [ecosyste.ms](https://packages.ecosyste.ms/), which aggregates data from npm, RubyGems, PyPI, Cargo, and other package registries.
+These commands fetch package metadata from [ecosyste.ms](https://packages.ecosyste.ms/), which aggregates data from npm, RubyGems, PyPI, Cargo, and other package registries.
 
 ## Caching
 
@@ -169,11 +228,12 @@ The cache stores:
 
 ## Stateless Mode
 
-Both commands support `--stateless` mode, which parses manifest files directly from git without requiring a database. This is useful in CI environments where you don't want to run `git pkgs init` first.
+All three commands support `--stateless` mode, which parses manifest files directly from git without requiring a database. This is useful in CI environments where you don't want to run `git pkgs init` first.
 
 ```
 $ git pkgs outdated --stateless
 $ git pkgs licenses --stateless --permissive
+$ git pkgs sbom --stateless
 ```
 
 In stateless mode, package metadata is fetched fresh each time and cached only in memory for the duration of the command.

git-pkgs.gemspec

@@ -38,4 +38,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "vers", "~> 1.0"
   spec.add_dependency "purl", "~> 1.7", ">= 1.7.1"
   spec.add_dependency "sarif-ruby"
+  spec.add_dependency "sbom", "~> 0.4"
+  spec.add_dependency "base64"
 end

lib/git/pkgs.rb

@@ -50,6 +50,7 @@
 require_relative "pkgs/commands/outdated"
 require_relative "pkgs/commands/licenses"
 require_relative "pkgs/commands/integrity"
+require_relative "pkgs/commands/sbom"
 
 module Git
   module Pkgs

lib/git/pkgs/cli.rb

@@ -36,7 +36,8 @@ class CLI
           "stale" => "Show dependencies that haven't been updated",
           "outdated" => "Show packages with newer versions available",
           "licenses" => "Show licenses for dependencies",
-          "integrity" => "Show and verify lockfile integrity hashes"
+          "integrity" => "Show and verify lockfile integrity hashes",
+          "sbom" => "Export dependencies as SBOM (SPDX or CycloneDX)"
         },
         "Security" => {
           "vulns" => "Scan for known vulnerabilities"

lib/git/pkgs/commands/licenses.rb

@@ -118,21 +118,21 @@ def run
           end
 
           packages = deps.map do |dep|
-            purl = PurlHelper.build_purl(ecosystem: dep[:ecosystem], name: dep[:name]).to_s
+            versioned_purl = PurlHelper.build_purl(ecosystem: dep[:ecosystem], name: dep[:name], version: dep[:requirement])
+            base_purl = PurlHelper.build_purl(ecosystem: dep[:ecosystem], name: dep[:name])
             {
-              purl: purl,
+              purl: versioned_purl.to_s,
+              base_purl: base_purl.to_s,
               name: dep[:name],
               ecosystem: dep[:ecosystem],
               version: dep[:requirement],
               manifest_path: dep[:manifest_path]
             }
           end.uniq { |p| p[:purl] }
 
-          enrich_packages(packages.map { |p| p[:purl] })
+          enrich_packages(packages)
 
           packages.each do |pkg|
-            db_pkg = Models::Package.first(purl: pkg[:purl])
-            pkg[:license] = db_pkg&.license
             pkg[:violation] = check_violation(pkg[:license])
           end
 
@@ -183,9 +183,14 @@ def license_matches?(license, pattern)
           license.downcase.include?(pattern.downcase)
         end
 
-        def enrich_packages(purls)
+        def enrich_packages(packages)
+          client = EcosystemsClient.new
+
+          # Enrich package-level data (license, latest version)
+          base_purls = packages.map { |p| p[:base_purl] }.uniq
+
           packages_by_purl = {}
-          purls.each do |purl|
+          base_purls.each do |purl|
             parsed = Purl::PackageURL.parse(purl)
             ecosystem = PurlHelper::ECOSYSTEM_TO_PURL_TYPE.invert[parsed.type] || parsed.type
             pkg = Models::Package.find_or_create_by_purl(
@@ -196,19 +201,52 @@ def enrich_packages(purls)
             packages_by_purl[purl] = pkg
           end
 
-          stale_purls = packages_by_purl.select { |_, pkg| pkg.needs_enrichment? }.keys
-          return if stale_purls.empty?
+          stale_pkg_purls = packages_by_purl.select { |_, pkg| pkg.needs_enrichment? }.keys
 
-          client = EcosystemsClient.new
-          begin
-            results = Spinner.with_spinner("Fetching package metadata...") do
-              client.bulk_lookup(stale_purls)
+          if stale_pkg_purls.any?
+            begin
+              results = Spinner.with_spinner("Fetching package metadata...") do
+                client.bulk_lookup(stale_pkg_purls)
+              end
+              results.each do |purl, data|
+                packages_by_purl[purl]&.enrich_from_api(data)
+              end
+            rescue EcosystemsClient::ApiError => e
+              $stderr.puts "Warning: Could not fetch package data: #{e.message}" unless Git::Pkgs.quiet
             end
-            results.each do |purl, data|
-              packages_by_purl[purl]&.enrich_from_api(data)
+          end
+
+          # Enrich version-level data (license, integrity, published_at)
+          versions_by_purl = {}
+          packages.each do |pkg|
+            version = Models::Version.find_or_create_by_purl(
+              purl: pkg[:purl],
+              package_purl: pkg[:base_purl]
+            )
+            versions_by_purl[pkg[:purl]] = version
+          end
+
+          stale_version_purls = versions_by_purl.select { |_, v| v.needs_enrichment? }.keys
+
+          if stale_version_purls.any?
+            begin
+              Spinner.with_spinner("Fetching version metadata...") do
+                stale_version_purls.each do |purl|
+                  data = client.lookup_version(purl)
+                  versions_by_purl[purl]&.enrich_from_api(data) if data
+                end
+              end
+            rescue EcosystemsClient::ApiError => e
+              $stderr.puts "Warning: Could not fetch version data: #{e.message}" unless Git::Pkgs.quiet
             end
-          rescue EcosystemsClient::ApiError => e
-            $stderr.puts "Warning: Could not fetch package data: #{e.message}" unless Git::Pkgs.quiet
+          end
+
+          # Apply enriched data to packages - version license takes priority
+          packages.each do |pkg|
+            db_pkg = packages_by_purl[pkg[:base_purl]]
+            db_version = versions_by_purl[pkg[:purl]]
+
+            pkg[:license] = db_version&.license || db_pkg&.license
           end
         end