Support --normalize flag (sort+) for CycloneDX BOM on trim command output

.vscode/launch.json

@@ -4,7 +4,16 @@
     // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
     "version": "0.2.0",
     "configurations": [
-
+        {
+            "showGlobalVariables": true,
+            "name": "Debug: validate",
+            "type": "go",
+            "request": "launch",
+            "mode": "debug",
+            "program": "main.go", // "program": "${file}",
+            "args": ["validate", "-i", "examples/cyclonedx/SBOM/protonmail-webclient-v4-0912dff/bom.json"],
+            "dlvFlags": ["--check-go-version=false"]
+        },
         {
             "showGlobalVariables": true,
             "name": "Debug: query: SELECT * FROM metadata.component",

.vscode/settings.json

@@ -78,6 +78,7 @@
             "MLBOM",
             "multimap",
             "myservices",
+            "NATS",
             "NOASSERTION",
             "nolint",
             "nosec",
@@ -99,6 +100,7 @@
             "PROPKEY",
             "protonmail",
             "repackager",
+            "rvoi",
             "rwxr",
             "SAAS",
             "SAASBOM",

README.md

@@ -941,6 +941,14 @@ A comma-separated list of JSON map keys. Similar to the [query command's `--sele
 
 A comma-separated list of JSON document paths using the same syntax as the [query command's `--from` flag](#query---from-flag).
 
+##### Trim `--normalize` flag
+
+A flag that normalizes the BOM data after trimming and prior to output.
+
+This flag has custom code that sorts all components, services, licenses, vulnerabilities, properties, external references, hashes and *most* other BOM data using custom comparators.
+
+Each comparator uses `required` fields and other identifying fields to create *"composite keys"* for each unique data structure.
+
 #### Trim examples
 
 The original BOM used for these examples can be found here:
@@ -1133,6 +1141,180 @@ Output BOM results with `properties` removed from all `components`:
 
 ---
 
+##### Example: Trim `bom-ref` and normalize output
+
+```bash
+./sbom-utility trim -i test/trim/trim-cdx-1-5-sample-components-normalize.sbom.json --keys="bom-ref" --normalize -q
+```
+
+**Note** If you do not want to remove any keys and simply normalize output, set keys to an empty string: `--keys=""`.
+
+Use the trim command to remove all `bom-ref` fields and normalize output:
+
+```json
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "components": [
+    {
+      "type": "library",
+      "bom-ref": "pkg:npm/[email protected]",
+      "purl": "pkg:npm/[email protected]",
+      "name": "sample",
+      "version": "2.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "GPL-2.0-or-later"
+          }
+        },
+        {
+          "license": {
+            "id": "LGPL-2.0-or-later"
+          }
+        },
+        {
+          "license": {
+            "id": "GPL-2.0-only"
+          }
+        }
+      ],
+      "properties": [
+        {
+          "name": "moo",
+          "value": "cow"
+        },
+        {
+          "name": "foo",
+          "value": "bar"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "bom-ref": "pkg:npm/[email protected]",
+      "purl": "pkg:npm/[email protected]",
+      "name": "body-parser",
+      "version": "1.19.0",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
+        },
+        {
+          "alg": "SHA-1",
+          "content": "96b2709e57c9c4e09a6fd66a8fd979844f69f08a"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        },
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "website",
+          "url": "https://example.com/website"
+        },
+        {
+          "type": "support",
+          "url": "https://example.com/support"
+        }
+      ]
+    }
+  ]
+}
+```
+
+Trimmed, normalized output:
+
+```json
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "components": [
+    {
+      "type": "library",
+      "name": "body-parser",
+      "version": "1.19.0",
+      "hashes": [
+        {
+          "alg": "SHA-1",
+          "content": "96b2709e57c9c4e09a6fd66a8fd979844f69f08a"
+        },
+        {
+          "alg": "SHA-256",
+          "content": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        },
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "purl": "pkg:npm/[email protected]",
+      "externalReferences": [
+        {
+          "type": "support",
+          "url": "https://example.com/support"
+        },
+        {
+          "type": "website",
+          "url": "https://example.com/website"
+        }
+      ]
+    },
+    {
+      "type": "library",
+      "name": "sample",
+      "version": "2.0.0",
+      "licenses": [
+        {
+          "license": {
+            "id": "GPL-2.0-only"
+          }
+        },
+        {
+          "license": {
+            "id": "GPL-2.0-or-later"
+          }
+        },
+        {
+          "license": {
+            "id": "LGPL-2.0-or-later"
+          }
+        }
+      ],
+      "purl": "pkg:npm/[email protected]",
+      "properties": [
+        {
+          "name": "foo",
+          "value": "bar"
+        },
+        {
+          "name": "moo",
+          "value": "cow"
+        }
+      ]
+    }
+  ]
+}
+```
+
 ### Validate
 
 This command will parse standardized SBOMs and validate it against its declared format and version (e.g., SPDX 2.2, CycloneDX 1.4). Custom  variants of standard JSON schemas can be used for validation by supplying the `--variant` name as a flag. Explicit JSON schemas can be specified using the `--force` flag.

cmd/diff.go

@@ -151,17 +151,21 @@ func Diff(persistentFlags utils.PersistentCommandFlags, flags utils.DiffCommandF
 	// #nosec G304 (suppress warning)
 	bBaseData, errReadBase := os.ReadFile(inputFilename)
 	if errReadBase != nil {
-		getLogger().Debugf("%v", bBaseData[:255])
-		err = getLogger().Errorf("Failed to ReadFile '%s': %s", inputFilename, err.Error())
+		if len(bBaseData) > 255 {
+			getLogger().Debugf("%v", bBaseData[:255])
+		}
+		err = getLogger().Errorf("Failed to ReadFile '%s': %s", inputFilename, errReadBase.Error())
 		return
 	}
 
 	getLogger().Infof("Reading file (--input-revision): `%s` ...", revisedFilename)
 	// #nosec G304 (suppress warning)
 	bRevisedData, errReadDelta := os.ReadFile(revisedFilename)
 	if errReadDelta != nil {
-		getLogger().Debugf("%v", bRevisedData[:255])
-		err = getLogger().Errorf("Failed to ReadFile '%s': %s", inputFilename, err.Error())
+		if len(bRevisedData) > 255 {
+			getLogger().Debugf("%v", bRevisedData[:255])
+		}
+		err = getLogger().Errorf("Failed to ReadFile '%s': %s", revisedFilename, errReadDelta.Error())
 		return
 	}
 
@@ -201,6 +205,7 @@ func Diff(persistentFlags utils.PersistentCommandFlags, flags utils.DiffCommandF
 			getLogger().Warningf("Diff output format not supported for `%s` format.", format)
 		}
 
+		// Output complete diff in either supported format
 		fmt.Fprintf(output, "%s\n", diffString)
 
 	} else {
@@ -214,7 +219,7 @@ func Diff(persistentFlags utils.PersistentCommandFlags, flags utils.DiffCommandF
 func compareBinaryData(bBaseData []byte, bRevisedData []byte) (diffResults diff.Diff, err error) {
 	defer func() {
 		if recoveredPanic := recover(); recoveredPanic != nil {
-			fmt.Println("panic occurred:", recoveredPanic)
+			getLogger().Infof("ADVICE: Use the Trim command before Diff to remove highly variable data, such as: \"bom-ref\", \"hashes\" and \"properties\".")
 			err = getLogger().Errorf("panic occurred: %v", recoveredPanic)
 			return
 		}