sbom-validator

@cboyd0319/BazBOM

Validates SBOM (Software Bill of Materials) files generated by BazBOM for correctness, completeness, and SPDX compliance. Use when checking if generated SBOMs are valid or debugging SBOM generation issues.

Install Skill

1. Download skill
2. Enable skills in Claude: open claude.ai/settings/capabilities and find the "Skills" section
3. Upload to Claude: click "Upload skill" and select the downloaded ZIP file

Note: Please verify the skill by going through its instructions before using it.

SKILL.md

name: sbom-validator
description: Validates SBOM (Software Bill of Materials) files generated by BazBOM for correctness, completeness, and SPDX compliance. Use when checking if generated SBOMs are valid or debugging SBOM generation issues.

SBOM Validator Skill

Automatically validates SBOM files for structure, content, and compliance.

When to Use

Activate this skill when you hear:

  • "Is this SBOM valid?"
  • "Check the generated SBOM"
  • "Validate SBOM output"
  • "SBOM looks wrong"
  • "How many packages in the SBOM?"

Validation Checks

1. File Existence and Format

# Check file exists
test -f sbom.spdx.json || test -f sbom.cyclonedx.json

# Validate JSON syntax
jq empty sbom.spdx.json

2. SPDX Structure Validation

# Required fields present
jq -e '.spdxVersion' sbom.spdx.json
jq -e '.dataLicense' sbom.spdx.json
jq -e '.name' sbom.spdx.json
jq -e '.packages' sbom.spdx.json
jq -e '.relationships' sbom.spdx.json

# Version check
jq -r '.spdxVersion' sbom.spdx.json
# Should be: "SPDX-2.3" or similar

3. Package Validation

# Count packages
jq '.packages | length' sbom.spdx.json

# Check package structure
jq '.packages[0] | keys' sbom.spdx.json
# Should have: SPDXID, name, versionInfo, externalRefs

# Validate PURLs
jq -r '.packages[].externalRefs[]? | select(.referenceType == "purl") | .referenceLocator' sbom.spdx.json

4. Relationship Validation

# Count relationships
jq '.relationships | length' sbom.spdx.json

# Check for DESCRIBES relationships (the SPDX JSON field is relationshipType, camel case)
jq '[.relationships[] | select(.relationshipType == "DESCRIBES")] | length' sbom.spdx.json

# Check for DEPENDS_ON relationships
jq '[.relationships[] | select(.relationshipType == "DEPENDS_ON")] | length' sbom.spdx.json

5. Content Quality Checks

# Check for empty packages
jq '[.packages[] | select(.name == "" or .versionInfo == "")] | length' sbom.spdx.json

# Verify download locations
jq -r '.packages[] | .downloadLocation' sbom.spdx.json | grep -v "NOASSERTION"

# Check SPDX IDs are unique
jq -r '.packages[].SPDXID' sbom.spdx.json | sort | uniq -d

Validation Report Format

SBOM Validation Report
=====================

File: sbom.spdx.json
Size: 45KB

✅ JSON Format: Valid
✅ SPDX Version: SPDX-2.3
✅ Required Fields: Present
✅ Package Count: 59 packages
✅ Relationship Count: 232 relationships

Package Quality:
✅ All packages have names
✅ All packages have versions
✅ All packages have PURLs
✅ 59 download locations specified

Relationships:
✅ 1 DESCRIBES relationship
✅ 231 DEPENDS_ON relationships
✅ No orphaned packages

Summary: SBOM is valid and complete ✅

Common Issues Detected

Zero Packages

Symptom: .packages | length returns 0
Cause: Dependency extraction failed
Action: Check Bazel detection and maven_install.json parsing

Missing PURLs

Symptom: Some packages lack externalRefs
Cause: Package URL generation failed
Action: Verify artifact coordinates in maven_install.json

Invalid Relationships

Symptom: Relationship references non-existent SPDX IDs
Cause: Graph conversion bug
Action: Check BazelDependencyGraph::to_spdx() logic

Malformed JSON

Symptom: jq parsing fails
Cause: Serialization error
Action: Check serde_json::to_string_pretty() calls

Quick Validation Commands

# Basic validation
jq '.packages | length' sbom.spdx.json

# Show first 3 packages
jq '.packages[0:3]' sbom.spdx.json

# List all package names and versions
jq -r '.packages[] | "\(.name)@\(.versionInfo)"' sbom.spdx.json

# Check for duplicate packages
jq -r '.packages[] | "\(.name)@\(.versionInfo)"' sbom.spdx.json | sort | uniq -d

# Validate PURLs (the ? keeps jq from aborting on packages that have no externalRefs)
jq -r '.packages[].externalRefs[]? | select(.referenceType == "purl") | .referenceLocator' sbom.spdx.json | head -5

Integration with Testing

Use after running BazBOM:

# Generate SBOM
bazbom scan --format spdx -o /tmp/test

# Validate output
jq '.packages | length' /tmp/test/sbom.spdx.json

# Full validation
./validate-sbom.sh /tmp/test/sbom.spdx.json

Success Criteria

An SBOM passes validation when:

  • ✅ JSON is syntactically valid
  • ✅ SPDX version is specified
  • ✅ All required fields present
  • ✅ Package count > 0 (for repos with dependencies)
  • ✅ All packages have names and versions
  • ✅ All packages have valid PURLs
  • ✅ Relationships reference existing packages
  • ✅ At least one DESCRIBES relationship
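The success criteria above, together with the jq checks from the Validation Checks section, carried out as one offline validator. This is an added example, not the skill's own validate-sbom.sh or any BazBOM code; the sample SPDX document, its package names and PURLs are constructed for illustration and contain two deliberate defects (a package without a PURL and a DEPENDS_ON target that does not exist) so the failure paths are exercised.

```python
import json

# Minimal SPDX 2.3 document constructed for this example (not real BazBOM output). It has
# two deliberate defects: a package with no PURL, and a DEPENDS_ON target SPDXID that does not exist.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "name": "example-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-guava", "name": "guava", "versionInfo": "32.1.3-jre",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/com.google.guava/guava@32.1.3-jre"}]},
        {"SPDXID": "SPDXRef-Package-failureaccess", "name": "failureaccess", "versionInfo": "1.0.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-guava"},
        {"spdxElementId": "SPDXRef-Package-guava", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-failureaccess"},
        {"spdxElementId": "SPDXRef-Package-guava", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-missing"},
    ],
})
REQUIRED_FIELDS = ("spdxVersion", "dataLicense", "name", "packages", "relationships")

def validate_spdx(text):
    """Apply the success criteria to an SPDX JSON string; returns findings ([] means pass)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:  # "Malformed JSON" case
        return [f"malformed JSON: {exc}"]
    findings = [f"missing required field: {k}" for k in REQUIRED_FIELDS if k not in doc]
    if findings:  # content checks need the structure to be there first
        return findings
    pkgs, rels = doc["packages"], doc["relationships"]
    if not pkgs:
        findings.append("zero packages")  # "Zero Packages" case
    ids = [p.get("SPDXID") for p in pkgs]
    findings += [f"duplicate SPDXID: {i}" for i in sorted(set(ids)) if ids.count(i) > 1]
    for p in pkgs:
        if not p.get("name") or not p.get("versionInfo"):
            findings.append(f"{p.get('SPDXID')}: empty name or versionInfo")
        if not any(r.get("referenceType") == "purl" for r in p.get("externalRefs", [])):
            findings.append(f"{p.get('SPDXID')}: no PURL")  # "Missing PURLs" case
    known = set(ids) | {"SPDXRef-DOCUMENT", "NOASSERTION", "NONE"}  # legal relationship ends
    for r in rels:
        for end in ("spdxElementId", "relatedSpdxElement"):
            if r.get(end) not in known:  # "Invalid Relationships" case
                findings.append(f"relationship references unknown SPDXID {r.get(end)}")
    if not any(r.get("relationshipType") == "DESCRIBES" for r in rels):
        findings.append("no DESCRIBES relationship")
    return findings
```

Calling validate_spdx(SAMPLE_SBOM) returns two findings, one for the PURL-less package and one for the dangling relationship; an empty list is the "SBOM is valid and complete" outcome from the report format above.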

Remember: A valid SBOM is the foundation for vulnerability scanning and compliance.