Should I create a template, or just post-process to get an SPDX SBOM containing PURLs only?

eherget · September 11, 2025, 4:23pm

I would like to have syft generate SPDX SBOMs containing PURLs only, no CPEs. My thought is that using a template would be the “clean” way to do it. The alternative is to generate an SPDX SBOM, then post-process the output and strip out CPEs, leaving only PURLs. I would like some guidance on which approach I should take. If someone has already done the same thing using a template, I’d like to get a copy of the template.

Thanks in advance!

popey · September 11, 2025, 7:06pm

Is it just CPEs you want to rip out, or something more?
Making an SBOM small is great, but making it compliant is even better!

I don’t think there’s a template yet, unless someone speaks up below

eherget · September 11, 2025, 7:48pm

I would like the SBOM to also be compliant (part of “clean” in my mind)! The project I’m working on is focused on PURLs so removing CPEs greatly reduces the size.

Topic		Replies	Views
PURL is empty for "graalvm-native-image-cataloger" Syft	5	17	August 20, 2025
How to make valid sbom files? (Newbie Questions) General	1	37	November 13, 2024
Does Syft automaticaly detects existing SBOM files? Syft	1	51	March 20, 2025
Introducing sbommage - A friendly SBOM viewer General	2	65	April 17, 2025
"we track the complete list in our open source SBOM eBook." - the repo is gone General	1	12	September 1, 2025

Should I create a template, or just post-process to get an SPDX SBOM containing PURLs only?

Related topics