The art of SBOM composition is the act of crafting an SBOM document on the fly, specifically with data that may come from other documents. Composing data involves ripping parts of one SBOM to copy to a new document or to enrich Nodes and possibly their graphs with fragments from the first one.
SBOM composition is an important SBOM ability needed by the ecosystem as it bridges the gap created by the various tools that output SBOM data from specialized processes and analyisis. Examples of data that may need to be composed includes results from SCA tools, license classifiers, dependency data from compilers, OS package data, and more. All of these data streams can come together to create the perfect SuperSBOM.
SBOM composition will generally involve querying data from a document to extract a `NodeList``, the protobom construct that captures a self-sustaining graph fragment. Resilting Nodes and NodeLists can be fed into the various SBOM composition functions which, in turn, return new Documents or NodeLists as a result of the composing operation.
The following examples use a sample nodelist
variable. This is an example
NodeList that may come from a query or a method such as sbom.packages()
.