
Recipe: SBOM Summarizer

Ingest a Software Bill of Materials (CycloneDX or SPDX) and produce a human-readable summary of dependencies, licenses, and risk signals.

Overview

This recipe walks through building an SBOM summarizer that parses standard-format SBOMs, extracts the dependency graph, cross-references license data, and flags stale or vulnerable packages. The output is a structured summary suitable for compliance audits or CI gates.

Prerequisites

  • Meridian CLI v2.1+ installed and authenticated
  • An SBOM file in CycloneDX 1.4+ or SPDX 2.3 JSON format
  • Optional: a license-policy YAML for custom allow/deny rules

Quick Start

meridian recipe run sbom-summarizer \
  --input ./sbom.cdx.json \
  --policy ./license-policy.yaml \
  --output ./summary.json

The summarizer auto-detects the SBOM format. Use --format to override.

Output Schema

The summary JSON includes a top-level dependency count, a license breakdown by SPDX identifier, a risk score (0–100), and an array of flagged components with remediation hints.
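As an added illustration (not Meridian's own code), the following Python sketch implements the pipeline from the Overview and emits the fields listed above: format detection, a component walk over CycloneDX or SPDX JSON, a license breakdown by SPDX identifier, policy-flagged components with hints, and a risk score. The embedded SBOM, the allow/deny policy dict and the risk-score heuristic are constructed assumptions, not the recipe's real policy format or scoring.

```python
import json
from collections import Counter
# Constructed minimal CycloneDX 1.4 SBOM; component names and versions are made up.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "left-pad", "version": "1.3.0",
   "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "gpl-tool", "version": "2.0.0",
   "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
  {"type": "library", "name": "mystery-lib", "version": "0.1.0"}]}"""
# Assumed allow/deny policy shape; the recipe's real policy YAML format is not shown.
POLICY = {"allow": ["MIT", "Apache-2.0", "BSD-3-Clause"], "deny": ["GPL-3.0-only"]}

def detect_format(doc):
    # Auto-detect from top-level keys, as the recipe does before --format overrides it.
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    raise ValueError("unrecognised SBOM format")

def components(doc, fmt):
    """Yield (name, version, [SPDX license ids]) for every component in either format."""
    if fmt == "cyclonedx":
        for c in doc.get("components", []):
            ids = [l["license"]["id"] for l in c.get("licenses", [])
                   if "id" in l.get("license", {})]
            yield c["name"], c.get("version", ""), ids or ["NOASSERTION"]
    else:  # SPDX 2.3 JSON: licenseConcluded is a string, possibly a license expression
        for p in doc.get("packages", []):
            yield p["name"], p.get("versionInfo", ""), [p.get("licenseConcluded", "NOASSERTION")]

def summarize(sbom_text, policy):
    """Produce dependency count, license breakdown, flagged components and a risk score."""
    doc = json.loads(sbom_text)
    fmt = detect_format(doc)
    comps = list(components(doc, fmt))
    breakdown, flagged = Counter(), []
    for name, version, ids in comps:
        for lic in ids:
            breakdown[lic] += 1
            if lic in policy["deny"]:
                flagged.append({"component": f"{name}@{version}", "reason": f"denied license {lic}",
                                "hint": "replace the package or record a policy exception"})
            elif lic not in policy["allow"]:  # NOASSERTION and unlisted ids land here
                flagged.append({"component": f"{name}@{version}", "reason": f"unreviewed license {lic}",
                                "hint": "verify the license and add it to the policy"})
    # Risk score (assumed heuristic): share of components carrying at least one flag, 0-100.
    risk = round(100 * len({f["component"] for f in flagged}) / len(comps)) if comps else 0
    return {"format": fmt, "dependency_count": len(comps), "license_breakdown": dict(breakdown),
            "risk_score": risk, "flagged": flagged}
```

On the constructed SBOM this reports three dependencies, two flagged components (one denied license, one unasserted) and a risk score of 67; a component with no license entry is treated as NOASSERTION rather than silently passing.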

Next Steps

Chain this recipe with the Vulnerability Enricher to correlate CVEs against the extracted component list. See the Vulnerability Enricher recipe for details.