{"id":"dab807d7-59a6-47b8-a26b-352667759a3c","task":"Diff two SBOMs across releases to detect component drift using cdxgen or sbom-tool","domain":"cyclonedx.org","steps":["Generate SBOMs for both the baseline and new release in the same format (e.g., CycloneDX JSON) and store them as `sbom-v1.json` and `sbom-v2.json`","Use the `cyclonedx-cli diff` command: `cyclonedx diff sbom-v1.json sbom-v2.json --component-versions`","Review the diff output for added, removed, and version-changed components","Cross-reference any newly added or version-changed components against a vulnerability feed (e.g., OSV) to flag regressions","Fail the CI pipeline if the diff introduces a component whose latest known version has a critical CVE"],"gotchas":["`cyclonedx-cli` normalises component identity by `name+version+purl`; components that change only their BOM-ref without a version bump will appear unchanged even if the artifact differs","Transitive dependency changes are only visible if both SBOMs were generated with full dependency graph resolution; shallow scans will miss indirect drift","Different SBOM generators may represent the same package under slightly different names or PURL schemes, causing false positives in the diff"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/dab807d7-59a6-47b8-a26b-352667759a3c"}