Support Package-Level SPDX and CycloneDX Output #53

@raahulkurmi

Description

Problem

SBOMit recently introduced package discovery and inspection capabilities, allowing users to list, search, and inspect packages directly from witness attestations.

While package metadata can now be viewed from the CLI, users who want to understand how a specific package would appear in the generated SBOM must still generate and inspect the complete SPDX or CycloneDX document.

For large attestations containing hundreds or thousands of packages, this can be cumbersome when the goal is to investigate a single package.

Proposed Enhancement

Add support for displaying SPDX or CycloneDX representations for individual packages.

Example:

sbomit generate attestation.json \
  --show-package flask \
  --format spdx23 \
  --package-sbom

Example output:

{
  "name": "flask",
  "SPDXID": "SPDXRef-Package-flask",
  "versionInfo": "3.1.2",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:pypi/flask@3.1.2"
    }
  ]
}

Similarly for CycloneDX:

sbomit generate attestation.json \
  --show-package flask \
  --format cdx15 \
  --package-sbom
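As an added sketch of what the proposed flag would do (example code written for this issue, not SBOMit's own implementation), the renderer below takes a package record as the CLI's package inspection might yield it (the record shape, the `ecosystem` key and the `--show-package`/`--format` wiring are assumptions) and emits the SPDX 2.3 package fragment or the CycloneDX 1.5 component fragment for just that package, without assembling the whole document. It also sanitises the SPDXID, since SPDX identifiers only allow letters, digits, `.` and `-`.

```python
import json
import re

# Constructed sample of package records (hypothetical shape, not sbomit's schema).
PACKAGES = [
    {"name": "flask", "version": "3.1.2", "ecosystem": "pypi"},
    {"name": "lodash", "version": "4.17.21", "ecosystem": "npm"},
]

def purl_for(pkg):
    """Build a package URL; the ecosystem becomes the purl type.
    Assumes names are already normalised for their ecosystem (no namespaces)."""
    return f"pkg:{pkg['ecosystem']}/{pkg['name']}@{pkg['version']}"

def spdx_id_for(name):
    """SPDX IDs may contain only letters, digits, '.' and '-'; map the rest to '-'."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)

def to_spdx23(pkg):
    """SPDX 2.3 package entry; referenceCategory is required by the SPDX JSON schema."""
    return {
        "name": pkg["name"],
        "SPDXID": spdx_id_for(pkg["name"]),
        "versionInfo": pkg["version"],
        "downloadLocation": "NOASSERTION",
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": purl_for(pkg),
        }],
    }

def to_cdx15(pkg):
    """CycloneDX 1.5 component; the purl doubles as a stable bom-ref."""
    return {
        "type": "library",
        "bom-ref": purl_for(pkg),
        "name": pkg["name"],
        "version": pkg["version"],
        "purl": purl_for(pkg),
    }

RENDERERS = {"spdx23": to_spdx23, "cdx15": to_cdx15}

def show_package(packages, name, fmt):
    """Render one package's fragment; refuse ambiguous or missing names."""
    matches = [p for p in packages if p["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} packages named {name!r}")
    return RENDERERS[fmt](matches[0])

if __name__ == "__main__":
    print(json.dumps(show_package(PACKAGES, "flask", "spdx23"), indent=2))
```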

Motivation

This would be useful for:

  • Debugging package-to-SBOM mapping logic
  • Validating generated package metadata
  • Investigating package information without generating a complete SBOM
  • Understanding how specific packages are represented across output formats
  • Troubleshooting resolver behavior

Possible Future Extensions

  • Export package-level SBOM fragments as JSON
  • Compare SPDX and CycloneDX representations side-by-side
  • Support package-level vulnerability enrichment
  • Support ecosystem-specific filtering

Benefits

  • Faster debugging workflows
  • Improved visibility into SBOM generation internals
  • Easier validation of package metadata
  • Better user experience when working with large attestations
