
Feature/package discovery#51

Open
raahulkurmi wants to merge 5 commits into SBOMit:master from raahulkurmi:feature/package-discovery
Open

Feature/package discovery#51
raahulkurmi wants to merge 5 commits into
SBOMit:masterfrom
raahulkurmi:feature/package-discovery

Conversation

@raahulkurmi

Summary

Adds CLI support for discovering, searching, and inspecting individual packages from witness attestations — without requiring users to manually search large SBOM outputs.

New Flags

Flag | Description
-- | --
--show-packages | List all packages discovered during attestation processing
--show-package | Search for one or more packages by name (comma-separated)
--show-package-details | Display package metadata (version, ecosystem, PURL, hashes)
--packages-only | Display package information only and skip full SBOM generation

Important Note on --packages-only

By default, package discovery and inspection commands continue execution and generate the full SBOM after displaying the requested package information.

If you only need package information and want to skip SPDX/CycloneDX generation, use the --packages-only flag.

This is useful when:

  • Quickly validating whether a package exists in an attestation
  • Troubleshooting attestation contents
  • Inspecting package metadata
  • Exploring package information without generating a complete SBOM

Motivation

SBOM outputs are often large files containing hundreds or thousands of packages, making it difficult to quickly locate a specific package or inspect its metadata.

Currently, users typically need to generate a full SPDX/CycloneDX document and manually search through the output to verify package presence or investigate package information.

This feature provides a lightweight workflow for package discovery and metadata inspection directly from witness attestations.

Usage Examples

List all discovered packages

sbomit generate attestation.json --show-packages

Search specific packages

sbomit generate attestation.json --show-package flask,pandas

Search and inspect package metadata

Note: The full SBOM will still be generated after displaying package information.

sbomit generate attestation.json \
  --show-package flask,pandas \
  --show-package-details

Search, inspect, and skip SBOM generation

sbomit generate attestation.json \
  --show-package flask,pandas \
  --show-package-details \
  --packages-only

Sample Output

=== PACKAGE SEARCH RESULTS ===

✓ flask 3.1.2

Package Details:
Name: flask
Version: 3.1.2
Ecosystem: pypi
PURL: pkg:pypi/flask@3.1.2

✓ pandas 2.3.3

Package Details:
Name: pandas
Version: 2.3.3
Ecosystem: pypi
PURL: pkg:pypi/pandas@2.3.3

✗ redis not found

==============================
Found: 2
Missing: 1
==============================

Future Work

A potential follow-up enhancement would be support for displaying the SPDX/CycloneDX representation of selected packages directly.

Example:

sbomit generate attestation.json \
  --show-package flask \
  --show-package-spdx

This would allow users to inspect the SBOM entry associated with a specific package without generating or searching the entire SBOM document.

Notes

This change is additive and does not modify the existing SBOM generation workflow. Existing commands and output formats continue to work as before.

Signed-off-by: Rahul <raahulchaudhary07@gmail.com>
@raahulkurmi raahulkurmi force-pushed the feature/package-discovery branch from 33992e0 to 0aaed75 Compare June 2, 2026 14:09
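As an added example (not code from this PR or from the SBOMit project), here is a small Python parser for the search output format shown in the description, so a CI step can turn `--show-package ... --show-package-details --packages-only` output into a pass/fail gate instead of eyeballing it. It assumes the exact line layout of the sample output above (the ✓/✗ markers, the `Key: value` detail lines and the Found/Missing footer); the sample text is embedded as constructed input, and the function names (`parse_search_output`, `validate`, `check_required`) are the example's own. The footer cross-check exists so that a truncated or interrupted run does not silently pass as "all packages present".

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample input: the text of the "Sample Output" block in this PR
# description, not output captured from a real sbomit run.
SAMPLE_OUTPUT = """=== PACKAGE SEARCH RESULTS ===

✓ flask 3.1.2

Package Details:
Name: flask
Version: 3.1.2
Ecosystem: pypi
PURL: pkg:pypi/flask@3.1.2

✓ pandas 2.3.3

Package Details:
Name: pandas
Version: 2.3.3
Ecosystem: pypi
PURL: pkg:pypi/pandas@2.3.3

✗ redis not found

==============================
Found: 2
Missing: 1
==============================
"""

# Line shapes assumed from the sample output (an assumption about the CLI's format).
FOUND_RE = re.compile(r"^✓\s+(\S+)\s+(\S+)$")
MISSING_RE = re.compile(r"^✗\s+(\S+)\s+not found$")
DETAIL_RE = re.compile(r"^(Name|Version|Ecosystem|PURL):\s*(.+)$")
SUMMARY_RE = re.compile(r"^(Found|Missing):\s*(\d+)$")


@dataclass
class SearchResult:
    found: dict = field(default_factory=dict)    # name -> {"version", "ecosystem", "purl", ...}
    missing: list = field(default_factory=list)  # names reported as "not found"
    summary: dict = field(default_factory=dict)  # {"found": n, "missing": m} from the footer


def parse_search_output(text):
    """Parse the package search block into a SearchResult."""
    result = SearchResult()
    current = None  # metadata dict of the most recent ✓ package, if any
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FOUND_RE.match(line)):
            name, version = m.groups()
            current = {"version": version}
            result.found[name] = current
        elif (m := MISSING_RE.match(line)):
            result.missing.append(m.group(1))
            current = None
        elif (m := DETAIL_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
        elif (m := SUMMARY_RE.match(line)):
            result.summary[m.group(1).lower()] = int(m.group(2))
    return result


def validate(result):
    """Return a list of consistency problems; empty means the output is self-consistent.
    Catches truncated output (footer counts disagree with parsed entries) and PURLs that
    do not agree with the ecosystem/version lines. Only the simple PURL shape from the
    sample is checked; full PURL name normalization is out of scope here."""
    problems = []
    if result.summary.get("found") != len(result.found):
        problems.append(f"footer says Found: {result.summary.get('found')}, parsed {len(result.found)}")
    if result.summary.get("missing") != len(result.missing):
        problems.append(f"footer says Missing: {result.summary.get('missing')}, parsed {len(result.missing)}")
    for name, meta in result.found.items():
        purl = meta.get("purl", "")
        prefix = f"pkg:{meta.get('ecosystem')}/"
        if not (purl.startswith(prefix) and purl.endswith(f"@{meta['version']}")):
            problems.append(f"{name}: PURL {purl!r} inconsistent with ecosystem/version")
    return problems


def check_required(result, required):
    """Names from `required` that the search did not find (order preserved)."""
    return [name for name in required if name not in result.found]


if __name__ == "__main__":
    # Stand-alone run: read sbomit output from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    res = parse_search_output(text)
    problems = validate(res)
    absent = check_required(res, sys.argv[1:] or ["flask", "pandas", "redis"])
    for p in problems:
        print("inconsistent output:", p)
    for name in absent:
        print("missing required package:", name)
    sys.exit(1 if problems or absent else 0)
```

Pipe `sbomit generate attestation.json --show-package flask,pandas,redis --show-package-details --packages-only` into the script; `--packages-only` keeps the SPDX/CycloneDX document from following the search block, so only the lines the parser expects reach it.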
