Generate CycloneDX SBOM with open-source tools
You can use many different open-source tools to generate your SBOM in CycloneDX format.
Note: We have not used all of these, so we have appended an * to the ones we've used or have seen our clients use successfully.
- Generate an SBOM for Java Gradle projects with the CycloneDX Gradle plugin or Gradle's own CycloneDX plugin.
- Microsoft's SBOM generation tool (microsoft.sbom.tool) apparently can detect NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repos, and more. It uses Component Detection to generate your SBOM.
- Download Microsoft's SBOM tool to your local environment, then give execute permission to the downloaded executable file:
chmod +x ./sbom-tool
- Download, then extract the Linux kernel source code from The Linux Kernel Archives. For example, this uses version 5.15.88:
tar xvfJ linux-5.15.88.tar.xz
- Run the SBOM generation tool:
./sbom-tool generate -b ./linux-5.15.88 -bc ./linux-5.15.88 -pn kernel -pv 5.15.88 -ps linux.org -nsb https://kernel.org
- Locate the generated SPDX file in the ./linux-5.15.88/_manifest/spdx_2.2/ folder. It is named manifest.spdx.json. You will now need to convert the SPDX file to CycloneDX.
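The final step, converting manifest.spdx.json to CycloneDX, as an added example that is not part of this page, Microsoft's sbom-tool or the CycloneDX project: a small Python converter that turns the SPDX package the document DESCRIBES into metadata.component and the remaining packages, with their purls and checksums, into components. The embedded SPDX document is a constructed sample shaped like the tool's output, and the CycloneDX 1.4 field names are taken from the spec.

```python
"""SPDX 2.2 JSON -> CycloneDX 1.4 JSON, the minimal mapping (root package, name/version/purl,
checksums); file-level data and licence fields are dropped. Added example, not either project's code."""
import json
# SPDX checksum algorithm names -> CycloneDX "hashes[].alg" enum values
HASH_ALG = {"MD5": "MD5", "SHA1": "SHA-1", "SHA256": "SHA-256", "SHA512": "SHA-512"}


def _component(pkg, ctype="library"):
    """Map one SPDX package to a CycloneDX component; the purl comes from externalRefs."""
    comp = {"type": ctype, "name": pkg["name"], "version": pkg.get("versionInfo", "")}
    purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"), None)
    if purl:
        comp["purl"] = purl
    hashes = [{"alg": HASH_ALG[c["algorithm"]], "content": c["checksumValue"].lower()}
              for c in pkg.get("checksums", []) if c.get("algorithm") in HASH_ALG]
    if hashes:
        comp["hashes"] = hashes
    return comp


def spdx_to_cyclonedx(spdx):
    """The package the document DESCRIBES -> metadata.component; all others -> components."""
    root_ids = {r["relatedSpdxElement"] for r in spdx.get("relationships", [])
                if r.get("relationshipType") == "DESCRIBES"
                and r.get("spdxElementId") == spdx.get("SPDXID", "SPDXRef-DOCUMENT")}
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
           "metadata": {}, "components": []}
    for pkg in spdx.get("packages", []):
        if pkg["SPDXID"] in root_ids:
            bom["metadata"]["component"] = _component(pkg, "application")
        else:
            bom["components"].append(_component(pkg))
    return bom


# Constructed sample shaped like sbom-tool's manifest.spdx.json; not real tool output.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "kernel 5.15.88",
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "kernel", "versionInfo": "5.15.88"},
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.13",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ABCD1234"}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/zlib@1.2.13"}]}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-RootPackage"}]}

if __name__ == "__main__":  # for real output, load json from manifest.spdx.json instead
    print(json.dumps(spdx_to_cyclonedx(SAMPLE_SPDX), indent=2))
```

A useful check on the output is that every component still carries its purl, since that is what downstream vulnerability matching keys on; the fields this script drops (licences, file lists, supplier) are still needed for a complete BOM.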