Comment on page

Generate CycloneDX SBOM with open-source tools

You can use many different open-source tools to generate your SBOM in CycloneDX format. 
Note: We have not used all of these, so have appended an * to the ones we've used or have seen our clients use successfully.
Java *
Core
Generate an SBOM for Java Core projects with the CycloneDX Java Core plugin.
Maven
Generate an SBOM for Java Maven projects with the CycloneDX Maven plugin.
Gradle *
Generate an SBOM for Java Gradle projects with th CycloneDX Gradle plugin or Gradle's own CycloneDX plugin.
JavaScript *
Generate an SBOM for JavaScript projects with the CycloneDX JavaScript library.
Node.js
NPM *
Generate an SBOM for Node.js NPM projects with the CycloneDX Node module.
Generate an SBOM for Node.js NPM projects with the CycloneDX-npm tool. 
Yarn
Generate an SBOM for Node.js Yarn projects with the CycloneDX Node module.
Objective-C/Swift
CocoaPods *
Generate SBOM for CocoaPods projects with the CycloneDX Cocoapod plugin.
.NET
NuGet *
Generate SBOM for .NET NuGet projects with the CycloneDX .NET module.
Python *
Generate SBOM for Python projects with the GitHub Python SBOM generation tool. 
Pip
Generate SBOM for Python Pip projects with the CycloneDX Python SBOM generation tool.
Poetry
Generate SBOM for Python Poetry projects with the CycloneDX Python SBOM generation tool.
PHP
Composer
Generate SBOM for PHP Composer projects with the CycloneDX PHP Composer plugin.
Go
Gomod
Generate SBOM for Golang projects with gomod using the CycloneDX-gomod tool.
Elixir
Mix *
Generate SBOM for Elixir Mix projects using the CycloneDX SBOM generation Mix task​
Erlang
Rebar3
Generate SBOM for Erlang Rebar3 projects with the CycloneDX Rebar3 SBOM generation tool.
Multi-Language
Microsoft's SBOM generation tool (microsoft.sbom.tool) apparently can detect NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust Crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repos, and more. It uses Component Detection to generate your SBOM. 
Generate SBOM using Syft's CLI tool and Go library.
Linux kernel source code
Download Microsoft's SBOM tool the tool to your local environment, then give execute permission to the downloaded executable file:
chmod +x ./sbom-tool
Download, then extract the Linux kernel source code from The Linux Kernel Archives. For example, this uses version 5.15.88:
tar xvfJ linux-5.15.88.tar.xz
Run the SBOM generation tool: 
./sbom-tool generate -b ./linux-5.15.88 -bc ./linux-5.15.88 -pn kernel -pv 5.15.88 -ps linux.org -nsb https://kernel.org
Locate the generated SPDX file in ./linux-5.15.88/_manifest/spdx_2.2/ folder. It is named manifest.spdx.json. You will now need to convert the SPDX file to CycloneDX.
Ruby *
Generate SBOM for Ruby projects with the CycloneDX-ruby gem.
More tools
​CycloneDX SBOM Standard GitHub repositories *
​SBOM Utility on GitHub​
​License Scanner on GitHub​
​CLI SBOM Extension on GitHub​
​SBOM tool repository on GitHub 
​CERTCC SwiftBOM generator and demo tool​
​UI tool to generate SBOM 
​CycloneDX Linux generator​
​Syft SBOM generator​

Generate SPDX SBOM with open-source tools

Convert your SBOM from CSV to CycloneDX

Last modified 27d ago