Generate CycloneDX SBOM with open-source tools

You can use many different open-source tools to generate your SBOM in CycloneDX format. We support CycloneDX 1.4 and JSON and XML formats.

Note: We have not used all of these, so have appended an * to the ones we've used or have seen our clients use successfully.

Java *

Core

Generate an SBOM for Java Core projects with the .

Maven

Generate an SBOM for Java Maven projects with the .

Gradle *

Generate an SBOM for Java Gradle projects with th or Gradle's own .

JavaScript *

Generate an SBOM for JavaScript projects with the .

Node.js

NPM *

Yarn

Objective-C/Swift

CocoaPods *

.NET

NuGet *

Python *

Pip

Poetry

PHP

Composer

Go

Gomod

Elixir

Mix *

Erlang

Rebar3

Multi-Language

Linux kernel source code

• chmod +x ./sbom-tool

• Download, then extract the Linux kernel source code from The Linux Kernel Archives. For example, this uses version 5.15.88:

  tar xvfJ linux-5.15.88.tar.xz

• Run the SBOM generation tool:

  ./sbom-tool generate -b ./linux-5.15.88 -bc ./linux-5.15.88 -pn kernel -pv 5.15.88 -ps linux.org -nsb https://kernel.org

• Locate the generated SPDX file in ./linux-5.15.88/_manifest/spdx_2.2/ folder. It is named manifest.spdx.json. You will now need to convert the SPDX file to CycloneDX.

Ruby *

More tools