@cyclonedx/cdxgen NPM

CycloneDX Generator

cdxgen logo

cdxgen is a CLI tool, library, REPL, and server to create a valid and compliant CycloneDX Bill of Materials (BOM) containing an aggregate of all project dependencies for C/C++, Node.js, PHP, Python, Ruby, Rust, Java, .Net, Dart, Haskell, Elixir, and Go projects in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.6.

When used with plugins:

cdxgen could generate an OBOM for Linux docker images and even VMs running Linux or Windows operating systems
cdxgen also includes an evinse tool to generate component evidence, CBOM, and SaaSBOM for some languages

Why cdxgen?

Most SBOM tools are like simple barcode scanners. For easy applications, they can parse a few package manifests and create a list of components only based on these files without any deep inspection. Further, a typical application might have several repos, components, and libraries with complex build requirements. Traditional techniques to generate an SBOM per language or package manifest either do not work in enterprise environments or don't provide the confidence required for both compliance and automated analysis. So we built cdxgen - the universal polyglot SBOM generator that is user-friendly, precise, and comprehensive!

Supported languages and package format

Language/Platform	Package format	Transitive dependencies	Evidence
Node.js	npm-shrinkwrap.json, package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js, bower.json, .min.js	Yes except .min.js	Yes
Java	maven (pom.xml 1), gradle (build.gradle, .kts), scala (sbt), bazel	Yes unless pom.xml is manually parsed due to unavailability of maven or errors	Yes
Android	apk, aab
PHP	composer.lock	Yes	Yes
Python	pyproject.toml, setup.py, requirements.txt 2, Pipfile.lock, poetry.lock, pdm.lock, bdist_wheel, .whl, .egg-info	Yes using the automatic pip install/freeze. When disabled, only with Pipfile.lock and poetry.lock	Yes
Go	binary, go.mod, go.sum, Gopkg.lock	Yes except binary	Yes
Ruby	Gemfile.lock, gemspec	Only for Gemfile.lock
Rust	binary, Cargo.toml, Cargo.lock	Only for Cargo.lock
.Net	.csproj, .vbproj, .fsproj, packages.config, project.assets.json 3, packages.lock.json, .nupkg, paket.lock, binary	Only for project.assets.json, packages.lock.json, paket.lock
Dart	pubspec.lock, pubspec.yaml	Only for pubspec.lock
Haskell	cabal.project.freeze	Yes
Elixir	mix.lock	Yes
C/C++/Objective C/C++11	conan.lock, conanfile.txt, *.cmake, CMakeLists.txt, meson.build, codebase without package managers!	Yes only for conan.lock. Best effort basis for cmake without version numbers.	Yes
Clojure	Clojure CLI (deps.edn), Leiningen (project.clj)	Yes unless the files are parsed manually due to lack of clojure cli or leiningen command
Swift	Package.resolved, Package.swift (swiftpm)	Yes
Docker / oci image	All supported languages. Linux OS packages with plugins 4	Best effort based on lock files	Yes
GitHub Actions	.github/workflows/*.yml	N/A	Yes
Linux	All supported languages. Linux OS packages with plugins 5	Best effort based on lock files	Yes
Windows	All supported languages. OS packages with best effort 5	Best effort based on lock files	Yes
Jenkins Plugins	.hpi files		Yes
Helm Charts	.yaml	N/A
Skaffold	.yaml	N/A
kustomization	.yaml	N/A
Tekton tasks	.yaml	N/A
Kubernetes	.yaml	N/A
Maven Cache	$HOME/.m2/repository/*/.jar	N/A
SBT Cache	$HOME/.ivy2/cache/*/.jar	N/A
Gradle Cache	$HOME/caches/modules-2/files-2.1/*/.jar	N/A
Helm Index	$HOME/.cache/helm/repository/*/.yaml	N/A
Docker compose	docker-compose*.yml. Images would also be scanned.	N/A
Dockerfile	`Dockerfile` Images would also be scanned.	N/A
Containerfile	`Containerfile`. Images would also be scanned.	N/A
Bitbucket Pipelines	`bitbucket-pipelines.yml` images and pipes would also be scanned.	N/A
Google CloudBuild configuration	cloudbuild.yaml	N/A
OpenAPI	openapi.json, openapi.yaml	N/A

NOTE:

Apache maven 3.x is required for parsing pom.xml
gradle or gradlew is required to parse gradle projects
sbt is required for parsing scala sbt projects. Only scala 2.10 + sbt 0.13.6+ and 2.12 + sbt 1.0+ are currently supported.
- Alternatively, create a lock file using sbt-dependency-lock plugin

Footnotes:

1 - For multi-module applications, the BOM file could include components not included in the packaged war or ear file.
2 - Pip freeze is automatically performed to improve precision. Requires virtual environment.
3 - Perform dotnet or nuget restore to generate project.assets.json. Without this file, cdxgen would not include indirect dependencies.
4 - See the section on plugins
5 - Powered by osquery. See the section on plugins

Automatic usage detection

For node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to required in the resulting SBOM. You can turn off this analysis by passing the argument --no-babel. Scope property would then be set based on the dev attribute in the lock file.

This attribute can be later used for various purposes. For example, dep-scan uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.

With the argument --required-only, you can limit the SBOM only to include packages with the scope "required", commonly called production or non-dev dependencies. Combine with --no-babel to limit this list to only non-dev dependencies based on the dev attribute being false in the lock files.

For go, go mod why command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).

Usage

Installing

npm install -g @cyclonedx/cdxgen

If you are a Homebrew user, you can also install cdxgen via:

$ brew install cdxgen

Deno and bun runtime can be used with limited support.

deno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid --allow-write --allow-net -n cdxgen "npm:@cyclonedx/cdxgen/cdxgen"

You can also use the cdxgen container image with node, deno, or bun runtime versions.

The default version uses Node.js 20

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json

To use the deno version, use ghcr.io/cyclonedx/cdxgen-deno as the image name.

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno -r /app -o /app/bom.json

For the bun version, use ghcr.io/cyclonedx/cdxgen-bun as the image name.

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun -r /app -o /app/bom.json

In deno applications, cdxgen could be directly imported without any conversion. Please see the section on integration as a library

import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";

Getting Help

$ cdxgen -h
Options:
  -o, --output                 Output file. Default bom.json
                                                           [default: "bom.json"]
  -t, --type                   Project type
  -r, --recurse                Recurse mode suitable for mono-repos. Defaults to
                                true. Pass --no-recurse to disable.
                                                       [boolean] [default: true]
  -p, --print                  Print the SBOM as a table with tree.    [boolean]
  -c, --resolve-class          Resolve class names for packages. jars only for n
                               ow.                                     [boolean]
      --deep                   Perform deep searches for components. Useful whil
                               e scanning C/C++ apps, live OS and oci images.
                                                                       [boolean]
      --server-url             Dependency track url. Eg: https://deptrack.cyclon
                               edx.io
      --api-key                Dependency track api key
      --project-group          Dependency track project group
      --project-name           Dependency track project name. Default use the di
                               rectory name
      --project-version        Dependency track project version
                                                          [string] [default: ""]
      --project-id             Dependency track project id. Either provide the i
                               d or the project name and version together
                                                                        [string]
      --parent-project-id      Dependency track parent project id       [string]
      --required-only          Include only the packages with required scope on
                               the SBOM. Would set compositions.aggregate to inc
                               omplete unless --no-auto-compositions is passed.
                                                                       [boolean]
      --fail-on-error          Fail if any dependency extractor fails. [boolean]
      --no-babel               Do not use babel to perform usage analysis for Ja
                               vaScript/TypeScript projects.           [boolean]
      --generate-key-and-sign  Generate an RSA public/private key pair and then
                               sign the generated SBOM using JSON Web Signatures
                               .                                       [boolean]
      --server                 Run cdxgen as a server                  [boolean]
      --server-host            Listen address             [default: "127.0.0.1"]
      --server-port            Listen port                     [default: "9090"]
      --install-deps           Install dependencies automatically for some proje
                               cts. Defaults to true but disabled for containers
                                and oci scans. Use --no-install-deps to disable
                               this feature.           [boolean] [default: true]
      --validate               Validate the generated SBOM using json schema. De
                               faults to true. Pass --no-validate to disable.
                                                       [boolean] [default: true]
      --evidence               Generate SBOM with evidence for supported languag
                               es.                    [boolean] [default: false]
      --spec-version           CycloneDX Specification version to use. Defaults
                               to 1.5                    [number] [default: 1.5]
      --filter                 Filter components containing this word in purl or
                                component.properties.value. Multiple values allo
                               wed.                                      [array]
      --only                   Include components only containing this word in p
                               url. Useful to generate BOM with first party comp
                               onents alone. Multiple values allowed.    [array]
      --author                 The person(s) who created the BOM. Set this value
                                if you're intending the modify the BOM and claim
                                authorship.[array] [default: "OWASP Foundation"]
      --profile                BOM profile to use for generation. Default generi
                               c.
  [choices: "appsec", "research", "operational", "threat-modeling", "license-com
                                       pliance", "generic"] [default: "generic"]
      --exclude                Additional glob pattern(s) to ignore      [array]
      --include-formulation    Generate formulation section using git metadata.
                                                      [boolean] [default: false]
      --include-crypto         Include crypto libraries found under formulation.
                                                      [boolean] [default: false]
      --standard               The list of standards which may consist of regula
                               tions, industry or organizational-specific standa
                               rds, maturity models, best practices, or any othe
                               r requirements which can be evaluated against or
                               attested to.
  [array] [choices: "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "
                     pcissc-secure-slc-1.1", "scvs-1.0.0", "ssaf-DRAFT-2023-11"]
      --auto-compositions      Automatically set compositions when the BOM was f
                               iltered. Defaults to true
                                                       [boolean] [default: true]
  -h, --help                   Show help                               [boolean]
  -v, --version                Show version number                     [boolean]

All boolean arguments accept --no prefix to toggle the behavior.

Example

Minimal example.

cdxgen -o bom.json

For a java project. cdxgen would automatically detect maven, gradle, or sbt and build bom accordingly

cdxgen -t java -o bom.json

To print the SBOM as a table pass -p argument.

cdxgen -t java -o bom.json -p

To recursively generate a single BOM for all languages pass -r argument.

cdxgen -r -o bom.json

The default specification used by cdxgen is 1.5. To generate BOM for a different specification version, such as 1.6 or 1.4, pass the version number using the --spec-version argument.

# 1.6 is unsupported by most tools
cdxgen -r -o bom.json --spec-version 1.6

# 1.4 is supported by most tools
cdxgen -r -o bom.json --spec-version 1.4

To generate SBOM for C or Python, ensure Java >= 21 is installed.

# Install java >= 21
cdxgen -t c -o bom.json

NOTE: cdxgen is known to freeze with Java 8 or 11, so ensure >= 21 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.

Universal SBOM

By passing the type argument -t universal, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBOM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools.

SBOM server

Invoke cdxgen with --server argument to run it in server mode. By default, it listens to port 9090, which can be customized with the arguments --server-host and --server-port.

cdxgen --server

Or use the container image.

docker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server --server-host 0.0.0.0

Use curl or your favorite tool to pass arguments to the /sbom route.

Server arguments

Arguments can be passed either via the query string or as a JSON body. The following arguments are supported.

Argument	Description
type	Project type
multiProject	boolean
requiredOnly	Include only the packages with required scope on the SBOM. boolean
noBabel	Do not use babel to perform usage analysis for JavaScript/TypeScript projects. boolean
installDeps	Install dependencies automatically for some projects. Defaults to true but disabled for containers and oci scans. boolean
project
projectName	Dependency track project name. Default use the directory name
projectGroup	Dependency track project group
projectVersion	Dependency track project version default: ""

Health endpoint

Use the /health endpoint to check if the SBOM server is up and running.

curl "http://127.0.0.1:9090/health"

Scanning a local path

curl "http://127.0.0.1:9090/sbom?path=/Volumes/Work/sandbox/vulnerable-aws-koa-app&multiProject=true&type=js"

Scanning a git repo

curl "http://127.0.0.1:9090/sbom?url=https://github.com/HooliCorp/vulnerable-aws-koa-app.git&multiProject=true&type=js"

If you need to pass credentials to authenticate.

curl "http://127.0.0.1:9090/sbom?url=https://<access_token>@github.com/some/repo.git&multiProject=true&type=js"
curl "http://127.0.0.1:9090/sbom?url=https://<username>:<password>@bitbucket.org/some/repo.git&multiProject=true&type=js"

You can POST the arguments.

curl -H "Content-Type: application/json" http://localhost:9090/sbom -XPOST -d $'{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app.git", "type": "nodejs", "multiProject": "true"}'

Docker compose

git clone https://github.com/cyclonedx/cdxgen.git
docker compose up

War file support

cdxgen can generate a BOM file from a given war file.

# cdxgen -t java app.war
cdxgen app.war

Resolving class names

Sometimes, it is necessary to resolve class names contained in jar files. By passing an optional argument --resolve-class, it is possible to get cdxgen to create a separate mapping file with the jar name (including the version) as the key and class names list as a value.

cdxgen -t java --resolve-class -o bom.json

This would create a bom.json.map file with the jar - class name mapping. Refer to these examples to learn about the structure.

Resolving licenses

cdxgen can automatically query public registries such as maven, npm, or nuget to resolve the package licenses. This is a time-consuming operation and is disabled by default. To enable, set the environment variable FETCH_LICENSE to true, as shown. Ensure that GITHUB_TOKEN is set or provided by built-in GITHUB_TOKEN in GitHub Actions, otherwise rate limiting might prevent license resolving.

export FETCH_LICENSE=true

Dependency Tree

cdxgen can retain the dependency tree under the dependencies attribute for a small number of supported package manifests. These are currently limited to:

package-lock.json
yarn.lock
pnpm-lock.yaml
Maven (pom.xml)
Gradle
Scala SBT
Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)
.NET (packages.lock.json, project.assets.json, paket.lock)
Go (go.mod)
PHP (composer.lock)
Ruby (Gemfile.lock)
Rust (Cargo.lock)

Environment variables

Variable	Description
CDXGEN_DEBUG_MODE	Set to `debug` to enable debug messages
GITHUB_TOKEN	Specify GitHub token to prevent traffic shaping while querying license and repo information
MVN_CMD	Set to override maven command
MVN_ARGS	Set to pass additional arguments such as profile or settings to maven
MAVEN_HOME	Specify maven home
MAVEN_CENTRAL_URL	Specify URL of Maven Central for metadata fetching (e.g. when private repo is used)
ANDROID_MAVEN_URL	Specify URL of Android Maven Repository for metadata fetching (e.g. when private repo is used)
BAZEL_TARGET	Bazel target to build. Default :all (Eg: //java-maven)
BAZEL_STRIP_MAVEN_PREFIX	Strip Maven group prefix (e.g. useful when private repo is used, defaults to `/maven2/`)
BAZEL_USE_ACTION_GRAPH	SBOM for specific Bazel target, uses `bazel aquery 'outputs(".*.jar", deps(<BAZEL_TARGET>))'` (defaults to `false`)
GRADLE_CACHE_DIR	Specify gradle cache directory. Useful for class name resolving
GRADLE_MULTI_PROJECT_MODE	Unused. Automatically handled
GRADLE_ARGS	Set to pass additional arguments such as profile or settings to gradle (all tasks). Eg: --configuration runtimeClassPath
GRADLE_ARGS_PROPERTIES	Set to pass additional arguments only to the `gradle properties` task, used for collecting metadata about the project
GRADLE_ARGS_DEPENDENCIES	Set to pass additional arguments only to the `gradle dependencies` task, used for listing actual project dependencies
GRADLE_HOME	Specify gradle home
GRADLE_CMD	Set to override gradle command
GRADLE_DEPENDENCY_TASK	By default cdxgen use the task "dependencies" to collect packages. Set to override the task name.
SBT_CACHE_DIR	Specify sbt cache directory. Useful for class name resolving
FETCH_LICENSE	Set this variable to `true` or `1` to fetch license information from the registry. npm and golang
SEARCH_MAVEN_ORG	If maven metadata is missing in jar file, a search is performed on search.maven.org. Set to `false` or `0` to disable search.
USE_GOSUM	Set to `true` or `1` to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod
CDXGEN_TIMEOUT_MS	Default timeout for known execution involving maven, gradle or sbt
CDXGEN_SERVER_TIMEOUT_MS	Default timeout in server mode
CDXGEN_MAX_BUFFER	Max buffer for stdout and stderr. Defaults to 100MB
CLJ_CMD	Set to override the clojure cli command
LEIN_CMD	Set to override the leiningen command
SBOM_SIGN_ALGORITHM	Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc
SBOM_SIGN_PRIVATE_KEY	Private key to use for signing
SBOM_SIGN_PUBLIC_KEY	Optional. Public key to include in the SBOM signature
CDX_MAVEN_PLUGIN	CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.11"
CDX_MAVEN_GOAL	CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom
CDX_MAVEN_INCLUDE_TEST_SCOPE	Whether test scoped dependencies should be included from Maven projects, Default: true
ASTGEN_IGNORE_DIRS	Comma separated list of directories to ignore while analyzing using babel. The environment variable is also used by atom and astgen.
ASTGEN_IGNORE_FILE_PATTERN	Ignore regex to use
PYPI_URL	Override pypi url. Default: https://pypi.org/pypi/

Plugins

cdxgen could be extended with external binary plugins to support more SBOM use cases. These are now installed as an optional dependency.

sudo npm install -g @cyclonedx/cdxgen-plugins-bin

Docker / OCI container support

docker type is automatically detected based on the presence of values such as sha256 or docker.io prefix etc in the path.

cdxgen odoo@sha256:4e1e147f0e6714e8f8c5806d2b484075b4076ca50490577cdf9162566086d15e -o /tmp/bom.json

You can also pass -t docker with repository names. Only the latest tag would be pulled if none was specified.

cdxgen shiftleft/scan-slim -o /tmp/bom.json -t docker

You can also pass the .tar file of a container image.

docker pull shiftleft/scan-slim
docker save -o /tmp/slim.tar shiftleft/scan-slim
podman save -q --format oci-archive -o /tmp/slim.tar shiftleft/scan-slim
cdxgen /tmp/slim.tar -o /tmp/bom.json -t docker

Podman in rootless mode

Setup podman in either rootless or remote mode

Do not forget to start the podman socket required for API access on Linux.

systemctl --user enable --now podman.socket
systemctl --user start podman.socket
podman system service -t 0 &

Generate OBOM for a live system

You can use the obom command to generate an OBOM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.

# obom is an alias for cdxgen -t os
obom
# cdxgen -t os

This feature is powered by osquery, which is installed along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the default queries. The process would take several minutes and result in an SBOM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.

Generate Cryptography Bill of Materials (CBOM)

Use the cbom alias to generate a CBOM. This is currently supported only for Java projects.

cbom -t java
# cdxgen -t java --include-crypto -o bom.json .

Generating SaaSBOM and component evidences

See evinse mode in the advanced documentation.

BOM signing

cdxgen can sign the generated BOM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.

SBOM_SIGN_ALGORITHM: Algorithm. Example: RS512
SBOM_SIGN_PRIVATE_KEY: Location to the RSA private key
SBOM_SIGN_PUBLIC_KEY: Optional. Location to the RSA public key

To generate test public/private key pairs, you can run cdxgen by passing the argument --generate-key-and-sign. The generated json file would have an attribute called signature, which could be used for validation. jwt.io is a known site that could be used for such signature validation.

SBOM signing

Verifying the signature

Use the bundled cdx-verify command, which supports verifying a single signature added at the bom level.

npm install -g @cyclonedx/cdxgen
cdx-verify -i bom.json --public-key public.key

Custom verification tool (Node.js example)

There are many libraries available to validate JSON Web Tokens. Below is a javascript example.

# npm install jws
const jws = require("jws");
const fs = require("fs");
// Location of the SBOM json file
const bomJsonFile = "bom.json";
// Location of the public key
const publicKeyFile = "public.key";
const bomJson = JSON.parse(fs.readFileSync(bomJsonFile, "utf8"));
// Retrieve the signature
const bomSignature = bomJson.signature.value;
const validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, fs.readFileSync(publicKeyFile, "utf8"));
if (validationResult) {
  console.log("Signature is valid!");
} else {
  console.log("SBOM signature is invalid :(");
}

Automatic services detection

cdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the services attribute in the generated SBOM. With evinse, additional services could be detected by parsing common annotations from the source code.

Conversion to SPDX format

Use the CycloneDX CLI tool for advanced use cases such as conversion, diff and merging.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Integration as library

cdxgen is ESM only and could be imported and used with both deno and Node.js >= 20

Minimal example:

import { createBom, submitBom } from "npm:@cyclonedx/cdxgen@^9.0.1";

See the Deno Readme for detailed instructions.

import { createBom, submitBom } from "@cyclonedx/cdxgen";
// bomNSData would contain bomJson
const bomNSData = await createBom(filePath, options);
// Submission to dependency track server
const dbody = await submitBom(args, bomNSData.bomJson);

Node.js >= 20 permission model

Refer to the permissions document

Contributing

Follow the usual PR process, but before raising a PR, run the following commands.

# Generate types using jsdoc syntax
npm run gen-types
# Run biomejs formatter and linter with auto fix
npm run lint
# Run jest tests
npm test

If you are completely new to contributing to open-source projects, then look for issues with the labels "good first issue" or "help wanted".

Enterprise support

Enterprise support, including custom development and integration services, is available via AppThreat Ltd. Free community support is also available via Discord.