CycloneDX Generator

This script creates a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for node.js, php, python, java and Go projects in XML and JSON format. CycloneDX 1.2 is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.

Supported languages and package format

Language	Package format
node.js	package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js
java	maven (pom.xml), gradle (build.gradle, .kts), scala (sbt)
php	composer.lock
python	setup.py, requirements.txt, Pipfile.lock, poetry.lock
go	go.sum, Gopkg.lock
ruby	Gemfile.lock
rust	Cargo.lock
.Net Framework	.csproj
.Net core	.csproj

NOTE:

Apache maven 3.x is required for parsing pom.xml
gradle or gradlew is required to parse gradle projects
sbt is required for parsing scala sbt projects

Automatic usage detection (Node.js)

There is a basic AST parser powered by babel-parser to detect packages that are imported and used in Node.js and TypeScript projects. Such imported packages would automatically have their scope property set to required. This attribute can be later used for various purposes. For example, dep-scan use this attribute to prioritize vulnerabilities.

Usage

Installing

npm install -g @appthreat/cdxgen

Getting Help

$ cdxgen -h
Options:
  --version, -v      Print version number                              [boolean]
  --output, -o       Output file for bom.xml or bom.json. Default console
  --type, -t         Project type
  --recurse, -r      Recurse mode suitable for mono-repos              [boolean]
  --server-url       Dependency track or AppThreat server url. Eg:
                     https://deptrack.appthreat.io
  --api-key          Dependency track or AppThreat server api key
  --project-name     Dependency track or AppThreat project name. Default use the
                     directory name
  --project-version  Dependency track or AppThreat project version. Default
                     master                                  [default: "master"]
  --project-id       Dependency track or AppThreat project id. Either provide
                     the id or the project name and version together
  -h                 Show help                                         [boolean]

Example

cdxgen -o bom.xml

Integration with GitHub action

Use the GitHub action to automatically generate and upload bom to the server. Refer to nodejs.yml in this repo for a working example.

Integration with Google CloudBuild

Use this custom builder and refer to the readme for instruction.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

jerryline / cdxgen