This script creates a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for node.js, php, python, java and Go projects in XML and JSON format. CycloneDX 1.2 is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.
Supported languages and package format
|node.js||package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js|
|java||maven (pom.xml), gradle (build.gradle, .kts), scala (sbt)|
|python||setup.py, requirements.txt, Pipfile.lock, poetry.lock|
- Apache maven is required for parsing pom.xml
- gradle or gradlew is required to parse gradle projects
- sbt is required for parsing scala sbt projects
Automatic usage detection (Node.js)
There is a basic AST parser powered by babel-parser to detect packages that are imported and used in Node.js and TypeScript projects. Such imported packages would automatically have their
scope property set to
required. This attribute can be later used for various purposes. For example, dep-scan use this attribute to prioritize vulnerabilities.
npm install -g @appthreat/cdxgen
$ cdxgen -hOptions:--version, -v Print version number [boolean]--output, -o Output file
cdxgen -o bom.xml
Integration with GitHub action
Use the GitHub action to automatically generate and upload bom to the server. Refer to
nodejs.yml in this repo for a working example.
Integration with Google CloudBuild
Use this custom builder and refer to the readme for instruction.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.