Learn about our RFC process, Open RFC meetings & more.Join in the discussion! »

@appthreat/cdxgen

2.0.11 • Public • Published

CycloneDX Generator

This script creates a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for node.js, php, python, java and Go projects in XML and JSON format. CycloneDX 1.2 is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.

Supported languages and package format

Language Package format
node.js package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js
java maven (pom.xml), gradle (build.gradle, .kts), scala (sbt)
php composer.lock
python setup.py, requirements.txt, Pipfile.lock, poetry.lock
go go.sum, Gopkg.lock
ruby Gemfile.lock
rust Cargo.lock
.Net core .csproj

NOTE:

  • Apache maven is required for parsing pom.xml
  • gradle or gradlew is required to parse gradle projects
  • sbt is required for parsing scala sbt projects

Automatic usage detection (Node.js)

There is a basic AST parser powered by babel-parser to detect packages that are imported and used in Node.js and TypeScript projects. Such imported packages would automatically have their scope property set to required. This attribute can be later used for various purposes. For example, dep-scan use this attribute to prioritize vulnerabilities.

Usage

Installing

npm install -g @appthreat/cdxgen

Getting Help

$ cdxgen -h
Options:
  --version, -v      Print version number                              [boolean]
  --output, -o       Output file for bom.xml or bom.json. Default console
  --type, -t         Project type
  --recurse, -r      Recurse mode suitable for mono-repos              [boolean]
  --server-url       Dependency track or AppThreat server url. Eg:
                     https://deptrack.appthreat.io
  --api-key          Dependency track or AppThreat server api key
  --project-name     Dependency track or AppThreat project name. Default use the
                     directory name
  --project-version  Dependency track or AppThreat project version. Default
                     master                                  [default: "master"]
  --project-id       Dependency track or AppThreat project id. Either provide
                     the id or the project name and version together
  -h                 Show help                                         [boolean]

Example

cdxgen -o bom.xml

Integration with GitHub action

Use the GitHub action to automatically generate and upload bom to the server. Refer to nodejs.yml in this repo for a working example.

Integration with Google CloudBuild

Use this custom builder and refer to the readme for instruction.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Install

npm i @appthreat/cdxgen

DownloadsWeekly Downloads

248

Version

2.0.11

License

Apache-2.0

Unpacked Size

132 kB

Total Files

13

Last publish

Collaborators

  • avatar