README.md: 22 additions & 11 deletions
@@ -10,24 +10,36 @@
10
10
11
11

12
12
13
-
cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies for C/C++, Node.js, PHP, Python, Ruby, Rust, Java, .Net, Dart, Haskell, Elixir, and Go projects in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.6.
13
+
cdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.6.
14
14
15
-
When used with plugins:
15
+
Supported BOM formats:
16
16
17
-
- cdxgen could generate an OBOM for Linux docker images and even VMs running Linux or Windows operating systems
18
-
- cdxgen also includes an evinse tool to generate component evidence, CBOM, and SaaSBOM for some languages
17
+
- Software (SBOM) - For many languages and container images.
18
+
- Cryptography (CBOM) - For Java and Python projects.
19
+
- Operations (OBOM) - For Linux container images and VMs running Linux or Windows operating systems.
20
+
- Software-as-a-Service (SaaSBOM) - For Java, Python, JavaScript, TypeScript, and PHP projects.
21
+
- Attestations (CDXA) - Generate SBOM with templates for multiple standards. Sign the BOM document at a granular level to improve authenticity.
22
+
- Vulnerability Disclosure Report (VDR) - Use cdxgen with [OWASP depscan](https://github.com/owasp-dep-scan/dep-scan) to automate the generation of VDR at scale.
19
23
20
24
## Why cdxgen?
21
25
22
26
Most SBOM tools are like simple barcode scanners. For easy applications, they can parse a few package manifests and create a list of components only based on these files without any deep inspection. Further, a typical application might have several repos, components, and libraries with complex build requirements. Traditional techniques to generate an SBOM per language or package manifest either do not work in enterprise environments or don't provide the confidence required for both compliance and automated analysis. So we built cdxgen - the universal polyglot SBOM generator that is user-friendly, precise, and comprehensive!
- Explainability: Don't list, but explain with evidence.
33
+
- Precision: Try using multiple techniques to improve precision, even if it takes extra time.
34
+
- Personas: Cater to the needs of a range of personas such as security researchers, compliance auditors, developers, and SOC.
35
+
- Lifecycle: Support BOM generation for various product lifecycles.
36
+
26
37
## Documentation
27
38
28
-
Please visit our [documentation site][docs-homepage] for detailed usage, tutorials and support documentation.
39
+
Please visit our [documentation site][docs-homepage] for detailed usage, tutorials, and support documentation.
29
40
30
41
Sections include:
42
+
31
43
-[Getting Started][docs-homepage]
32
44
-[CLI Usage][docs-cli]
33
45
-[Server Usage][docs-server]
@@ -37,7 +49,6 @@ Sections include:
37
49
-[Permissions][docs-permissions]
38
50
-[Support (Enterprise & Community)][docs-support]
39
51
40
-
41
52
### Automatic usage detection
42
53
43
54
For node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.
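Review bot: the rewritten intro sentence drops the explicit list of supported ecosystems (C/C++, Node.js, PHP, Python, Ruby, Rust, Java, .Net, Dart, Haskell, Elixir, and Go), and the removed bullet about the `evinse` tool was the only place the README named how component evidence is produced, so a reader of the new text learns neither which languages are covered nor where CBOM and SaaSBOM output comes from. Suggest pointing the "Software (SBOM) - For many languages and container images." bullet at the supported-languages section of the documentation site, and naming `evinse` in the CBOM and SaaSBOM bullets, since the removed line describes those as evinse output. The phrase "Sign the BOM document at a granular level to improve authenticity" would also be more useful stating what the signature actually gives a consumer (integrity and origin of the BOM) and linking to the signing documentation.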
@@ -472,8 +483,6 @@ Use the [CycloneDX CLI][cyclonedx-cli-github] tool for advanced use cases such a
472
483
473
484
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE][github-license] file for the full license.
474
485
475
-
476
-
477
486
## Integration as library
478
487
479
488
cdxgen is [ESM only](https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c) and could be imported and used with both deno and Node.js >= 20