Have ideas to improve npm?Join in the discussion! »


    2.2.19 • Public • Published

    CycloneDX Generator

    This script creates a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for node.js, php, python, java and Go projects in XML and JSON format. CycloneDX 1.2 is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.

    Supported languages and package format

    Language Package format
    node.js package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js
    java maven (pom.xml [1]), gradle (build.gradle, .kts), scala (sbt)
    php composer.lock
    python setup.py, requirements.txt [2], Pipfile.lock, poetry.lock
    go go.mod, go.sum, Gopkg.lock
    ruby Gemfile.lock
    rust Cargo.lock
    .Net Framework .csproj, packages.config
    .Net core .csproj, packages.config


    • Apache maven 3.x is required for parsing pom.xml
    • gradle or gradlew is required to parse gradle projects
    • sbt is required for parsing scala sbt projects. Only scala 2.10 + sbt 0.13.6+ and 2.12 + sbt 1.0+ is supported for now.
      • Alternatively, create a lock file using sbt-dependency-lock plugin


    [1] - For multi-module application, the BoM file could include components that may not be included in the packaged war or ear file. [2] - Use pip freeze to improve the accuracy for requirements.txt based parsing.

    Automatic usage detection (Node.js)

    There is a basic AST parser powered by babel-parser to detect packages that are imported and used in Node.js and TypeScript projects. Such imported packages would automatically have their scope property set to required. This attribute can be later used for various purposes. For example, dep-scan use this attribute to prioritize vulnerabilities.



    npm install -g @appthreat/cdxgen

    Getting Help

    $ cdxgen -h
      --version, -v        Print version number                            [boolean]
      --output, -o         Output file for bom.xml or bom.json. Default console
      --type, -t           Project type
      --recurse, -r        Recurse mode suitable for mono-repos            [boolean]
      --resolve-class, -c  Resolve class names for packages. jars only for now.
      --server-url         Dependency track or AppThreat server url. Eg:
      --api-key            Dependency track or AppThreat server api key
      --project-name       Dependency track or AppThreat project name. Default use
                           the directory name
      --project-version    Dependency track or AppThreat project version. Default
                           master                                [default: "master"]
      --project-id         Dependency track or AppThreat project id. Either provide
                           the id or the project name and version together
      -h                   Show help                                       [boolean]


    Minimal example.

    cdxgen -o bom.xml


    cdxgen would always produce bom in both xml and json format as per CycloneDX 1.2 specification. json is the recommended format.

    For a java project. This would automatically detect maven, gradle or sbt and build bom accordingly

    cdxgen -t java -o bom.xml

    War file support

    cdxgen can generate a BoM file from a given war file.

    # cdxgen -t java app.war
    cdxgen app.war

    Resolving class names

    Sometimes it is necessary to resolve class names contained in jar files. By passing an optional argument --resolve-class, it is possible to get cdxgen create a separate mapping file with the jar name (including the version) as the key and class names list as a value.

    cdxgen -t java --resolve-class -o bom.json

    This would create a bom.json.map file with the jar - class name mapping. Refer to these examples to learn about the structure.

    Environment variables

    Variable Description
    SCAN_DEBUG_MODE Set to debug to enable debug messages
    GITHUB_TOKEN Specify GitHub token to prevent traffic shaping while querying license and repo information
    MVN_CMD Set to override maven command
    MVN_ARGS Set to pass additional arguments such as profile or settings to maven
    MAVEN_HOME Specify maven home
    GRADLE_CACHE_DIR Specify gradle cache directory. Useful for class name resolving
    SBT_CACHE_DIR Specify sbt cache directory. Useful for class name resolving
    FETCH_LICENSE Set to true to fetch license information from the registry. npm and golang only
    USE_GOSUM Set to true to generate BOMs for golang projects using go.sum as the dependency source of truth, instead of go.mod
    CDXGEN_TIMEOUT_MS Default timeout for known execution involving maven, gradle or sbt

    Integration with GitHub action

    Use the GitHub action to automatically generate and upload bom to the server. Refer to nodejs.yml in this repo for a working example.

    Integration with Google CloudBuild

    Use this custom builder and refer to the readme for instruction.


    Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.


    npm i @appthreat/cdxgen

    DownloadsWeekly Downloads






    Unpacked Size

    183 kB

    Total Files


    Last publish


    • avatar