This script creates a valid CycloneDX Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for node.js, python, java and golang projects. Optionally, it can submit the generated BOM to dependency track or AppThreat server for analysis. CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.
Supported languages and package format
|java||maven (pom.xml), gradle (build.gradle)|
|python||requirements.txt, Pipfile.lock, poetry.lock|
- Apache maven is required for parsing pom.xml
- gradle or gradlew is required to parse gradle projects
- License information is not available for golang projects as of now. It might be possible to build this information by parsing all folders in the GOPATH and extracting license files. Any PR welcome :)
npm install -g @appthreat/cdxgen
$ cdxgen -hOptions:--version, -v Print version number [boolean]--output, -o Output file
cdxgen -o bom.xml
Integration with GitHub action
Use the GitHub action to automatically generate and upload bom to the server. Refer to
nodejs.yml in this repo for a working example.
Integration with Google CloudBuild
Use this custom builder and refer to the readme for instruction.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.