
Building an SBOM file

Swift/Objective-C (cocoapods) Projects

For projects written in Swift or Objective-C, you can use cyclonedx-cocoapods. Command example for SBOM CycloneDX file generation:

cyclonedx-cocoapods --path /path/to/project --output /path/to/bom.xml

where --path is the path to your project, and --output is the path to the SBOM file.

As a result, you will get an .xml file. To convert it to .json, use cyclonedx-cli. Command example to convert CycloneDX-XML to CycloneDX-JSON:

cyclonedx convert --input-file /path/to/bom.xml --input-format xml --output-file /path/to/bom.json --output-format json

where:
--input-file - path to the original file
--input-format - original file format
--output-file - path to the converted file
--output-format - converted file format

Please note that this generator does not create a transitive dependency tree: the resulting SBOM lists the pods, but not which pod pulls in which.

In most cases, cdxgen can be used to generate an SBOM file. Below are some examples for different languages.

JavaScript Projects

cd /path/to/project
cdxgen -t node.js -o /path/to/sbom.json

where -t is the project’s type, and -o is the path to the SBOM file.

Java/Scala/Kotlin (Maven/Gradle) Projects

cd /path/to/project
cdxgen -t java -o /path/to/sbom.json

C/C++ (conan) Projects

cd /path/to/project
cdxgen -t c/c++ -o /path/to/sbom.json

Please note that a transitive dependency tree will be generated only if the dependencies are described in conan.lock.

PHP (Composer) Projects

cd /path/to/project
cdxgen -t php -o /path/to/sbom.json

Swift (SwiftPM) Projects

cd /path/to/project
cdxgen -t swift -o /path/to/sbom.json

C# (.Net) Projects

cd /path/to/project
cdxgen -t .Net -o /path/to/sbom.json

Please note that a transitive dependency tree will be generated only in the presence of the project.assets.json and packages.lock.json files.
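Several of the generators above produce an SBOM without a transitive dependency tree when no lock file is present, and a flat SBOM is easy to mistake for a complete one. The following checker is an added example, not part of this documentation or of the cdxgen / cyclonedx-cli projects: it reads a CycloneDX JSON file and reports whether the dependencies section actually carries edges below the root component, which components the generator listed but never linked, and which dependsOn references point at nothing. The two sample SBOMs embedded in it are constructed for illustration, and their bom-ref values (pkg:app, pkg:a, ...) are placeholders rather than real package URLs.

```python
"""Check a CycloneDX JSON SBOM for a usable transitive dependency graph.

Added example (not from the page or from cdxgen / cyclonedx-cli). Works on
CycloneDX 1.2+ JSON, where the optional "dependencies" array holds entries
of the form {"ref": <bom-ref>, "dependsOn": [<bom-ref>, ...]}.
"""
import json
import sys

# Constructed sample SBOMs (not produced by any real generator).
# FLAT_BOM is what a generator emits without a lock file: every component
# hangs directly off the root and nothing below the root is linked.
FLAT_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:app", "name": "app", "type": "application"}},
    "components": [
        {"bom-ref": "pkg:a", "name": "a", "version": "1.0", "type": "library"},
        {"bom-ref": "pkg:b", "name": "b", "version": "2.0", "type": "library"},
    ],
    "dependencies": [
        {"ref": "pkg:app", "dependsOn": ["pkg:a", "pkg:b"]},
    ],
})

# TREE_BOM has a real tree (app -> a -> b) plus two defects worth flagging:
# pkg:c is listed but unreachable, and pkg:missing is referenced but not listed.
TREE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:app", "name": "app", "type": "application"}},
    "components": [
        {"bom-ref": "pkg:a", "name": "a", "version": "1.0", "type": "library"},
        {"bom-ref": "pkg:b", "name": "b", "version": "2.0", "type": "library"},
        {"bom-ref": "pkg:c", "name": "c", "version": "3.0", "type": "library"},
    ],
    "dependencies": [
        {"ref": "pkg:app", "dependsOn": ["pkg:a"]},
        {"ref": "pkg:a", "dependsOn": ["pkg:b", "pkg:missing"]},
    ],
})


def load_bom(text: str) -> dict:
    """Parse JSON and refuse anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def dependency_stats(bom: dict) -> dict:
    """Summarise the dependency graph and flag gaps a flat SBOM would hide."""
    components = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}

    direct = set(edges.get(root_ref, []))
    # Edges originating anywhere other than the root are the transitive tree.
    transitive_edges = sum(len(v) for ref, v in edges.items() if ref != root_ref)

    # Walk from the root to find what is actually linked into the graph.
    reachable, stack = set(), ([root_ref] if root_ref else [])
    while stack:
        for child in edges.get(stack.pop(), []):
            if child not in reachable:
                reachable.add(child)
                stack.append(child)

    referenced = {child for children in edges.values() for child in children}
    return {
        "components": len(components),
        "direct": len(direct),
        "transitive_edges": transitive_edges,
        "has_transitive_tree": transitive_edges > 0,
        # Listed by the generator but never linked from the root.
        "unlinked": sorted(components - reachable),
        # Referenced in dependsOn but absent from the component list.
        "dangling": sorted(referenced - components - {root_ref}),
    }


def check_file(path: str) -> dict:
    """Load an SBOM from disk (e.g. the bom.json produced above) and report on it."""
    with open(path, encoding="utf-8") as fh:
        return dependency_stats(load_bom(fh.read()))


if __name__ == "__main__":
    # Usage: python sbom_check.py /path/to/sbom.json  (falls back to the samples)
    if len(sys.argv) > 1:
        print(json.dumps(check_file(sys.argv[1]), indent=2))
    else:
        for name, text in (("flat", FLAT_BOM), ("tree", TREE_BOM)):
            print(name, json.dumps(dependency_stats(load_bom(text))))
```

Run it against the bom.json produced by any of the commands on this page: has_transitive_tree being false on a project that has more than a handful of direct dependencies usually means the lock file the generator needed was not present, and a non-empty unlinked list means the generator enumerated packages it could not place in the graph, so vulnerability matching on that SBOM will not tell you which direct dependency introduced a flagged package.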

Projects Written in Other Languages

To find an SBOM file generator for other programming languages, please see the link. All of the listed generators are compatible with SBOM CycloneDX.