
Building an SBOM file

Swift/Objective-C (cocoapods) Projects

For projects written in Swift or Objective-C, you can use cyclonedx-cocoapods. Example command for generating a CycloneDX SBOM file:

cyclonedx-cocoapods --path /path/to/project --output /path/to/bom.xml

where --path is the path to your project, and --output is the path to the SBOM file.

As a result, you will get an .xml file. To convert it to .json, use cyclonedx-cli. Example command for converting CycloneDX XML to CycloneDX JSON:

cyclonedx convert --input-file /path/to/bom.xml --input-format xml --output-file /path/to/bom.json --output-format json

where:
--input-file - path to the original file
--input-format - original file format
--output-file - path to the converted file
--output-format - converted file format

Please note that this generator does not create a transitive dependency tree: the resulting SBOM lists components but does not record which component depends on which.

In most cases, cdxgen can be used to generate an SBOM file. Below are some examples for different languages.

JavaScript Projects

cd /path/to/project
cdxgen -t node.js -o /path/to/sbom.json

where -t is the project’s type, and -o is the path to the SBOM file.

Java/Scala/Kotlin (Maven/Gradle) Projects

cd /path/to/project
cdxgen -t java -o /path/to/sbom.json

C/C++ (conan) Projects

cd /path/to/project
cdxgen -t c/c++ -o /path/to/sbom.json

Please note that a transitive dependency tree will be generated only if the dependencies are described in conan.lock.

PHP (Composer) Projects

cd /path/to/project
cdxgen -t php -o /path/to/sbom.json

Swift (SwiftPM) Projects

cd /path/to/project
cdxgen -t swift -o /path/to/sbom.json

C# (.Net) Projects

cd /path/to/project
cdxgen -t .Net -o /path/to/sbom.json

Please note that a transitive dependency tree will be generated only if both project.assets.json and packages.lock.json are present in the project.
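Several of the notes above warn that a generator may emit a flat component list without a transitive dependency tree (cyclonedx-cocoapods always, cdxgen for conan and .Net projects when the lock files are missing). The following Python check is an added example, not part of this page or of any of the tools it names: it reads a CycloneDX JSON file and reports whether a dependency graph is actually present, how many components are reachable transitively from the root component, and which components no dependency edge reaches. It relies only on the standard CycloneDX JSON fields (metadata.component, components[].bom-ref, dependencies[].ref and dependsOn); the two embedded BOMs are constructed samples, not generator output.

```python
import json
import sys

# Constructed sample: a minimal CycloneDX 1.4 JSON BOM whose generator recorded
# a two-level dependency graph (app -> libA -> libB). Not real generator output.
SAMPLE_BOM_WITH_GRAPH = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "app",
                               "version": "1.0", "bom-ref": "pkg:generic/app@1.0"}},
    "components": [
        {"type": "library", "name": "libA", "version": "2.1.0", "bom-ref": "pkg:generic/libA@2.1.0"},
        {"type": "library", "name": "libB", "version": "0.9.3", "bom-ref": "pkg:generic/libB@0.9.3"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/app@1.0", "dependsOn": ["pkg:generic/libA@2.1.0"]},
        {"ref": "pkg:generic/libA@2.1.0", "dependsOn": ["pkg:generic/libB@0.9.3"]},
        {"ref": "pkg:generic/libB@0.9.3", "dependsOn": []},
    ],
})

# Constructed sample: the same components, but flat, with no "dependencies"
# section at all. This is the shape the page warns about when no lock file is
# available to the generator.
SAMPLE_BOM_FLAT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "app",
                               "version": "1.0", "bom-ref": "pkg:generic/app@1.0"}},
    "components": [
        {"type": "library", "name": "libA", "version": "2.1.0", "bom-ref": "pkg:generic/libA@2.1.0"},
        {"type": "library", "name": "libB", "version": "0.9.3", "bom-ref": "pkg:generic/libB@0.9.3"},
    ],
})


def dependency_graph_report(bom_json: str) -> dict:
    """Summarise the dependency graph of a CycloneDX JSON document.

    Returns a dict with:
      components  - number of entries in "components"
      has_graph   - True only if at least one dependency edge exists
      edges       - total number of dependsOn edges
      direct      - bom-refs the root component depends on directly
      transitive  - bom-refs reachable from the root but not direct
      orphans     - component bom-refs that no path from the root reaches
    """
    bom = json.loads(bom_json)
    components = bom.get("components", [])
    refs = {c["bom-ref"] for c in components if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")

    # Build adjacency from the "dependencies" array; tolerate its absence and
    # tolerate entries with an empty dependsOn list (both mean "no graph").
    edges = {}
    for d in bom.get("dependencies") or []:
        edges[d["ref"]] = set(d.get("dependsOn") or [])
    edge_count = sum(len(v) for v in edges.values())

    direct = set(edges.get(root, set())) if root else set()

    # Depth-first walk from the direct dependencies to find everything the
    # root pulls in transitively.
    reachable = set()
    stack = list(direct)
    while stack:
        ref = stack.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        stack.extend(edges.get(ref, ()))

    return {
        "components": len(components),
        "has_graph": edge_count > 0,
        "edges": edge_count,
        "direct": sorted(direct),
        "transitive": sorted(reachable - direct),
        "orphans": sorted(refs - reachable),
    }


if __name__ == "__main__":
    # Usage: python check_sbom_graph.py /path/to/sbom.json
    # (file name is hypothetical); with no argument, the constructed samples run.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(json.dumps(dependency_graph_report(fh.read()), indent=2))
    else:
        for label, bom in (("with graph", SAMPLE_BOM_WITH_GRAPH), ("flat", SAMPLE_BOM_FLAT)):
            print(label, json.dumps(dependency_graph_report(bom), indent=2))
```

A BOM whose report shows has_graph false, or whose orphans list is as long as its component list, carries no usable dependency tree; for the conan and .Net cases that usually means the lock files named above were absent when cdxgen ran, and regenerating with them in place is the fix. The orphans list is also a quick way to spot components a generator listed but never connected to anything.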

Projects Written in Other Languages

To find an SBOM file generator for other languages, please see the link. All of the listed generators produce CycloneDX-compatible SBOMs.