{"id":13532845,"url":"https://github.com/CycloneDX/cdxgen","last_synced_at":"2025-04-01T21:31:16.838Z","repository":{"id":37451009,"uuid":"230924711","full_name":"CycloneDX/cdxgen","owner":"CycloneDX","description":"Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. GPT: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen","archived":false,"fork":false,"pushed_at":"2025-03-30T09:06:35.000Z","size":26852,"stargazers_count":659,"open_issues_count":375,"forks_count":176,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-03-30T10:19:38.539Z","etag":null,"topics":["bom","cbom","containers","cyclonedx","docker","oci","owasp","package-url","purl","saasbom","sbom","sca","software-bill-of-materials","supply-chain"],"latest_commit_sha":null,"homepage":"https://cyclonedx.github.io/cdxgen/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"CycloneDX/cyclonedx-node-module","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CycloneDX.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":"docs/SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"]}},"created_at":"2019-12-30T13:55:18.000Z","updated_at":"2025-03-30T09:06:38.000Z","dependencies_parsed_at":"2023-10-22T20:20:50.007Z","dependency_job_id":"699983db-2adf-40fc-b913-d2d90b2bf7a5","html_url":"https://github.com/CycloneDX/cdxgen","commit_stats":{"total_commits":1382,"total_committers":99,"mean_commits":13.95959595959596,"dds":0.5412445730824891,"last_synced_commit":"50a2d4f4c2ee2abfac91330b1884538e186b84b5"},"previous_names":["appthreat/cdxgen"],"tags_count":450,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcdxgen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcdxgen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcdxgen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcdxgen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CycloneDX","download_url":"https://codeload.github.com/CycloneDX/cdxgen/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246307933,"owners_count":20756478,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bom","cbom","containers","cyclonedx","docker","oci","owasp","package-url","purl","saasbom","sbom","sca","software-bill-of-materials","supply-chain"],"created_at":"2024-08-01T07:01:14.233Z","updated_at":"2025-04-01T21:31:11.817Z","avatar_url":"https://github.com/CycloneDX.png","language":"JavaScript","readme":"[![JSR][badge-jsr]][jsr-cdxgen]\n[![NPM][badge-npm]][npmjs-cdxgen]\n[![GitHub Releases][badge-github-releases]][github-releases]\n[![NPM Downloads][badge-npm-downloads]][npmjs-cdxgen]\n[![GitHub License][badge-github-license]][github-license]\n[![GitHub Contributors][badge-github-contributors]][github-contributors]\n[![SWH][badge-swh]][swh-cdxgen]\n\n# CycloneDX Generator (cdxgen)\n\n![cdxgen logo](./docs/_media/cdxgen.png)\n\ncdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Bill of Materials (BOM) containing an aggregate of all project dependencies in JSON format. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.4 - 1.6.\n\nSupported BOM formats:\n\n- Software (SBOM) - For many languages and container images.\n- Cryptography (CBOM) - For Java and Python projects.\n- Operations (OBOM) - For Linux container images and VMs running Linux or Windows operating systems.\n- Software-as-a-Service (SaaSBOM) - For Java, Python, JavaScript, TypeScript, and PHP projects.\n- Attestations (CDXA) - Generate SBOM with templates for multiple standards. Sign the BOM document at a granular level to improve authenticity.\n- Vulnerability Disclosure Report (VDR) - Use cdxgen with [OWASP depscan](https://github.com/owasp-dep-scan/dep-scan) to automate the generation of VDR at scale.\n\n## Why cdxgen?\n\nMost SBOM tools are like simple barcode scanners. For easy applications, they can parse a few package manifests and create a list of components only based on these files without any deep inspection. Further, a typical application might have several repos, components, and libraries with complex build requirements. Traditional techniques to generate an SBOM per language or package manifest either do not work in enterprise environments or don't provide the confidence required for both compliance and automated analysis. So we built cdxgen - the universal polyglot SBOM generator that is user-friendly, precise, and comprehensive!\n\n\u003cimg src=\"./docs/_media/why-cdxgen.jpg\" alt=\"why cdxgen\" width=\"256\"\u003e\n\nOur philosophy:\n\n- Explainability: Don't list, but explain with evidence.\n- Precision: Try using multiple techniques to improve precision, even if it takes extra time.\n- Personas: Cater to the needs of a range of personas such as security researchers, compliance auditors, developers, and SOC.\n- Lifecycle: Support BOM generation for various product lifecycles.\n\n## Documentation\n\nPlease visit our [documentation site][docs-homepage] for detailed usage, tutorials, and support documentation.\n\nSections include:\n\n- [Getting Started][docs-homepage]\n- [CLI Usage][docs-cli]\n- [Server Usage][docs-server]\n- [Supported Project Types][docs-project-types]\n- [Environment Variables][docs-env-vars]\n- [Advanced Usage][docs-advanced-usage]\n- [Permissions][docs-permissions]\n- [Support (Enterprise \u0026 Community)][docs-support]\n\n## Usage\n\n## Installing\n\n```shell\nnpm install -g @cyclonedx/cdxgen\n```\n\nIf you are a [Homebrew][homebrew-homepage] user, you can also install [cdxgen][homebrew-cdxgen] via:\n\n```shell\n$ brew install cdxgen\n```\n\nDeno and bun runtime can be used with limited support.\n\n```shell\ndeno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net -n cdxgen \"npm:@cyclonedx/cdxgen/cdxgen\"\n```\n\nYou can also use the cdxgen container image with node, deno, or bun runtime versions.\n\nThe default version uses Node.js 22\n\n```bash\ndocker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:master -r /app -o /app/bom.json\n```\n\nTo use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.\n\n```bash\ndocker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno:master -r /app -o /app/bom.json\n```\n\nFor the bun version, use `ghcr.io/cyclonedx/cdxgen-bun` as the image name.\n\n```bash\ndocker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun:master -r /app -o /app/bom.json\n```\n\nIn deno applications, cdxgen could be directly imported without any conversion. Please see the section on [integration as a library](#integration-as-library)\n\n```ts\nimport { createBom, submitBom } from \"npm:@cyclonedx/cdxgen@^10.9.6\";\n```\n\n## Getting Help\n\n```text\ncdxgen [command]\n\nCommands:\n cdxgen completion Generate bash/zsh completion\n\nOptions:\n -o, --output Output file. Default bom.json [default: \"bom.json\"]\n -t, --type Project type. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES for supp\n orted languages/platforms. [array]\n --exclude-type Project types to exclude. Please refer to https://cyclonedx.github.io/cdxgen/#/PROJECT_TY\n PES for supported languages/platforms.\n -r, --recurse Recurse mode suitable for mono-repos. Defaults to true. Pass --no-recurse to disable.\n [boolean] [default: true]\n -p, --print Print the SBOM as a table with tree. [boolean]\n -c, --resolve-class Resolve class names for packages. jars only for now. [boolean]\n --deep Perform deep searches for components. Useful while scanning C/C++ apps, live OS and oci i\n mages. [boolean]\n --server-url Dependency track url. Eg: https://deptrack.cyclonedx.io\n --api-key Dependency track api key\n --project-group Dependency track project group\n --project-name Dependency track project name. Default use the directory name\n --project-version Dependency track project version [string] [default: \"\"]\n --project-id Dependency track project id. Either provide the id or the project name and version togeth\n er [string]\n --parent-project-id Dependency track parent project id [string]\n --required-only Include only the packages with required scope on the SBOM. Would set compositions.aggrega\n te to incomplete unless --no-auto-compositions is passed. [boolean]\n --fail-on-error Fail if any dependency extractor fails. [boolean]\n --no-babel Do not use babel to perform usage analysis for JavaScript/TypeScript projects. [boolean]\n --generate-key-and-sign Generate an RSA public/private key pair and then sign the generated SBOM using JSON Web S\n ignatures. [boolean]\n --server Run cdxgen as a server [boolean]\n --server-host Listen address [default: \"127.0.0.1\"]\n --server-port Listen port [default: \"9090\"]\n --install-deps Install dependencies automatically for some projects. Defaults to true but disabled for c\n ontainers and oci scans. Use --no-install-deps to disable this feature. [boolean]\n --validate Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di\n sable. [boolean] [default: true]\n --evidence Generate SBOM with evidence for supported languages. [boolean] [default: false]\n --spec-version CycloneDX Specification version to use. Defaults to 1.5 [number] [default: 1.5]\n --filter Filter components containing this word in purl or component.properties.value. Multiple va\n lues allowed. [array]\n --only Include components only containing this word in purl. Useful to generate BOM with first p\n arty components alone. Multiple values allowed. [array]\n --author The person(s) who created the BOM. Set this value if you're intending the modify the BOM\n and claim authorship. [array] [default: \"OWASP Foundation\"]\n --profile BOM profile to use for generation. Default generic.\n [choices: \"appsec\", \"research\", \"operational\", \"threat-modeling\", \"license-compliance\", \"generic\"] [default: \"generic\"\n ]\n --exclude Additional glob pattern(s) to ignore [array]\n --include-formulation Generate formulation section with git metadata and build tools. Defaults to true. Invoke\n with --no-include-formulation to disable. [boolean] [default: true]\n --include-crypto Include crypto libraries as components. [boolean] [default: false]\n --standard The list of standards which may consist of regulations, industry or organizational-specif\n ic standards, maturity models, best practices, or any other requirements which can be eva\n luated against or attested to.\n [array] [choices: \"asvs-4.0.3\", \"bsimm-v13\", \"masvs-2.0.0\", \"nist_ssdf-1.1\", \"pcissc-secure-slc-1.1\", \"scvs-1.0.0\", \"s\n saf-DRAFT-2023-11\"]\n --auto-compositions Automatically set compositions when the BOM was filtered. Defaults to true\n [boolean] [default: true]\n -h, --help Show help [boolean]\n -v, --version Show version number [boolean]\n```\n\nAll boolean arguments accept `--no` prefix to toggle the behavior.\n\n## Example\n\nMinimal example.\n\n```shell\ncdxgen -o bom.json\n```\n\nFor a java project. cdxgen would automatically detect maven, gradle, or sbt and build bom accordingly\n\n```shell\ncdxgen -t java -o bom.json\n```\n\nTo print the SBOM as a table pass `-p` argument.\n\n```shell\ncdxgen -t java -o bom.json -p\n```\n\nTo recursively generate a single BOM for all languages pass `-r` argument.\n\n```shell\ncdxgen -r -o bom.json\n```\n\nThe default specification used by cdxgen is 1.5. To generate BOM for a different specification version, such as 1.6 or 1.4, pass the version number using the `--spec-version` argument.\n\n```shell\n# 1.6 is unsupported by most tools\ncdxgen -r -o bom.json --spec-version 1.6\n\n# 1.4 is supported by most tools\ncdxgen -r -o bom.json --spec-version 1.4\n```\n\nTo generate SBOM for C or Python, ensure Java \u003e= 21 is installed.\n\n```shell\n# Install java \u003e= 21\ncdxgen -t c -o bom.json\n```\n\nNOTE: cdxgen is known to freeze with Java 8 or 11, so ensure \u003e= 21 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.\n\n## Universal SBOM\n\nBy passing the type argument `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBOM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools.\n\n## SBOM server\n\nInvoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`.\n\n```shell\ncdxgen --server\n```\n\nOr use the container image.\n\n```bash\ndocker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server --server-host 0.0.0.0\n```\n\nUse curl or your favorite tool to pass arguments to the `/sbom` route.\n\n### Server arguments\n\nArguments can be passed either via the query string or as a JSON body. Please refer to [Server Usage][docs-server]\n\n### Health endpoint\n\nUse the /health endpoint to check if the SBOM server is up and running.\n\n```shell\ncurl \"http://127.0.0.1:9090/health\"\n```\n\n### Scanning a local path\n\n```shell\ncurl \"http://127.0.0.1:9090/sbom?path=/Volumes/Work/sandbox/vulnerable-aws-koa-app\u0026multiProject=true\u0026type=js\"\n```\n\n### Scanning a git repo\n\n```shell\ncurl \"http://127.0.0.1:9090/sbom?url=https://github.com/HooliCorp/vulnerable-aws-koa-app.git\u0026multiProject=true\u0026type=js\"\n```\n\nIf you need to pass credentials to authenticate.\n\n```shell\ncurl \"http://127.0.0.1:9090/sbom?url=https://\u003caccess_token\u003e@github.com/some/repo.git\u0026multiProject=true\u0026type=js\"\ncurl \"http://127.0.0.1:9090/sbom?url=https://\u003cusername\u003e:\u003cpassword\u003e@bitbucket.org/some/repo.git\u0026multiProject=true\u0026type=js\"\n```\n\nYou can POST the arguments.\n\n```bash\ncurl -H \"Content-Type: application/json\" http://localhost:9090/sbom -XPOST -d $'{\"url\": \"https://github.com/HooliCorp/vulnerable-aws-koa-app.git\", \"type\": \"nodejs\", \"multiProject\": \"true\"}'\n```\n\n### Docker compose\n\n```shell\ngit clone https://github.com/cyclonedx/cdxgen.git\ndocker compose up\n```\n\n## War file support\n\ncdxgen can generate a BOM file from a given war file.\n\n```shell\n# cdxgen -t java app.war\ncdxgen app.war\n```\n\n## Resolving class names\n\nSometimes, it is necessary to resolve class names contained in jar files. By passing an optional argument `--resolve-class`, it is possible to get cdxgen to create a separate mapping file with the jar name (including the version) as the key and class names list as a value.\n\n```shell\ncdxgen -t java --resolve-class -o bom.json\n```\n\nThis would create a bom.json.map file with the jar - class name mapping. Refer to [these](test/data/bom-maven.json.map) [examples](test/data/bom-gradle.json.map) to learn about the structure.\n\n## Resolving licenses\n\ncdxgen can automatically query public registries such as maven, npm, or nuget to resolve the package licenses. This is a time-consuming operation and is disabled by default. To enable, set the environment variable `FETCH_LICENSE` to `true`, as shown. Ensure that `GITHUB_TOKEN` is set or provided by [built-in GITHUB_TOKEN in GitHub Actions][github-rate-limit], otherwise rate limiting might prevent license resolving.\n\n```bash\nexport FETCH_LICENSE=true\n```\n\n## Dependency Tree\n\ncdxgen can retain the dependency tree under the `dependencies` attribute for a small number of supported package manifests. These are currently limited to:\n\n- package-lock.json\n- yarn.lock\n- pnpm-lock.yaml\n- Maven (pom.xml)\n- Gradle\n- Scala SBT\n- Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)\n- .NET (packages.lock.json, project.assets.json, paket.lock, .nuspec/.nupkg)\n- Go (go.mod)\n- PHP (composer.lock)\n- Ruby (Gemfile.lock)\n- Rust (Cargo.lock)\n\n## Plugins\n\ncdxgen could be extended with external binary plugins to support more SBOM use cases. These are now installed as an optional dependency.\n\n```shell\nsudo npm install -g @cyclonedx/cdxgen-plugins-bin\n```\n\n## Docker / OCI container support\n\n`docker` type is automatically detected based on the presence of values such as `sha256` or `docker.io` prefix etc in the path.\n\n```shell\ncdxgen odoo@sha256:4e1e147f0e6714e8f8c5806d2b484075b4076ca50490577cdf9162566086d15e -o /tmp/bom.json\n```\n\nYou can also pass `-t docker` with repository names. Only the `latest` tag would be pulled if none was specified.\n\n```shell\ncdxgen shiftleft/scan-slim -o /tmp/bom.json -t docker\n```\n\nYou can also pass the .tar file of a container image.\n\n```shell\ndocker pull shiftleft/scan-slim\ndocker save -o /tmp/slim.tar shiftleft/scan-slim\npodman save -q --format oci-archive -o /tmp/slim.tar shiftleft/scan-slim\ncdxgen /tmp/slim.tar -o /tmp/bom.json -t docker\n```\n\n### Podman in rootless mode\n\nSetup podman in either [rootless][podman-github-rootless] or [remote][podman-github-remote] mode\n\nDo not forget to start the podman socket required for API access on Linux.\n\n```shell\nsystemctl --user enable --now podman.socket\nsystemctl --user start podman.socket\npodman system service -t 0 \u0026\n```\n\n## Generate OBOM for a live system\n\nYou can use the `obom` command to generate an OBOM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.\n\n```shell\n# obom is an alias for cdxgen -t os\nobom\n# cdxgen -t os\n```\n\nThis feature is powered by osquery, which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](data/queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.\n\n## Generate Cryptography Bill of Materials (CBOM)\n\nUse the `cbom` alias to generate a CBOM. This is currently supported only for Java projects.\n\n```shell\ncbom -t java\n# cdxgen -t java --include-crypto -o bom.json .\n```\n\n## Generating SaaSBOM and component evidences\n\nSee [evinse mode](./ADVANCED.md) in the advanced documentation.\n\n## BOM signing\n\ncdxgen can sign the generated BOM json file to increase authenticity and non-repudiation capabilities. To enable this, set the following environment variables.\n\n- SBOM_SIGN_ALGORITHM: Algorithm. Example: RS512\n- SBOM_SIGN_PRIVATE_KEY: Location to the RSA private key\n- SBOM_SIGN_PUBLIC_KEY: Optional. Location to the RSA public key\n\nTo generate test public/private key pairs, you can run cdxgen by passing the argument `--generate-key-and-sign`. The generated json file would have an attribute called `signature`, which could be used for validation. [jwt.io][jwt-homepage] is a known site that could be used for such signature validation.\n\n![SBOM signing](./docs/_media/sbom-sign.jpg)\n\n### Verifying the signature\n\nUse the bundled `cdx-verify` command, which supports verifying a single signature added at the bom level.\n\n```shell\nnpm install -g @cyclonedx/cdxgen\ncdx-verify -i bom.json --public-key public.key\n```\n\n### Custom verification tool (Node.js example)\n\nThere are many [libraries][jwt-libraries] available to validate JSON Web Tokens. Below is a javascript example.\n\n```js\n# npm install jws\nconst jws = require(\"jws\");\nconst fs = require(\"fs\");\n// Location of the SBOM json file\nconst bomJsonFile = \"bom.json\";\n// Location of the public key\nconst publicKeyFile = \"public.key\";\nconst bomJson = JSON.parse(fs.readFileSync(bomJsonFile, \"utf8\"));\n// Retrieve the signature\nconst bomSignature = bomJson.signature.value;\nconst validationResult = jws.verify(bomSignature, bomJson.signature.algorithm, fs.readFileSync(publicKeyFile, \"utf8\"));\nif (validationResult) {\n console.log(\"Signature is valid!\");\n} else {\n console.log(\"SBOM signature is invalid :(\");\n}\n```\n\n## Automatic usage detection\n\nFor node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.\n\nThis attribute can be later used for various purposes. For example, [dep-scan][depscan-github] uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.\n\nWith the argument `--required-only`, you can limit the SBOM only to include packages with the scope \"required\", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.\n\nFor go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).\n\n## Automatic services detection\n\ncdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBOM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.\n\n## Conversion to SPDX format\n\nUse the [CycloneDX CLI][cyclonedx-cli-github] tool for advanced use cases such as conversion, diff and merging.\n\n## Including .NET Global Assembly Cache dependencies in the results\n\nGlobal Assembly Cache (GAC) dependencies must be made available in the build output of the project for cdxgen in order for it to inspect and include in the results. A cdxgen scan with the `--deep` flag will look for additional dependencies in the form of dll files. A simple way to have the dotnet build copy the GAC dependencies into the build directory is to place the file `Directory.Build.props` into the root of the project and ensure the contents include the following:\n\n```\n\u003cProject xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\"\u003e\n\u003cItemDefinitionGroup\u003e\n \u003cReference\u003e\n \u003cPrivate\u003eTrue\u003c/Private\u003e\n \u003c/Reference\u003e\n\u003c/ItemDefinitionGroup\u003e\n\u003c/Project\u003e\n```\n\n## License\n\nPermission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE][github-license] file for the full license.\n\n## Integration as library\n\ncdxgen is [ESM only](https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c) and could be imported and used with both deno and Node.js \u003e= 20\n\nMinimal example:\n\n```ts\nimport { createBom, submitBom } from \"npm:@cyclonedx/cdxgen@^9.0.1\";\n```\n\nSee the [Deno Readme](./contrib/deno/README.md) for detailed instructions.\n\n```javascript\nimport { createBom, submitBom } from \"@cyclonedx/cdxgen\";\n// bomNSData would contain bomJson\nconst bomNSData = await createBom(filePath, options);\n// Submission to dependency track server\nconst dbody = await submitBom(args, bomNSData.bomJson);\n```\n\n## Contributing\n\nPlease check out our [contribute to CycloneDX/cdxgen documentation][github-contribute] if you are interested in helping.\n\nBefore raising a PR, please run the following commands.\n\n```bash\ncorepack enable pnpm\npnpm install\n# Generate types using jsdoc syntax\npnpm run gen-types\n# Run biomejs formatter and linter with auto fix\npnpm run lint\n# Run jest tests\npnpm test\n```\n\n\u003c!-- LINK LABELS --\u003e\n\u003c!-- Badges --\u003e\n\n[badge-github-contributors]: https://img.shields.io/github/contributors/cyclonedx/cdxgen\n[badge-github-license]: https://img.shields.io/github/license/cyclonedx/cdxgen\n[badge-github-releases]: https://img.shields.io/github/v/release/cyclonedx/cdxgen\n[badge-jsr]: https://img.shields.io/jsr/v/%40cyclonedx/cdxgen\n[badge-npm]: https://img.shields.io/npm/v/%40cyclonedx%2Fcdxgen\n[badge-npm-downloads]: https://img.shields.io/npm/dy/%40cyclonedx%2Fcdxgen\n[badge-swh]: https://archive.softwareheritage.org/badge/origin/https://github.com/CycloneDX/cdxgen/\n\n\u003c!-- cdxgen github project --\u003e\n\n[github-contribute]: https://github.com/CycloneDX/cdxgen/contribute\n[github-contributors]: https://github.com/CycloneDX/cdxgen/graphs/contributors\n[github-issues]: https://github.com/CycloneDX/cdxgen/issues\n[github-license]: https://github.com/cyclonedx/cdxgen/blob/master/LICENSE\n[github-releases]: https://github.com/CycloneDX/cdxgen/releases\n\n\u003c!-- cdxgen documentation site --\u003e\n\n[docs-homepage]: https://cyclonedx.github.io/cdxgen\n[docs-advanced-usage]: https://cyclonedx.github.io/cdxgen/#/ADVANCED\n[docs-cli]: https://cyclonedx.github.io/cdxgen/#/CLI\n[docs-env-vars]: https://cyclonedx.github.io/cdxgen/#/ENV\n[docs-permissions]: https://cyclonedx.github.io/cdxgen/#/PERMISSIONS\n[docs-project-types]: https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES\n[docs-server]: https://cyclonedx.github.io/cdxgen/#/SERVER\n[docs-support]: https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES\n\n\u003c!-- web links--\u003e\n\n[appthreat-homepage]: https://www.appthreat.com\n[cyclonedx-homepage]: https://cyclonedx.org\n[cyclonedx-cli-github]: https://github.com/CycloneDX/cyclonedx-cli\n[depscan-github]: https://github.com/cyclonedx/dep-scan\n[github-rate-limit]: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api#primary-rate-limit-for-github_token-in-github-actions\n[homebrew-homepage]: https://brew.sh\n[homebrew-cdxgen]: https://formulae.brew.sh/formula/cdxgen\n[jsr-cdxgen]: https://jsr.io/@cyclonedx/cdxgen\n[jwt-homepage]: https://jwt.io\n[jwt-libraries]: https://jwt.io/libraries\n[librariesio]: https://libraries.io/npm/@cyclonedx%2Fcdxgen\n[npmjs-cdxgen]: https://www.npmjs.com/package/@cyclonedx/cdxgen\n[podman-github-rootless]: https://github.com/containers/podman/blob/master/docs/tutorials/rootless_tutorial.md\n[podman-github-remote]: https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md\n[swh-cdxgen]: https://archive.softwareheritage.org/browse/origin/?origin_url=https://github.com/CycloneDX/cdxgen\n","funding_links":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"],"categories":["OSS and Dependency management","JavaScript","Official projects","docker","SBOM Generation"],"sub_categories":["Tools (and [classification](https://ntia.gov/sites/default/files/publications/ntia_sbom_tooling_taxonomy-2021mar30_0.pdf))"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fcdxgen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCycloneDX%2Fcdxgen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fcdxgen/lists"}