{"id":13619526,"url":"https://github.com/CycloneDX/cyclonedx-cli","last_synced_at":"2025-04-14T16:31:41.779Z","repository":{"id":38642242,"uuid":"306314377","full_name":"CycloneDX/cyclonedx-cli","owner":"CycloneDX","description":"CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.","archived":false,"fork":false,"pushed_at":"2024-11-24T00:14:57.000Z","size":652,"stargazers_count":347,"open_issues_count":120,"forks_count":63,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-04-08T11:09:54.623Z","etag":null,"topics":["bill-of-materials","bom","cyclonedx","hacktoberfest","mbom","obom","owasp","package-url","purl","saasbom","sbom","sbom-generator","software-bill-of-materials","spdx","vex"],"latest_commit_sha":null,"homepage":"https://cyclonedx.org/","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CycloneDX.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"]}},"created_at":"2020-10-22T11:25:26.000Z","updated_at":"2025-04-03T06:29:30.000Z","dependencies_parsed_at":"2024-05-11T21:31:58.341Z","dependency_job_id":"58f81af1-f7aa-4241-997d-b93e1f32be20","html_url":"https://github.com/CycloneDX/cyclonedx-cli","commit_stats":{"total_commits":283,"total_committers":21,"mean_commits":"13.476190476190476","dds":0.607773851590106,"last_synced_commit":"f934c99826339cb8dbb83b439eb2c465fb253fb3"},"previous_names":[],"tags_count":49,"template":false,"template_full_name":null,"repository_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CycloneDX","download_url":"https://codeload.github.com/CycloneDX/cyclonedx-cli/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248916669,"owners_count":21182847,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","bom","cyclonedx","hacktoberfest","mbom","obom","owasp","package-url","purl","saasbom","sbom","sbom-generator","software-bill-of-materials","spdx","vex"],"created_at":"2024-08-01T21:00:43.813Z","updated_at":"2025-04-14T16:31:41.770Z","avatar_url":"https://github.com/CycloneDX.png","language":"C#","readme":"[![Docker Image](https://img.shields.io/badge/docker-image-brightgreen?style=flat\u0026logo=docker)](https://hub.docker.com/r/cyclonedx/cyclonedx-cli)\n[![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)](LICENSE)\n[![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)\n[![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack\u0026labelColor=393939)](https://cyclonedx.org/slack/invite)\n[![Group 
Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://groups.io/g/CycloneDX)\n[![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social\u0026label=Follow)](https://twitter.com/CycloneDX_Spec)\n\n```\n   ______           __                 ____ _  __    ________    ____\n  / ____/_  _______/ /___  ____  ___  / __ \\ |/ /   / ____/ /   /  _/\n / /   / / / / ___/ / __ \\/ __ \\/ _ \\/ / / /   /   / /   / /    / /\n/ /___/ /_/ / /__/ / /_/ / / / /  __/ /_/ /   |   / /___/ /____/ /\n\\____/\\__, /\\___/_/\\____/_/ /_/\\___/_____/_/|_|   \\____/_____/___/\n     /____/\n\nUsage:\n  cyclonedx [command] [options]\n\nOptions:\n  --version         Show version information\n  -?, -h, --help    Show help and usage information\n\nCommands:\n  add                         Add information to a BOM (currently supports files)\n  analyze                     Analyze a BOM file\n  convert                     Convert between different BOM formats\n  diff \u003cfrom-file\u003e \u003cto-file\u003e  Generate a BOM diff\n  keygen                      Generates an RSA public/private key pair for BOM signing\n  merge                       Merge two or more BOMs\n  sign                        Sign a BOM or file\n  validate                    Validate a BOM\n  verify                      Verify signatures in a BOM\n```\n\nThe CycloneDX CLI tool currently supports BOM analysis, modification, diffing, merging, format conversion, signing and verification.\n\nConversion is supported between CycloneDX XML, JSON, Protobuf, CSV, and SPDX JSON v2.2.\n\nBinaries can be downloaded from the [releases page](https://github.com/CycloneDX/cyclonedx-cli/releases).\n\nNote: The CycloneDX CLI tool is built for automation use cases. Any commands that have the `--input-file` option also support feeding input from stdin. Likewise, any commands that have the `--output-file` option support output to stdout. 
However, you will need to supply the input/output formats.\n\nFor example:  \n`cat bom.json | cyclonedx-cli convert --input-format json --output-format xml \u003e bom.xml`\n\n# Commands\n\n## Add Command\n\n### Add File Subcommand\n\n```\nfiles\n  Add files to a BOM\n\nUsage:\n  cyclonedx add files [options]\n\nOptions:\n  --input-file \u003cinput-file\u003e                       Input BOM filename.\n  --no-input                                      Use this option to indicate that there is no input BOM.\n  --output-file \u003coutput-file\u003e                     Output BOM filename, will write to stdout if no value provided.\n  --input-format \u003cautodetect|json|protobuf|xml\u003e   Specify input file format.\n  --output-format \u003cautodetect|json|protobuf|xml\u003e  Specify output file format.\n  --base-path \u003cbase-path\u003e                         Base path for directory to process (defaults to current working directory if omitted).\n  --include \u003cinclude\u003e                             Apache Ant style path and file patterns to specify what to include (defaults to all files, separate patterns with a space).\n  --exclude \u003cexclude\u003e                             Apache Ant style path and file patterns to specify what to exclude (defaults to none, separate patterns with a space).\n```\n\n#### Examples\n\nGenerating a source code BOM, excluding Git repository directory:  \n`cyclonedx-cli add files --no-input --output-format json --exclude /.git/**`\n\nAdding build output files, from `bin` directory, to existing BOM:  \n`cyclonedx-cli add files --input-file bom.json --output-format json --base-path bin`\n\n## Analyze Command\n\n```\nanalyze\n  Analyze a BOM file\n\nUsage:\n  cyclonedx analyze [options]\n\nOptions:\n  --input-file \u003cinput-file\u003e                      Input BOM filename, will read from stdin if no value provided.\n  --input-format \u003cautodetect|json|protobuf|xml\u003e  Specify input file format.\n  --output-format 
\u003cjson|text\u003e                    Specify output format (defaults to text).\n  --multiple-component-versions                  Report components that have multiple versions in use.\n```\n\n### Examples\n\nReporting on components that are included multiple times with different versions:  \n`cyclonedx-cli analyze --input-file sbom.xml --multiple-component-versions`\n\n## Convert Command\n\n```\nconvert\n  Convert between different BOM formats\n\nUsage:\n  cyclonedx convert [options]\n\nOptions:\n  --input-file \u003cinput-file\u003e                                     Input BOM filename, will read from stdin if no value provided.\n  --output-file \u003coutput-file\u003e                                   Output BOM filename, will write to stdout if no value provided.\n  --input-format \u003cautodetect|csv|json|protobuf|spdxjson|xml\u003e   Specify input file format.\n  --output-format \u003cautodetect|csv|json|protobuf|spdxjson|xml\u003e  Specify output file format.\n  --output-version \u003cv1_0|v1_1|v1_2|v1_3|v1_4|v1_5|v1_6\u003e         Specify output BOM specification version. (ignored for CSV and SPDX formats)  \n```\n\n### Examples\n\nConverting from XML to JSON format:  \n`cyclonedx-cli convert --input-file sbom.xml --output-file sbom.json`\n\nConverting from XML to JSON format and piping output to additional tools:  \n`cyclonedx-cli convert --input-file sbom.xml --output-format json | grep \"something\"`\n\n### CSV Format\n\nThe CSV format is a limited representation of the list of components in a BOM.\n\nThe intention is to provide a simple way for users to produce and consume BOMs\nfor simple use cases, including simple data migration use cases.\n\nThe only required fields are the component `name` and `version` fields. Others\ncan be left blank or the columns omitted.\n\n[example.csv](example.csv)\n\n### SPDX Format\n\nConverting between SPDX and CycloneDX formats can result in the loss of some\ninformation. 
The conversion functionality is provided by the\n`CycloneDX.Spdx.Interop` library, which is part of the CycloneDX .NET library\nproject.\n\nFor more details on what information is lost refer to the\n[CycloneDX .NET Library project page](https://github.com/CycloneDX/cyclonedx-dotnet-library).\n\n## Diff Command\n\n```\ndiff\n  Generate a BOM diff\n\nUsage:\n  cyclonedx diff \u003cfrom-file\u003e \u003cto-file\u003e [options]\n\nArguments:\n  \u003cfrom-file\u003e  From BOM filename.\n  \u003cto-file\u003e    To BOM filename.\n\nOptions:\n  --from-format \u003cautodetect|json|protobuf|xml\u003e  Specify from file format.\n  --to-format \u003cautodetect|json|protobuf|xml\u003e    Specify to file format.\n  --output-format \u003cjson|text\u003e                   Specify output format (defaults to text).\n  --component-versions                          Report component versions that have been added, removed or modified.\n```\n\n### Examples\n\nReporting on components with version changes:  \n`cyclonedx-cli diff sbom-from.xml sbom-to.xml --component-versions`\n\n## Keygen Command\n\n```\nkeygen\n  Generates an RSA public/private key pair for BOM signing\n\nUsage:\n  cyclonedx keygen [options]\n\nOptions:\n  --private-key-file \u003cprivate-key-file\u003e  Filename for generated private key file (defaults to \"private.key\")\n  --public-key-file \u003cpublic-key-file\u003e    Filename for generated public key file (defaults to \"public.key\")\n```\n\n## Merge Command\n\n```\nmerge\n  Merge two or more BOMs\n\nUsage:\n  cyclonedx merge [options]\n\nOptions:\n  --input-files \u003cinput-files\u003e                           Input BOM filenames (separate filenames with a space).\n  --output-file \u003coutput-file\u003e                           Output BOM filename, will write to stdout if no value provided.\n  --input-format \u003cautodetect|json|protobuf|xml\u003e         Specify input file format.\n  --output-format \u003cautodetect|json|protobuf|xml\u003e        Specify 
output file format.\n  --output-version \u003cv1_0|v1_1|v1_2|v1_3|v1_4|v1_5|v1_6\u003e Specify output BOM specification version.\n  --hierarchical                                        Perform a hierarchical merge.\n  --group \u003cgroup\u003e                                       Provide the group of software the merged BOM describes.\n  --name \u003cname\u003e                                         Provide the name of software the merged BOM describes (required for hierarchical merging).\n  --version \u003cversion\u003e                                   Provide the version of software the merged BOM describes (required for hierarchical merging).\n```\n\nNote: To perform a hierarchical merge all BOMs need the subject of the BOM\ndescribed in the metadata component element.\n\n### Examples\n\nMerge two XML formatted BOMs:  \n`cyclonedx-cli merge --input-files sbom1.xml sbom2.xml --output-file sbom_all.xml`\n\nMerging two BOMs and piping output to additional tools:  \n`cyclonedx-cli merge --input-files sbom1.xml sbom2.xml --output-format json | grep \"something\"`\n\n## Sign Command\n\nSign a BOM or file\n\n### Sign Bom Subcommand\n\n```\nbom\n  Sign the entire BOM document\n\nUsage:\n  cyclonedx sign bom \u003cbom-file\u003e [options]\n\nArguments:\n  \u003cbom-file\u003e  BOM filename\n\nOptions:\n  --key-file \u003ckey-file\u003e  Signing key filename (RSA private key in PEM format, defaults to \"private.key\")\n```\n\n### Sign File Subcommand\n\n```\nfile\n  Sign arbitrary files and generate a PKCS1 RSA SHA256 signature file\n\nUsage:\n  cyclonedx sign file \u003cfile\u003e [options]\n\nArguments:\n  \u003cfile\u003e  Filename of the file the signature will be created for\n\nOptions:\n  --key-file \u003ckey-file\u003e              Signing key filename (RSA private key in PEM format, defaults to \"private.key\")\n  --signature-file \u003csignature-file\u003e  Filename of the generated signature file (defaults to the filename with \".sig\" appended)\n```\n\n## 
Validate Command\n\n```\nvalidate\n  Validate a BOM\n\nUsage:\n  cyclonedx validate [options]\n\nOptions:\n  --input-file \u003cinput-file\u003e                             Input BOM filename, will read from stdin if no value provided.\n  --input-format \u003cautodetect|json|xml\u003e                  Specify input file format.\n  --input-version \u003cv1_0|v1_1|v1_2|v1_3|v1_4|v1_5|v1_6\u003e  Specify input file specification version (defaults to v1.6)\n  --fail-on-errors                                      Fail on validation errors (return a non-zero exit code)\n```\n\n### Examples\n\nValidate BOM and return non-zero exit code (handy for automatically \"breaking\" a build, etc)  \n`cyclonedx-cli validate --input-file sbom.xml --fail-on-errors`\n\n## Verify Command\n\nVerify signatures for BOMs and files\n\n### Verify All Subcommand\n\n```\nall\n  Verify all signatures in a BOM\n\nUsage:\n  cyclonedx verify all \u003cbom-file\u003e [options]\n\nArguments:\n  \u003cbom-file\u003e  BOM filename\n\nOptions:\n  --key-file \u003ckey-file\u003e  Public key filename (RSA public key in PEM format, defaults to \"public.key\")\n```\n\n### Verify File Subcommand\n\n```\nfile\n  Verifies a PKCS1 RSA SHA256 signature file for an arbitrary file\n\nUsage:\n  cyclonedx verify file \u003cfile\u003e [options]\n\nArguments:\n  \u003cfile\u003e  File the signature file is for\n\nOptions:\n  --key-file \u003ckey-file\u003e              Public key filename (RSA public key in PEM format, defaults to \"public.key\")\n  --signature-file \u003csignature-file\u003e  Signature file to be verified (defaults to the filename with \".sig\" appended)\n```\n\n# Docker Image\n\nThe CycloneDX CLI tool can also be run using docker `docker run cyclonedx/cyclonedx-cli`.\n\n# Homebrew\n\nFor Linux and MacOS, the CLI can be installed via the [CycloneDX Homebrew tap](https://github.com/CycloneDX/homebrew-cyclonedx):\n\n```shell\nbrew install cyclonedx/cyclonedx/cyclonedx-cli\n```\n\n# Supported 
Platforms\n\nOfficially supported builds are available for these platforms:\n\n- Windows x64 (win-x64)\n- Linux x64 (linux-x64)\n- Linux musl x64 (linux-musl-x64, includes Alpine Linux)\n- MacOS x64 (osx-x64)\n\nCommunity supported builds are available for these platforms:\n\n- Windows x86 (win-x86)\n- Windows ARM (win-arm)\n- Windows ARM x64 (win-arm64)\n- Linux ARM (linux-arm)\n- Linux ARM x64 (linux-arm64)\n- MacOS ARM x64 (osx-arm64)\n\n.NET Core runtime dependencies are required.\n\nFor Windows these should be preinstalled.\n\nFor Ubuntu these are libc6 libgcc1 libgssapi-krb5-2 libicu66 libssl1.1 libstdc++6 zlib1g.\n\n# Using gron for adhoc searching and analysis\n\n_gron transforms JSON into discrete assignments to make it easier to grep for what you want and see the absolute 'path' to it._\n\nFor convenience, gron is included in the CycloneDX CLI Docker image.\n\nExample usage that lists all component names and versions\n\n```\n$ gron bom-1.2.json | grep -E \"(components\\[[[:digit:]]*\\].name)|(components\\[[[:digit:]]*\\].version)\"\n\njson.components[0].name = \"tomcat-catalina\";\njson.components[0].version = \"9.0.14\";\njson.components[1].name = \"mylibrary\";\njson.components[1].version = \"1.0.0\";\n```\n\nOr the same using an XML format BOM\n\n```\n$ cyclonedx convert --input-file bom.xml --output-format json | gron | grep -E \"(components\\[[[:digit:]]*\\].name)|(components\\[[[:digit:]]*\\].version)\"\n\njson.components[0].name = \"tomcat-catalina\";\njson.components[0].version = \"9.0.14\";\njson.components[1].name = \"mylibrary\";\njson.components[1].version = \"1.0.0\";\n```\n\nFor more details on gron usage refer to the [gron project page](https://github.com/TomNomNom/gron).\n\nFor more details on grep usage refer to the [grep man page](https://www.man7.org/linux/man-pages/man1/grep.1.html).\n\n## License\n\nPermission to modify and redistribute is granted under the terms of the Apache 2.0 license. 
See the [LICENSE] file for the full license.\n\n[License]: https://github.com/CycloneDX/cyclonedx-cli/blob/main/LICENSE\n\n## Contributing\n\nPull requests are welcome. But please read the\n[CycloneDX contributing guidelines](https://github.com/CycloneDX/.github/blob/master/CONTRIBUTING.md) first.\n\nTo build and test the solution locally you should have .NET 6\ninstalled. Standard commands like `dotnet build` and `dotnet test` work.\n\nIt is generally expected that pull requests will include relevant tests.\nTests are automatically run on Windows, MacOS and Linux for every pull request.\nBuild warnings will break the build.\n\nPlease let us know if you are having trouble debugging a test that is failing\nfor a platform that you don't have access to.\n","funding_links":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"],"categories":["C# #","Official projects","SBOM Generation"],"sub_categories":["Tools (and [classification](https://ntia.gov/sites/default/files/publications/ntia_sbom_tooling_taxonomy-2021mar30_0.pdf))"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fcyclonedx-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCycloneDX%2Fcyclonedx-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fcyclonedx-cli/lists"}