{"id":33964366,"url":"https://github.com/cdxgen/cdxgen","last_synced_at":"2026-05-23T00:13:43.258Z","repository":{"id":37451009,"uuid":"230924711","full_name":"cdxgen/cdxgen","owner":"cdxgen","description":"Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server","archived":false,"fork":false,"pushed_at":"2026-04-22T08:02:48.000Z","size":42807,"stargazers_count":951,"open_issues_count":433,"forks_count":241,"subscribers_count":11,"default_branch":"master","last_synced_at":"2026-04-22T08:36:34.402Z","etag":null,"topics":["bom","cbom","containers","cyclonedx","docker","oci","owasp","package-url","purl","saasbom","sbom","sca","software-bill-of-materials","supply-chain"],"latest_commit_sha":null,"homepage":"https://cdxgen.github.io/cdxgen/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"CycloneDX/cyclonedx-node-module","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cdxgen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":"docs/SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"custom":"https://owasp.org/donate/?reponame=www-project-cdxgen\u0026title=OWASP+cdxgen"}},"created_at":"2019-12-30T13:55:18.000Z","updated_at":"2026-04-22T08:02:53.000Z","dependencies_parsed_at":"2023-10-22T20:20:50.007Z","dependency_job_id":"346597df-d41e-4cd3-b3ea-6ea9a662957a","html_url":"https://github.com/cdxgen/cdxgen","commit_stats":{"total_commits":1382,"total_committers":99,"mean_commits":13.95959595959596,"dds":0.5412445730824891,"last_synced_commit":"50a2d4f4c2ee2abfac91330b1884538e186b84b5"},"previous_names":["appthreat/cdxgen","cdxgen/cdxgen","cyclonedx/cdxgen"],"tags_count":482,"template":false,"template_full_name":null,"purl":"pkg:github/cdxgen/cdxgen","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdxgen%2Fcdxgen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdxgen%2Fcdxgen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdxgen%2Fcdxgen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdxgen%2Fcdxgen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cdxgen","download_url":"https://codeload.github.com/cdxgen/cdxgen/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cdxgen%2Fcdxgen/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32169657,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-23T02:19:40.750Z","status":"ssl_error","status_checked_at":"2026-04-23T02:17:55.737Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bom","cbom","containers","cyclonedx","docker","oci","owasp","package-url","purl","saasbom","sbom","sca","software-bill-of-materials","supply-chain"],"created_at":"2025-12-12T23:00:20.807Z","updated_at":"2026-04-29T04:08:40.910Z","avatar_url":"https://github.com/cdxgen.png","language":"JavaScript","funding_links":["https://owasp.org/donate/?reponame=www-project-cdxgen\u0026title=OWASP+cdxgen"],"categories":["OSS and Dependency management"],"sub_categories":[],"readme":"[![SBOM](https://img.shields.io/badge/SBOM-with_%E2%9D%A4%EF%B8%8F_by_cdxgen-FF753D)](https://github.com/cdxgen/cdxgen)\n[![AI-DECLARATION: pair](https://img.shields.io/badge/䷼%20AI--DECLARATION-pair-ffedd5?labelColor=ffedd5)](./AI-DECLARATION.md)\n[![JSR][badge-jsr]][jsr-cdxgen]\n[![NPM][badge-npm]][npmjs-cdxgen]\n[![GitHub Releases][badge-github-releases]][github-releases]\n[![NPM Downloads][badge-npm-downloads]][npmjs-cdxgen]\n[![GitHub License][badge-github-license]][github-license]\n[![GitHub Contributors][badge-github-contributors]][github-contributors]\n[![SWH][badge-swh]][swh-cdxgen]\n\n# CycloneDX Generator (cdxgen)\n\n\u003cimg src=\"./docs/_media/cdxgen.png\" width=\"200\" height=\"auto\" /\u003e\n\ncdxgen is a CLI tool, library, [REPL](./ADVANCED.md), and server to create, validate, sign, and verify software BOMs. It generates CycloneDX JSON BOMs and supports SPDX 3.0.1 JSON-LD export. CycloneDX is a full-stack BOM specification that is easily created, human and machine-readable, and simple to parse. The tool supports CycloneDX specification versions from 1.5 - 1.7.\n\nSupported BOM formats:\n\n- Software (SBOM) - For many languages and container images.\n- Cryptography (CBOM) - For Java and Python projects.\n- Operations (OBOM) - For Linux container images and VMs running Linux or Windows operating systems.\n- Software-as-a-Service (SaaSBOM) - For Java, Python, JavaScript, TypeScript, and PHP projects.\n- Attestations (CDXA) - Generate SBOM with templates for multiple standards. Sign the BOM document at a granular level to improve authenticity.\n- Vulnerability Disclosure Report (VDR) - Use cdxgen with [OWASP depscan](https://github.com/owasp-dep-scan/dep-scan) to automate the generation of VDR at scale.\n\nSupported output document formats:\n\n- CycloneDX JSON (primary native format)\n- SPDX 3.0.1 JSON-LD (`cdxgen --format spdx` or `cdx-convert`)\n\n## Choose your path\n\n| Persona | What cdxgen helps you do | First command | Read next |\n| -------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |\n| **Developers** | Generate a CycloneDX BOM from a local repo, git URL, purl, or container image | `cdxgen -o bom.json .` | [CLI Usage][docs-cli], [Supported Project Types][docs-project-types] |\n| **AppSec** | Enrich BOMs with evidence, run BOM audit rules, and feed downstream security workflows | `cdxgen -o bom.json --profile appsec --evidence --bom-audit .` | [BOM Audit](docs/BOM_AUDIT.md), [Threat Model](docs/THREAT_MODEL.md) |\n| **SOC analysts** | Build OBOM inventories for live hosts and triage runtime posture issues | `obom -o obom.json --deep --bom-audit --bom-audit-categories obom-runtime` | [OBOM lessons](docs/OBOM_LESSONS.md), [Server Usage][docs-server] |\n| **Compliance teams** | Validate BOM quality, check SCVS/CRA posture, and export SPDX deliverables | `cdx-validate -i bom.json --benchmark scvs-l2,cra` | [cdx-validate](docs/CDX_VALIDATE.md), [cdx-convert](docs/CDX_CONVERT.md), [Permissions][docs-permissions] |\n\n### Role-based quick starts\n\n#### For developers\n\n- Start with a local path, git URL, or purl and generate a BOM in one command.\n- Use [Supported Project Types][docs-project-types] to confirm ecosystem coverage before wiring cdxgen into CI.\n\n#### For AppSec\n\n- Use `--profile appsec`, `--evidence`, and `--bom-audit` when you want richer security context.\n- Combine generation with [BOM Audit](docs/BOM_AUDIT.md), [cdx-validate](docs/CDX_VALIDATE.md), signing, and verification for a fuller secure-SBOM workflow.\n\n#### For SOC analysts\n\n- Use `obom` for live-system and runtime inventory on Linux and Windows hosts.\n- Focus on [OBOM lessons](docs/OBOM_LESSONS.md) when you need host triage, persistence review, LOLBAS-backed Windows startup analysis, or incident-response evidence.\n\n#### For compliance and platform governance\n\n- Use `cdx-validate` to assess structural and compliance posture, then `cdx-convert` when SPDX output is required.\n- Review [Permissions][docs-permissions] and hardened-environment guidance before adopting cdxgen in controlled pipelines.\n\n## Why cdxgen?\n\nMost SBOM tools are like simple barcode scanners. For easy applications, they can parse a few package manifests and create a list of components only based on these files without any deep inspection. Further, a typical application might have several repos, components, and libraries with complex build requirements. Traditional techniques to generate an SBOM per language or package manifest either do not work in enterprise environments or don't provide the confidence required for both compliance and automated analysis. So we built cdxgen - the universal polyglot SBOM generator that is user-friendly, precise, and comprehensive!\n\n**Our philosophy:**\n\n- _Explainability:_ Don't list, but explain with evidence.\n- _Precision:_ Try using multiple techniques to improve precision, even if it takes extra time.\n- _Personas:_ Cater to the needs of a range of personas such as security researchers, compliance auditors, developers, and SOC.\n- _Machine Learning:_ Optimize the generated data for Machine Learning (ML) purposes by considering the various model properties.\n- _Safety:_ Execute external build tools and handle untrusted inputs defensively, with hardened defaults and a [secure mode](docs/PERMISSIONS.md) for sensitive environments.\n\n## Documentation\n\nPlease visit our [GPT app][cdxgen-gpt] or the [documentation site][docs-homepage] for detailed usage, tutorials, and support documentation.\n\nSections include:\n\n- [Getting Started][docs-homepage]\n- [CLI Usage][docs-cli]\n- [Server Usage][docs-server]\n- [Hands-on Lessons](docs/LESSON8.md)\n- [Container Escape \u0026 Privilege Lesson](docs/LESSON9.md)\n- [Supported Project Types][docs-project-types]\n- [Environment Variables][docs-env-vars]\n- [Advanced Usage][docs-advanced-usage]\n- [Permissions][docs-permissions]\n- [Security Policy](SECURITY.md)\n- [Threat Model](docs/THREAT_MODEL.md)\n- [Support (Enterprise \u0026 Community)][docs-support]\n\n## Usage\n\n## Installing\n\nInstall the npm package when you want the full multi-command CLI surface.\n\n```shell\nnpm install -g @cyclonedx/cdxgen\n```\n\nInstalling `@cyclonedx/cdxgen` exposes these commands:\n\n| Command | Purpose | Standalone GitHub release binary |\n| --------------- | ---------------------------------------------------------------------------------------------------- | -------------------------------- |\n| `cdxgen` | Generate CycloneDX / SPDX BOMs from source, images, binaries, git URLs, or purls | yes |\n| `cdx-audit` | Prioritize existing BOM dependencies for upstream supply-chain review using explainable risk signals | yes |\n| `cdx-convert` | Convert CycloneDX JSON to SPDX 3.0.1 JSON-LD | yes |\n| `cdx-sign` | Sign BOMs with JSF signatures | yes |\n| `cdx-validate` | Validate BOMs and benchmark posture | yes |\n| `cdx-verify` | Verify BOM signatures | yes |\n| `cdxi` | Open the interactive REPL | no |\n| `evinse` | Add evidence, reachability, and service context | no |\n| `cbom` | Alias for CBOM-oriented `cdxgen` defaults | use `cdxgen` |\n| `obom` | Alias for `cdxgen -t os` | use `cdxgen` |\n| `saasbom` | Alias for SaaSBOM-oriented `cdxgen` defaults | use `cdxgen` |\n| `spdxgen` | Alias for `cdxgen --format spdx` | use `cdxgen` |\n| `cdxgen-secure` | Alias for hardened `cdxgen` defaults | use `cdxgen` |\n\nStandalone GitHub release binaries are published for `cdxgen`, `cdxgen-slim`, `cdx-audit`, `cdx-convert`, `cdx-sign`, `cdx-validate`, and `cdx-verify`.\n\n`cdx-audit` is designed to accelerate upstream dependency review with explainable, evidence-backed risk prioritization. It complements provenance, reproducibility, and manual investigation rather than replacing them.\n\nTo run cdxgen without installing (hotloading), use the [pnpm dlx](https://pnpm.io/cli/dlx) command.\n\n```shell\ncorepack pnpm dlx @cyclonedx/cdxgen --help\n```\n\nYou can call any packaged command the same way:\n\n```shell\ncorepack pnpm dlx --package=@cyclonedx/cdxgen cdx-audit --help\ncorepack pnpm dlx --package=@cyclonedx/cdxgen cdx-convert --help\ncorepack pnpm dlx --package=@cyclonedx/cdxgen cdx-validate --help\ncorepack pnpm dlx --package=@cyclonedx/cdxgen cdx-sign --help\ncorepack pnpm dlx --package=@cyclonedx/cdxgen cdx-verify --help\ncorepack pnpm dlx --package=@cyclonedx/cdxgen evinse --help\ncorepack pnpm dlx --package=@cyclonedx/cdxgen cdxi --help\n```\n\nIf you are a [Homebrew][homebrew-homepage] user, you can also install [cdxgen][homebrew-cdxgen] via:\n\n```shell\n$ brew install cdxgen\n```\n\nIf you are a [Winget][winget-homepage] user on windows, you can also install cdxgen via:\n\n```shell\nwinget install cdxgen\n```\n\n### Standalone GitHub release binaries\n\nIf you want a single-file executable instead of an npm installation, download a published release asset and verify its hash before executing it.\n\nCommon asset names:\n\n- `cdxgen-linux-amd64`\n- `cdxgen-linux-amd64-musl`\n- `cdxgen-darwin-arm64`\n- `cdxgen-windows-amd64.exe`\n- `cdx-audit-linux-amd64`\n- `cdx-audit-darwin-arm64`\n- `cdx-audit-windows-amd64.exe`\n- `cdx-convert-*`, `cdx-sign-*`, `cdx-validate-*`, `cdx-verify-*`\n\n#### Linux\n\n```bash\nVERSION=\"v12.3.0\"\nASSET=\"cdx-audit-linux-amd64\"\nBASE_URL=\"https://github.com/cdxgen/cdxgen/releases/download/${VERSION}\"\n\ncurl -fsSLO \"${BASE_URL}/${ASSET}\"\ncurl -fsSLO \"${BASE_URL}/${ASSET}.sha256\"\nsha256sum -c \"${ASSET}.sha256\"\nchmod +x \"${ASSET}\"\n./\"${ASSET}\" --help\n```\n\n#### macOS\n\n```bash\nVERSION=\"v12.3.0\"\nASSET=\"cdx-audit-darwin-arm64\"\nBASE_URL=\"https://github.com/cdxgen/cdxgen/releases/download/${VERSION}\"\n\ncurl -fsSLO \"${BASE_URL}/${ASSET}\"\ncurl -fsSLO \"${BASE_URL}/${ASSET}.sha256\"\nshasum -a 256 -c \"${ASSET}.sha256\"\nchmod +x \"${ASSET}\"\n./\"${ASSET}\" --help\n```\n\n#### Windows (PowerShell)\n\n```powershell\n$Version = \"v12.3.0\"\n$Asset = \"cdx-audit-windows-amd64.exe\"\n$BaseUrl = \"https://github.com/cdxgen/cdxgen/releases/download/$Version\"\n\nInvoke-WebRequest -Uri \"$BaseUrl/$Asset\" -OutFile $Asset\nInvoke-WebRequest -Uri \"$BaseUrl/$Asset.sha256\" -OutFile \"$Asset.sha256\"\n$Expected = (Get-Content \"$Asset.sha256\" | Select-Object -First 1).Trim().Split()[0]\n$Actual = (Get-FileHash $Asset -Algorithm SHA256).Hash.ToLowerInvariant()\nif ($Actual -ne $Expected.ToLowerInvariant()) {\n throw \"SHA256 mismatch for $Asset\"\n}\n.\\$Asset --help\n```\n\n#### GitHub Actions with the GitHub CLI\n\n```yaml\npermissions:\n contents: read\n\nsteps:\n - name: Download cdx-audit release binary\n env:\n GH_TOKEN: ${{ github.token }}\n run: |\n gh release download v12.3.0 \\\n --repo cdxgen/cdxgen \\\n --pattern 'cdx-audit-linux-amd64' \\\n --pattern 'cdx-audit-linux-amd64.sha256'\n sha256sum -c cdx-audit-linux-amd64.sha256\n chmod +x cdx-audit-linux-amd64\n ./cdx-audit-linux-amd64 --help\n```\n\nDeno and bun runtime can be used with limited support.\n\n```shell\ndeno install --allow-read --allow-env --allow-run --allow-sys=uid,systemMemoryInfo,gid,homedir --allow-write --allow-net -n cdxgen \"npm:@cyclonedx/cdxgen/cdxgen\"\n```\n\nYou can also use the cdxgen container image with node, deno, or bun runtime versions.\n\nThe default version uses Node.js 23\n\n```bash\ndocker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen:master -r /app -o /app/bom.json\n```\n\nTo use the deno version, use `ghcr.io/cyclonedx/cdxgen-deno` as the image name.\n\n```bash\ndocker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-deno:master -r /app -o /app/bom.json\n```\n\nFor the bun version, use `ghcr.io/cyclonedx/cdxgen-bun` as the image name.\n\n```bash\ndocker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen-bun:master -r /app -o /app/bom.json\n```\n\nIn deno applications, cdxgen could be directly imported without any conversion.\n\n```ts\nimport { createBom, submitBom } from \"npm:@cyclonedx/cdxgen@^12.2.1\";\n```\n\n## Common workflows\n\n| Goal | First command | Read next |\n| ---------------------------------------------------------- | -------------------------------------------------------------------------- | ------------------------------------ |\n| Generate a BOM from the current repository | `cdxgen -o bom.json .` | [CLI Usage][docs-cli] |\n| Generate a BOM from a git URL | `cdxgen -o bom.json https://github.com/example/project.git` | [CLI Usage][docs-cli] |\n| Generate a BOM from a package URL | `cdxgen -o bom.json \"pkg:npm/lodash@4.17.21\"` | [CLI Usage][docs-cli] |\n| Scan a container image | `cdxgen ghcr.io/owasp-dep-scan/depscan:nightly -o bom.json -t docker` | [Server Usage][docs-server] |\n| Audit a generated BOM for built-in supply-chain findings | `cdxgen -o bom.json --bom-audit .` | [BOM Audit](docs/BOM_AUDIT.md) |\n| Prioritize an existing BOM for upstream risk-driven review | `cdx-audit --bom bom.json` | [cdx-audit](docs/CDX_AUDIT.md) |\n| Validate a BOM against structural and compliance checks | `cdx-validate -i bom.json` | [cdx-validate](docs/CDX_VALIDATE.md) |\n| Convert CycloneDX JSON to SPDX JSON-LD | `cdx-convert -i bom.json -o bom.spdx.json` | [cdx-convert](docs/CDX_CONVERT.md) |\n| Generate an OBOM for live-system triage | `obom -o obom.json --deep --bom-audit --bom-audit-categories obom-runtime` | [OBOM lessons](docs/OBOM_LESSONS.md) |\n\nFor the full option reference, use `cdxgen --help` or visit [CLI Usage][docs-cli].\n\nCompanion commands also expose built-in help:\n\n- `cbom --help`\n- `cdx-audit --help`\n- `cdx-validate --help`\n- `cdx-convert --help`\n- `cdx-sign --help`\n- `cdx-verify --help`\n- `cdxgen-secure --help`\n- `cdxi --help`\n- `evinse --help`\n- `obom --help`\n- `saasbom --help`\n- `spdxgen --help`\n\n## Example\n\nMinimal example.\n\n```shell\ncdxgen -o bom.json\n```\n\nThe primary positional input can be:\n\n- a local filesystem path (default: current directory)\n- a git URL that cdxgen clones before scanning\n- a package URL (purl) that cdxgen resolves to source and then scans\n\nCommon source input examples:\n\n```shell\n# Local path\ncdxgen -o bom.json .\n\n# Git URL\ncdxgen -t java -o bom.json --git-branch main https://github.com/HooliCorp/java-sec-code.git\n\n# Package URL (purl)\ncdxgen -t js -o bom.json \"pkg:npm/lodash@4.17.21\"\n```\n\nFor a java project. cdxgen would automatically detect maven, gradle, or sbt and build bom accordingly\n\n```shell\ncdxgen -t java -o bom.json\n```\n\nTo print the SBOM as a table pass `-p` argument.\n\n```shell\ncdxgen -t java -o bom.json -p\n```\n\nTo recursively generate a single BOM for all languages pass `-r` argument.\n\n```shell\ncdxgen -r -o bom.json\n```\n\nTo generate an SBOM directly from a git URL:\n\n```shell\ncdxgen -t java -o bom.json --git-branch main https://github.com/HooliCorp/java-sec-code.git\n```\n\nThis works anywhere cdxgen expects its primary source input, so a git URL can be used in place of `.` or any other local path.\n\nTo generate an SBOM from a package URL (purl), cdxgen resolves registry metadata to a repository URL, clones it, and scans it:\n\n```shell\ncdxgen -t js -o bom.json \"pkg:npm/lodash@4.17.21\"\n```\n\nSupported purl source types: `npm`, `pypi`, `gem`, `cargo`, `pub`, `github`, `bitbucket`, `maven` (version required), `composer`, and `generic` (with `vcs_url` or `download_url` qualifier).\n\n\u003e **Warning:** Repository URLs resolved from registries may be inaccurate or malicious. Review resolved sources before trusting generated output.\n\nThe default specification used by cdxgen is 1.7. To generate BOM for a different specification version, such as 1.5 or 1.6, pass the version number using the `--spec-version` argument.\n\n```shell\n# 1.6 is supported by most tools\ncdxgen -r -o bom.json --spec-version 1.6\n```\n\nTo generate SBOM for C or Python, ensure Java \u003e= 21 is installed.\n\n```shell\n# Install java \u003e= 21\ncdxgen -t c -o bom.json\n```\n\nNOTE: cdxgen is known to freeze with Java 8 or 11, so ensure \u003e= 21 is installed and JAVA_HOME environment variable is configured correctly. If in doubt, use the cdxgen container image.\n\n## Universal SBOM\n\nBy passing the type argument `-t universal`, cdxgen could be forced to opportunistically collect as many components and services as possible by scanning all package, container, and Kubernetes manifests. The resulting SBOM could have over a thousand components, thus requiring additional triaging before use with traditional SCA tools.\n\n## SBOM server\n\nInvoke cdxgen with `--server` argument to run it in server mode. By default, it listens to port `9090`, which can be customized with the arguments `--server-host` and `--server-port`.\n\n```shell\ncdxgen --server\n```\n\nOr use the container image.\n\n```bash\ndocker run --rm -v /tmp:/tmp -p 9090:9090 -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app --server --server-host 0.0.0.0\n```\n\nUse curl or your favorite tool to pass arguments to the `/sbom` route.\n\n### Server arguments\n\nArguments can be passed either via the query string or as a JSON body. Please refer to [Server Usage][docs-server]\n\n### Health endpoint\n\nUse the /health endpoint to check if the SBOM server is up and running.\n\n```shell\ncurl \"http://127.0.0.1:9090/health\"\n```\n\n### Scanning a local path\n\n```shell\ncurl \"http://127.0.0.1:9090/sbom?path=/Volumes/Work/sandbox/vulnerable-aws-koa-app\u0026multiProject=true\u0026type=js\"\n```\n\n### Scanning a git repo\n\n```shell\ncurl \"http://127.0.0.1:9090/sbom?url=https://github.com/HooliCorp/vulnerable-aws-koa-app.git\u0026multiProject=true\u0026type=js\"\n```\n\nIf you need to pass credentials to authenticate.\n\n```shell\ncurl \"http://127.0.0.1:9090/sbom?url=https://\u003caccess_token\u003e@github.com/some/repo.git\u0026multiProject=true\u0026type=js\"\ncurl \"http://127.0.0.1:9090/sbom?url=https://\u003cusername\u003e:\u003cpassword\u003e@bitbucket.org/some/repo.git\u0026multiProject=true\u0026type=js\"\n```\n\nYou can POST the arguments.\n\n```bash\ncurl -H \"Content-Type: application/json\" http://localhost:9090/sbom -XPOST -d $'{\"url\": \"https://github.com/HooliCorp/vulnerable-aws-koa-app.git\", \"type\": \"nodejs\", \"multiProject\": \"true\"}'\n```\n\n### Docker compose\n\n```shell\ngit clone https://github.com/cdxgen/cdxgen.git\ndocker compose up\n```\n\n## War file support\n\ncdxgen can generate a BOM file from a given war file.\n\n```shell\n# cdxgen -t java app.war\ncdxgen app.war\n```\n\n## Resolving class names\n\nSometimes, it is necessary to resolve class names contained in jar files. By passing an optional argument `--resolve-class`, it is possible to get cdxgen to create a separate mapping file with the jar name (including the version) as the key and class names list as a value.\n\n```shell\ncdxgen -t java --resolve-class -o bom.json\n```\n\nThis would create a bom.json.map file with the jar - class name mapping. Refer to [these](test/data/bom-maven.json.map) [examples](test/data/bom-gradle.json.map) to learn about the structure.\n\n## Resolving licenses\n\ncdxgen can automatically query public registries such as maven, npm, or nuget to resolve the package licenses. This is a time-consuming operation and is disabled by default. To enable, set the environment variable `FETCH_LICENSE` to `true`, as shown. Ensure that `GITHUB_TOKEN` is set or provided by [built-in GITHUB_TOKEN in GitHub Actions][github-rate-limit], otherwise rate limiting might prevent license resolving.\n\n```bash\nexport FETCH_LICENSE=true\n```\n\n## Dependency Tree\n\ncdxgen can retain the dependency tree under the `dependencies` attribute for a small number of supported package manifests. These are currently limited to:\n\n- package-lock.json\n- yarn.lock\n- pnpm-lock.yaml\n- Maven (pom.xml)\n- Gradle\n- Scala SBT\n- Python (requirements.txt, setup.py, pyproject.toml, poetry.lock)\n- .NET (packages.lock.json, project.assets.json, paket.lock, .nuspec/.nupkg)\n- Go (go.mod)\n- PHP (composer.lock)\n- Ruby (Gemfile.lock)\n- Rust (Cargo.lock)\n\n## Plugins\n\ncdxgen could be extended with external binary plugins to support more SBOM use cases. These are now installed as an optional dependency.\n\n```shell\nsudo npm install -g @cdxgen/cdxgen-plugins-bin\n```\n\n## Plugins (pnpm)\n\n`cdxgen` can be extended with external binary plugins to support more SBOM use cases. \nThese are now installed as optional dependencies and can be used without a global install.\n\n```shell\npnpm dlx @cdxgen/cdxgen-plugins-bin\n```\n\n## Docker / OCI container support\n\n`docker` type is automatically detected based on the presence of values such as `sha256` or `docker.io` prefix etc in the path.\n\n```shell\ncdxgen odoo@sha256:4e1e147f0e6714e8f8c5806d2b484075b4076ca50490577cdf9162566086d15e -o /tmp/bom.json\n```\n\nYou can also pass `-t docker` with repository names. Only the `latest` tag would be pulled if none was specified.\n\n```shell\ncdxgen shiftleft/scan-slim -o /tmp/bom.json -t docker\n```\n\nYou can also pass the .tar file of a container image.\n\n```shell\ndocker pull shiftleft/scan-slim\ndocker save -o /tmp/slim.tar shiftleft/scan-slim\npodman save -q --format oci-archive -o /tmp/slim.tar shiftleft/scan-slim\ncdxgen /tmp/slim.tar -o /tmp/bom.json -t docker\n```\n\n### Podman in rootless mode\n\nSetup podman in either [rootless][podman-github-rootless] or [remote][podman-github-remote] mode\n\nDo not forget to start the podman socket required for API access on Linux.\n\n```shell\nsystemctl --user enable --now podman.socket\nsystemctl --user start podman.socket\npodman system service -t 0 \u0026\n```\n\n## Generate OBOM for a live system\n\nYou can use the `obom` command to generate an OBOM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.\n\n```shell\n# obom is an alias for cdxgen -t os\nobom\n# cdxgen -t os\n```\n\nThis feature is powered by osquery, which is [installed](https://github.com/cdxgen/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps, and extensions as possible using the [default queries](data/queries.json). The process would take several minutes and result in an SBOM file with thousands of components of various types, such as operating-system, device-drivers, files, and data.\n\nFor practical SOC/IR and compliance workflows, see the dedicated [OBOM lessons](./docs/OBOM_LESSONS.md).\n\n## Generate Cryptography Bill of Materials (CBOM)\n\nUse the `cbom` alias to generate a CBOM. This is currently supported only for Java projects.\n\n```shell\ncbom -t java\n# cdxgen -t java --include-crypto -o bom.json .\n```\n\n## Generating SaaSBOM and component evidences\n\nSee [evinse mode](./ADVANCED.md) in the advanced documentation.\n\n---\n\n## BOM signing\n\ncdxgen features a best-in-class, native **JSON Signature Format (JSF)** implementation for BOM signing, providing robust authenticity and non-repudiation capabilities. Unlike basic signing tools, our implementation fully supports granular signatures (signing individual components, services, and annotations), parallel Multi-Signatures (`signers`), and sequential Signature Chains (`chain`).\n\nTo enable automatic signing during BOM generation, set the following environment variables:\n\n- `SBOM_SIGN_ALGORITHM`: JSF Algorithm. Examples: `RS512`, `ES256`, `Ed25519`, `HS256`\n- `SBOM_SIGN_PRIVATE_KEY`: Location of the private key (PEM format)\n- `SBOM_SIGN_PUBLIC_KEY`: Optional. Location of the public key\n- `SBOM_SIGN_MODE`: Optional. Signature mode (`replace`, `signers`, `chain`). Default is `replace`.\n\nTo quickly generate test public/private key pairs and sign your first BOM, you can run cdxgen with the `--generate-key-and-sign` argument.\n\n### Advanced Signing with `cdx-sign`\n\nFor complex supply chain orchestration, use the bundled `cdx-sign` CLI. This tool allows multiple entities (e.g., a Builder and an Auditor) to co-sign an existing BOM without modifying its original data.\n\n```shell\n# Append a parallel multi-signature (Auditor co-signing)\n# Note: Granular component signing is disabled to preserve the Builder's original signature payload.\ncdx-sign -i bom.json -k auditor_private.pem -a ES256 --key-id \"auditor-qa\" --mode signers --no-sign-components\n```\n\n### Validating CycloneDX BOMs\n\nUse the bundled `cdx-validate` command to validate CycloneDX BOMs against **structural**, **deep**, and **compliance** checks. Refer to this [document](./docs/CDX_VALIDATE.md) for usage.\n\n### Verifying the signature\n\nUse the bundled `cdx-verify` command to validate BOM signatures. By default, `cdx-verify` performs a **strict deep verification**, meaning it mathematically validates the top-level BOM signature _and_ the signatures of every nested component, service, and annotation against the provided public key. Refer to this [lesson](./docs/LESSON6.md) for the usage of sign and verify commands.\n\n```shell\nnpm install -g @cyclonedx/cdxgen\n\n# Perform strict deep verification (default)\ncdx-verify -i bom.json --public-key public.key\n\n# Verify ONLY the top-level root signature (useful for verifying a multi-signer who didn't sign nested components)\ncdx-verify -i bom.json --public-key auditor_public.key --no-deep\n```\n\n### Verifying the signature (pnpm)\n\nYou can run the verification tools directly using pnpm (no global install needed):\n\n```shell\npnpm dlx @cyclonedx/cdxgen cdx-verify -i bom.json --public-key public.key\n```\n\nYou can also use pnpm to invoke the signing tool:\n\n```shell\npnpm dlx @cyclonedx/cdxgen cdx-sign -i bom.json -k private.key\n```\n\n---\n\n## Automatic usage detection\n\nFor node.js projects, lock files are parsed initially, so the SBOM would include all dependencies, including dev ones. An AST parser powered by babel-parser is then used to detect packages that are imported and used by non-test code. Such imported packages would automatically set their scope property to `required` in the resulting SBOM. You can turn off this analysis by passing the argument `--no-babel`. Scope property would then be set based on the `dev` attribute in the lock file.\n\nThis attribute can be later used for various purposes. For example, [dep-scan][depscan-github] uses this attribute to prioritize vulnerabilities. Unfortunately, tools such as dependency track, do not include this feature and might over-report the CVEs.\n\nWith the argument `--required-only`, you can limit the SBOM only to include packages with the scope \"required\", commonly called production or non-dev dependencies. Combine with `--no-babel` to limit this list to only non-dev dependencies based on the `dev` attribute being false in the lock files.\n\nFor go, `go mod why` command is used to identify required packages. For php, composer lock file is parsed to distinguish required (packages) from optional (packages-dev).\n\n## Automatic services detection\n\ncdxgen can automatically detect names of services from YAML manifests such as docker-compose, Kubernetes, or Skaffold manifests. These would be populated under the `services` attribute in the generated SBOM. With [evinse](./ADVANCED.md), additional services could be detected by parsing common annotations from the source code.\n\n## Conversion to SPDX format\n\nFor direct conversion of an existing CycloneDX JSON BOM to SPDX JSON-LD, use\nthe bundled `cdx-convert` command:\n\n```shell\ncdx-convert -i bom.json -o bom.spdx.json\n```\n\n`cdx-convert` currently supports CycloneDX 1.6 and 1.7 inputs and exports\nSPDX 3.0.1 JSON-LD.\n\nUse `cdxgen --format spdx` (or `--format cyclonedx,spdx`) when generating BOMs.\nUse the [CycloneDX CLI][cyclonedx-cli-github] tool for advanced use cases such\nas diff and merging.\n\n## Including .NET Global Assembly Cache dependencies in the results\n\nFor `dotnet` and `dotnet-framework`, SBOM could include components without a version number. Often, these components begin with the prefix `System.`.\n\nGlobal Assembly Cache (GAC) dependencies (System Runtime dependencies) must be made available in the build output of the project for version detection. A simple way to have the dotnet build copy the GAC dependencies into the build directory is to place the file `Directory.Build.props` into the root of the project and ensure the contents include the following:\n\n```\n\u003cProject xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\"\u003e\n\u003cItemDefinitionGroup\u003e\n \u003cReference\u003e\n \u003cPrivate\u003eTrue\u003c/Private\u003e\n \u003c/Reference\u003e\n\u003c/ItemDefinitionGroup\u003e\n\u003c/Project\u003e\n```\n\nThen, run cdxgen cli with the `--deep` argument.\n\n## License\n\nPermission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE][github-license] file for the full license.\n\n## Integration as library\n\ncdxgen is [ESM only](https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c) and could be imported and used with both deno and Node.js \u003e= 20\n\nMinimal example:\n\n```ts\nimport { createBom, submitBom } from \"npm:@cyclonedx/cdxgen@^9.0.1\";\n```\n\nSee the [Deno Readme](./contrib/deno/README.md) for detailed instructions.\n\n```javascript\nimport { createBom, submitBom } from \"@cyclonedx/cdxgen\";\n// bomNSData would contain bomJson\nconst bomNSData = await createBom(filePath, options);\n// Submission to dependency track server\nconst dbody = await submitBom(args, bomNSData.bomJson);\n```\n\n## Contributing\n\nPlease check out our [open issues][github-contribute] if you are interested in helping.\n\n### Codeberg Mirror\n\nThe project is mirrored on [Codeberg](https://codeberg.org/cdxgen/cdxgen). Users can clone the repository using the following URL:\n\n```shell\ngit clone https://codeberg.org/cdxgen/cdxgen.git\n```\n\nThe maintainers accept Pull Requests (PRs) against the Codeberg repository.\n\n\u003e **Note:** The Codeberg repository is currently synced manually from GitHub.\n\nBefore raising a PR, please run the following commands.\n\n```shell\ncorepack enable pnpm\npnpm install:frozen\n# Generate types using jsdoc syntax\npnpm run gen-types\n# Run biomejs formatter and linter with auto fix\npnpm run lint\n# Run jest tests\npnpm test\n```\n\n### Testing main branch\n\nUse `pnpm add -g` command to quickly test the main branch.\n\n```shell\ncorepack pnpm bin -g\ncorepack pnpm setup\ncorepack pnpm add -g https://github.com/cdxgen/cdxgen\ncdxgen --help\n```\n\n### Testing main branch (No Global Install)\n\nTo quickly test the latest main branch without installing globally, you can use `pnpm` in a local or temporary environment.\n\n```shell\ncorepack enable\npnpm install --prefer-offline\npnpm dlx cdxgen --help\n```\n\n## Sponsors\n\n\u003cdiv style=\"display: flex; align-items: center; gap: 20px;\"\u003e\n \u003cimg src=\"./docs/_media/GithubLogo-LightBg.png\" width=\"180\" height=\"180\"\u003e\n \u003cimg src=\"./docs/_media/MicrosoftLogo.png\" width=\"180\" height=\"180\"\u003e\n\u003c/div\u003e\n\nSome features are funded through [NGI Zero Core](https://nlnet.nl/core), a fund established by [NLnet](https://nlnet.nl) with financial support from the European Commission's [Next Generation Internet](https://ngi.eu) program. Learn more at the [NLnet project page](https://nlnet.nl/project/OWASP-dep-scan).\n\n[\u003cimg src=\"https://nlnet.nl/logo/banner.png\" alt=\"NLnet foundation logo\" width=\"20%\" /\u003e](https://nlnet.nl)\n[\u003cimg src=\"https://nlnet.nl/image/logos/NGI0_tag.svg\" alt=\"NGI Zero Logo\" width=\"20%\" /\u003e](https://nlnet.nl/core)\n\ncdxgen is an OWASP Foundation production project.\n\n[\u003cimg src=\"https://owasp.org/assets/images/logo.png\" width=\"20%\" /\u003e](https://owasp.org)\n\n## cdxgen badge\n\nCopy the below block to your markdown files to show your ❤️ for cdxgen.\n\n```markdown\n[![SBOM](https://img.shields.io/badge/SBOM-with_%E2%9D%A4%EF%B8%8F_by_cdxgen-FF753D)](https://github.com/cdxgen/cdxgen)\n```\n\n\u003c!-- LINK LABELS --\u003e\n\u003c!-- Badges --\u003e\n\n[badge-github-contributors]: https://img.shields.io/github/contributors/cyclonedx/cdxgen\n[badge-github-license]: https://img.shields.io/github/license/cyclonedx/cdxgen\n[badge-github-releases]: https://img.shields.io/github/v/release/cyclonedx/cdxgen\n[badge-jsr]: https://img.shields.io/jsr/v/%40cyclonedx/cdxgen\n[badge-npm]: https://img.shields.io/npm/v/%40cyclonedx%2Fcdxgen\n[badge-npm-downloads]: https://img.shields.io/npm/dy/%40cyclonedx%2Fcdxgen\n[badge-swh]: https://archive.softwareheritage.org/badge/origin/https://github.com/cdxgen/cdxgen/\n\n\u003c!-- cdxgen github project --\u003e\n\n[github-contribute]: https://github.com/cdxgen/cdxgen/contribute\n[github-contributors]: https://github.com/cdxgen/cdxgen/graphs/contributors\n[github-issues]: https://github.com/cdxgen/cdxgen/issues\n[github-license]: https://github.com/cdxgen/cdxgen/blob/master/LICENSE\n[github-releases]: https://github.com/cdxgen/cdxgen/releases\n\n\u003c!-- cdxgen documentation site --\u003e\n\n[docs-homepage]: https://cdxgen.github.io/cdxgen\n[docs-advanced-usage]: https://cdxgen.github.io/cdxgen/#/ADVANCED\n[docs-cli]: https://cdxgen.github.io/cdxgen/#/CLI\n[docs-env-vars]: https://cdxgen.github.io/cdxgen/#/ENV\n[docs-permissions]: https://cdxgen.github.io/cdxgen/#/PERMISSIONS\n[docs-project-types]: https://cdxgen.github.io/cdxgen/#/PROJECT_TYPES\n[docs-server]: https://cdxgen.github.io/cdxgen/#/SERVER\n[docs-support]: https://cdxgen.github.io/cdxgen/#/SUPPORT\n\n\u003c!-- web links--\u003e\n\n[appthreat-homepage]: https://www.appthreat.com\n[cyclonedx-homepage]: https://cyclonedx.org\n[cyclonedx-cli-github]: https://github.com/CycloneDX/cyclonedx-cli\n[depscan-github]: https://github.com/cyclonedx/dep-scan\n[github-rate-limit]: https://docs.github.com/en/rest/overview/rate-limits-for-the-rest-api#primary-rate-limit-for-github_token-in-github-actions\n[homebrew-homepage]: https://brew.sh\n[homebrew-cdxgen]: https://formulae.brew.sh/formula/cdxgen\n[winget-homepage]: https://learn.microsoft.com/en-us/windows/package-manager/winget/\n[jsr-cdxgen]: https://jsr.io/@cyclonedx/cdxgen\n[jwt-homepage]: https://jwt.io\n[jwt-libraries]: https://jwt.io/libraries\n[librariesio]: https://libraries.io/npm/@cyclonedx%2Fcdxgen\n[npmjs-cdxgen]: https://www.npmjs.com/package/@cyclonedx/cdxgen\n[podman-github-rootless]: https://github.com/containers/podman/blob/master/docs/tutorials/rootless_tutorial.md\n[podman-github-remote]: https://github.com/containers/podman/blob/master/docs/tutorials/mac_win_client.md\n[swh-cdxgen]: https://archive.softwareheritage.org/browse/origin/?origin_url=https://github.com/cdxgen/cdxgen\n[cdxgen-gpt]: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cyclonedx-generator-cdxgen\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdxgen%2Fcdxgen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcdxgen%2Fcdxgen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcdxgen%2Fcdxgen/lists"}