SPDX Software Bill of Materials (SBOM) Generator

Overview

Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials (SBOM) information that supports accurate identification of software components, explicit mapping of relationships between components, and the association of security and licensing information with each component.

spdx-sbom-generator is a tool to help those in the community who want to generate SPDX Software Bill of Materials (SBOMs) with current package managers. It has a command-line interface (CLI) that lets you generate SBOM information, including components, licenses, copyrights, and security references of your software, using the SPDX v2.2 specification and aligning with the currently known minimum elements from NTIA. It automatically determines which package managers or build systems are actually being used by the software.

spdx-sbom-generator supports the following package managers:

  • GoMod (go)
  • Cargo (Rust)
  • Composer (PHP)
  • DotNet (.NET)
  • Maven (Java)
  • NPM (Node.js)
  • Yarn (Node.js)
  • PIP (Python)
  • Pipenv (Python)
  • Gems (Ruby)

Installation:

Note: The spdx-sbom-generator CLI is under development. You may expect some breakages and stability issues with the current release. A stable version is under development and will be available to the open source community in the upcoming beta release.

Available command options

Run help:

./spdx-sbom-generator -h

Output Package Manager dependency on SPDX format

Usage:
  spdx-sbom-generator [flags]

Flags:
  -h, --help                   help for spdx-sbom-generator
  -i, --include-license-text   include full license text (default: false)
  -o, --output-dir string      directory to write output file to (default: current directory)
  -p, --path string            the path to package file or the path to a directory which will be recursively analyzed for the package files (default '.') (default ".")
  -s, --schema string          <version> Target schema version (default: '2.2') (default "2.2")
  -f, --format string          output file format (default: 'spdx')
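As an added example (not code from the spdx-sbom-generator project), the following POSIX shell check verifies that an SPDX 2.2 tag-value SBOM, such as one written with `-f spdx`, carries the tags that back the NTIA minimum elements mentioned above (supplier, component name, version, unique ID, dependency relationship, SBOM author and timestamp). The tag names are those of the SPDX 2.2 tag-value format; the sample document, its package names, URLs and dates are constructed here and are not generator output.

```shell
# Added example (not spdx-sbom-generator project code): check that an SPDX 2.2 tag-value
# SBOM carries the tags backing the NTIA minimum elements. A generator run that would
# produce such a file, with flags from the help text above:
#   ./spdx-sbom-generator -p ./my-project -o ./out -s 2.2 -f spdx
REQUIRED_DOC_TAGS="SPDXVersion DocumentNamespace Creator Created"   # author + timestamp
REQUIRED_PKG_TAGS="PackageName PackageVersion PackageSupplier PackageDownloadLocation"
count_tag() { grep -c "^$1: " "$2" || true; }   # grep -c exits 1 on zero matches

# check_spdx_minimum_elements FILE -> 0 if every check passes, 1 otherwise (findings on stdout)
check_spdx_minimum_elements() {
    file="$1"; rc=0
    grep -q '^SPDXVersion: SPDX-2\.2$' "$file" || { echo "SPDXVersion is not SPDX-2.2"; rc=1; }
    for tag in $REQUIRED_DOC_TAGS; do
        [ "$(count_tag "$tag" "$file")" -ge 1 ] || { echo "missing document tag: $tag"; rc=1; }
    done
    pkgs=$(count_tag PackageName "$file")
    [ "$pkgs" -gt 0 ] || { echo "no PackageName entries"; rc=1; }
    for tag in $REQUIRED_PKG_TAGS; do   # each package block must carry every package tag
        n=$(count_tag "$tag" "$file")
        [ "$n" -eq "$pkgs" ] || { echo "$tag appears $n times for $pkgs packages"; rc=1; }
    done
    grep -q '^Relationship: .* DEPENDS_ON ' "$file" || { echo "no DEPENDS_ON relationship"; rc=1; }
    return $rc
}

# write_sample_sbom FILE [line replacing sample-lib's PackageSupplier]: constructed SPDX 2.2
# document in tag-value layout; names, URLs and dates are made up, not generator output.
write_sample_sbom() {
    cat > "$1" <<EOF
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: sample-app
DocumentNamespace: https://example.invalid/spdx/sample-app
Creator: Tool: spdx-sbom-generator
Created: 2021-06-01T12:00:00Z
PackageName: sample-app
SPDXID: SPDXRef-Package-sample-app
PackageVersion: 1.0.0
PackageSupplier: Organization: Example Org
PackageDownloadLocation: NOASSERTION
PackageName: sample-lib
SPDXID: SPDXRef-Package-sample-lib
PackageVersion: 2.3.1
${2:-PackageSupplier: Person: Sample Maintainer}
PackageDownloadLocation: https://example.invalid/sample-lib-2.3.1.tgz
Relationship: SPDXRef-Package-sample-app DEPENDS_ON SPDXRef-Package-sample-lib
EOF
}
```

Running `check_spdx_minimum_elements out/bom.spdx` after a generator run lists each missing tag, so a package whose supplier the package manager could not determine shows up as a count mismatch rather than passing silently.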