  • Stars: 245
  • Rank 165,304 (Top 4 %)
  • Language: C#
  • License: Apache License 2.0
  • Created about 4 years ago
  • Updated 10 months ago


Repository Details

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.


   ______           __                 ____ _  __    ________    ____
  / ____/_  _______/ /___  ____  ___  / __ \ |/ /   / ____/ /   /  _/
 / /   / / / / ___/ / __ \/ __ \/ _ \/ / / /   /   / /   / /    / /
/ /___/ /_/ / /__/ / /_/ / / / /  __/ /_/ /   |   / /___/ /____/ /
\____/\__, /\___/_/\____/_/ /_/\___/_____/_/|_|   \____/_____/___/
     /____/

Usage:
  cyclonedx [command] [options]

Options:
  --version         Show version information
  -?, -h, --help    Show help and usage information

Commands:
  add                         Add information to a BOM (currently supports files)
  analyze                     Analyze a BOM file
  convert                     Convert between different BOM formats
  diff <from-file> <to-file>  Generate a BOM diff
  keygen                      Generates an RSA public/private key pair for BOM signing
  merge                       Merge two or more BOMs
  sign                        Sign a BOM or file
  validate                    Validate a BOM
  verify                      Verify signatures in a BOM

The CycloneDX CLI tool currently supports BOM analysis, modification, diffing, merging, format conversion, signing and verification.

Conversion is supported between CycloneDX XML, JSON, Protobuf, CSV, and SPDX JSON v2.2.

Binaries can be downloaded from the releases page.

Note: The CycloneDX CLI tool is built for automation use cases. Any commands that have the --input-file option also support feeding input from stdin. Likewise, any commands that have the --output-file option support output to stdout. However, you will need to supply the input/output formats.

For example:
cat bom.json | cyclonedx-cli convert --input-format json --output-format xml > bom.xml

Commands

Add Command

Add File Subcommand

files
  Add files to a BOM

Usage:
  cyclonedx add files [options]

Options:
  --input-file <input-file>                       Input BOM filename.
  --no-input                                      Use this option to indicate that there is no input BOM.
  --output-file <output-file>                     Output BOM filename, will write to stdout if no value provided.
  --input-format <autodetect|json|protobuf|xml>   Specify input file format.
  --output-format <autodetect|json|protobuf|xml>  Specify output file format.
  --base-path <base-path>                         Base path for directory to process (defaults to current working directory if omitted).
  --include <include>                             Apache Ant style path and file patterns to specify what to include (defaults to all files, separate patterns with a space).
  --exclude <exclude>                             Apache Ant style path and file patterns to specify what to exclude (defaults to none, separate patterns with a space).

Examples

Generating a source code BOM, excluding Git repository directory:
cyclonedx-cli add files --no-input --output-format json --exclude /.git/**

Adding build output files, from bin directory, to existing BOM:
cyclonedx-cli add files --input-file bom.json --output-format json --base-path bin

Analyze Command

analyze
  Analyze a BOM file

Usage:
  cyclonedx analyze [options]

Options:
  --input-file <input-file>                      Input BOM filename, will read from stdin if no value provided.
  --input-format <autodetect|json|protobuf|xml>  Specify input file format.
  --output-format <json|text>                    Specify output format (defaults to text).
  --multiple-component-versions                  Report components that have multiple versions in use.

Examples

Reporting on components that are included multiple times with different versions:
cyclonedx-cli analyze --input-file sbom.xml --multiple-component-versions

Convert Command

convert
  Convert between different BOM formats

Usage:
  cyclonedx convert [options]

Options:
  --input-file <input-file>                                    Input BOM filename, will read from stdin if no value provided.
  --output-file <output-file>                                  Output BOM filename, will write to stdout if no value provided.
  --input-format <autodetect|csv|json|protobuf|spdxjson|xml>   Specify input file format.
  --output-format <autodetect|csv|json|protobuf|spdxjson|xml>  Specify output file format.
  --output-version <v1_0|v1_1|v1_2|v1_3|v1_4>                  Specify output BOM specification version. (ignored for CSV and SPDX formats)  

Examples

Converting from XML to JSON format:
cyclonedx-cli convert --input-file sbom.xml --output-file sbom.json

Converting from XML to JSON format and piping output to additional tools:
cyclonedx-cli convert --input-file sbom.xml --output-format json | grep "something"

CSV Format

The CSV format is a limited representation of the list of components in a BOM.

The intention is to provide a simple way for users to produce and consume BOMs for simple use cases, including simple data migration use cases.

The only required fields are the component name and version fields. Others can be left blank or the columns omitted.

example.csv

SPDX Format

Converting between SPDX and CycloneDX formats can result in the loss of some information. The conversion functionality is provided by the CycloneDX.Spdx.Interop library, which is part of the CycloneDX .NET library project.

For more details on what information is lost refer to the CycloneDX .NET Library project page.

Diff Command

diff
  Generate a BOM diff

Usage:
  cyclonedx diff <from-file> <to-file> [options]

Arguments:
  <from-file>  From BOM filename.
  <to-file>    To BOM filename.

Options:
  --from-format <autodetect|json|protobuf|xml>  Specify from file format.
  --to-format <autodetect|json|protobuf|xml>    Specify to file format.
  --output-format <json|text>                   Specify output format (defaults to text).
  --component-versions                          Report component versions that have been added, removed or modified.

Examples

Reporting on components with version changes:
cyclonedx-cli diff sbom-from.xml sbom-to.xml --component-versions
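The two reports above, `analyze --multiple-component-versions` and `diff --component-versions`, both reduce to walking the component tree of a CycloneDX JSON BOM and grouping versions by component. The following is an added example, not code from the CycloneDX CLI project, that re-implements both reports in plain Python so the logic can be run offline and compared against the CLI's output. The two sample BOMs are constructed for the demonstration; the component key (group, name), the recursion into nested `components`, and the shape of the returned dictionaries are this example's own choices.

```python
"""Component-version analysis over CycloneDX JSON BOMs (added example)."""
import json
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample BOMs (minimal CycloneDX 1.4 JSON). A nested component is
# included because CycloneDX lets a component carry its own `components` list,
# and a version conflict hidden there is exactly what the analysis should find.
FROM_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "library", "group": "org.apache.tomcat", "name": "tomcat-catalina", "version": "9.0.14"},
    {"type": "library", "name": "mylibrary", "version": "1.0.0",
     "components": [
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.9.8"}
     ]},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.12.3"},
    {"type": "library", "name": "leftover", "version": "0.1.0"}
  ]
}
""")

TO_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 2,
  "components": [
    {"type": "library", "group": "org.apache.tomcat", "name": "tomcat-catalina", "version": "9.0.14"},
    {"type": "library", "name": "mylibrary", "version": "1.1.0"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"},
    {"type": "library", "name": "newdep", "version": "3.0.0"}
  ]
}
""")

ComponentKey = Tuple[str, str]  # (group, name); group is "" when absent


def iter_components(bom: dict) -> Iterator[dict]:
    """Yield every component, descending into nested `components` lists."""
    stack: List[dict] = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def versions_by_component(bom: dict) -> Dict[ComponentKey, Set[str]]:
    """Map each (group, name) to the set of versions occurring in the BOM."""
    table: Dict[ComponentKey, Set[str]] = defaultdict(set)
    for comp in iter_components(bom):
        if "name" not in comp:
            continue  # name is required by the spec; tolerate sloppy input anyway
        table[(comp.get("group", ""), comp["name"])].add(comp.get("version", ""))
    return table


def multiple_component_versions(bom: dict) -> Dict[ComponentKey, List[str]]:
    """Same report as `analyze --multiple-component-versions`: components that
    appear with more than one version, a common sign of dependency conflicts."""
    return {key: sorted(vs) for key, vs in versions_by_component(bom).items() if len(vs) > 1}


def diff_component_versions(from_bom: dict, to_bom: dict) -> Dict[str, dict]:
    """Same report as `diff --component-versions`: components whose versions
    were added, removed or modified between the from-BOM and the to-BOM."""
    before, after = versions_by_component(from_bom), versions_by_component(to_bom)
    added = {k: sorted(after[k]) for k in after.keys() - before.keys()}
    removed = {k: sorted(before[k]) for k in before.keys() - after.keys()}
    modified = {
        k: {"from": sorted(before[k]), "to": sorted(after[k])}
        for k in before.keys() & after.keys()
        if before[k] != after[k]
    }
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    for key, vs in multiple_component_versions(FROM_BOM).items():
        print("multiple versions:", ":".join(filter(None, key)), vs)
    for kind, entries in diff_component_versions(FROM_BOM, TO_BOM).items():
        for key, info in entries.items():
            print(kind, ":".join(filter(None, key)), info)
```

Run against the constructed BOMs, the analysis flags jackson-databind (2.9.8 nested under mylibrary, 2.12.3 at top level), and the diff reports newdep as added, leftover as removed, and mylibrary and jackson-databind as modified while tomcat-catalina is unchanged. Keying on (group, name) rather than name alone avoids merging unrelated packages that share a short name; keying on purl instead would be stricter still, but purls encode the version, so they cannot be used directly to group versions of one component.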

Keygen Command

keygen
  Generates an RSA public/private key pair for BOM signing

Usage:
  cyclonedx keygen [options]

Options:
  --private-key-file <private-key-file>  Filename for generated private key file (defaults to "private.key")
  --public-key-file <public-key-file>    Filename for generated public key file (defaults to "public.key")

Merge Command

merge
  Merge two or more BOMs

Usage:
  cyclonedx merge [options]

Options:
  --input-files <input-files>                     Input BOM filenames (separate filenames with a space).
  --output-file <output-file>                     Output BOM filename, will write to stdout if no value provided.
  --input-format <autodetect|json|protobuf|xml>   Specify input file format.
  --output-format <autodetect|json|protobuf|xml>  Specify output file format.
  --hierarchical                                  Perform a hierarchical merge.
  --group <group>                                 Provide the group of software the merged BOM describes.
  --name <name>                                   Provide the name of software the merged BOM describes (required for hierarchical merging).
  --version <version>                             Provide the version of software the merged BOM describes (required for hierarchical merging).

Note: To perform a hierarchical merge all BOMs need the subject of the BOM described in the metadata component element.

Examples

Merge two XML formatted BOMs:
cyclonedx-cli merge --input-files sbom1.xml sbom2.xml --output-file sbom_all.xml

Merging two BOMs and piping output to additional tools:
cyclonedx-cli merge --input-files sbom1.xml sbom2.xml --output-format json | grep "something"

Sign Command

Sign a BOM or file

Sign Bom Subcommand

bom
  Sign the entire BOM document

Usage:
  cyclonedx sign bom <bom-file> [options]

Arguments:
  <bom-file>  BOM filename

Options:
  --key-file <key-file>  Signing key filename (RSA private key in PEM format, defaults to "private.key")

Sign File Subcommand

file
  Sign arbitrary files and generate a PKCS1 RSA SHA256 signature file

Usage:
  cyclonedx sign file <file> [options]

Arguments:
  <file>  Filename of the file the signature will be created for

Options:
  --key-file <key-file>              Signing key filename (RSA private key in PEM format, defaults to "private.key")
  --signature-file <signature-file>  Filename of the generated signature file (defaults to the filename with ".sig" appended)

Validate Command

validate
  Validate a BOM

Usage:
  cyclonedx validate [options]

Options:
  --input-file <input-file>                   Input BOM filename, will read from stdin if no value provided.
  --input-format <autodetect|json|xml>        Specify input file format.
  --input-version <v1_0|v1_1|v1_2|v1_3|v1_4>  Specify input file specification version (defaults to v1.4)
  --fail-on-errors                            Fail on validation errors (return a non-zero exit code)

Examples

Validate BOM and return non-zero exit code (handy for automatically "breaking" a build, etc)
cyclonedx-cli validate --input-file sbom.xml --fail-on-errors

Verify Command

Verify signatures for BOMs and files

Verify All Subcommand

all
  Verify all signatures in a BOM

Usage:
  cyclonedx verify all <bom-file> [options]

Arguments:
  <bom-file>  BOM filename

Options:
  --key-file <key-file>  Public key filename (RSA public key in PEM format, defaults to "public.key")

Verify File Subcommand

file
  Verifies a PKCS1 RSA SHA256 signature file for an arbitrary file

Usage:
  cyclonedx verify file <file> [options]

Arguments:
  <file>  File the signature file is for

Options:
  --key-file <key-file>              Public key filename (RSA public key in PEM format, defaults to "public.key")
  --signature-file <signature-file>  Signature file to be verified (defaults to the filename with ".sig" appended)
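The `sign file` and `verify file` subcommands above describe a detached PKCS#1 v1.5 RSA signature over the SHA-256 digest of a file. The following is an added example, not code from the CycloneDX CLI project, that performs the same three steps (key generation, signing, verification) with the `cryptography` package, assumed to be installed, and then shows the property a consumer relies on: after the signed file is altered, verification fails. The layout of the ".sig" file as raw signature bytes and the PKCS#8 PEM encoding of the private key are this example's assumptions, not statements from the page, so do not take it as byte-for-byte compatible with the CLI's own files.

```python
"""Detached PKCS#1 v1.5 / RSA / SHA-256 file signatures (added example)."""
import tempfile
from pathlib import Path
from typing import Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def generate_keypair(private_key_file: Path, public_key_file: Path) -> None:
    """Counterpart of `keygen`: write an RSA key pair as PEM files.
    PKCS#8 encoding for the private key is this example's choice (assumption)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_key_file.write_bytes(key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    ))
    public_key_file.write_bytes(key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    ))


def sign_file(file: Path, key_file: Path, signature_file: Optional[Path] = None) -> Path:
    """Counterpart of `sign file`: PKCS#1 v1.5 signature over SHA-256(file),
    written to <file>.sig unless another path is given. Raw bytes in the .sig
    file is an assumption of this example."""
    signature_file = signature_file or file.with_name(file.name + ".sig")
    key = serialization.load_pem_private_key(key_file.read_bytes(), password=None)
    signature_file.write_bytes(key.sign(file.read_bytes(), padding.PKCS1v15(), hashes.SHA256()))
    return signature_file


def verify_file(file: Path, key_file: Path, signature_file: Optional[Path] = None) -> bool:
    """Counterpart of `verify file`: True only if the signature was made over
    exactly this content by the private key matching `key_file`."""
    signature_file = signature_file or file.with_name(file.name + ".sig")
    public_key = serialization.load_pem_public_key(key_file.read_bytes())
    try:
        public_key.verify(signature_file.read_bytes(), file.read_bytes(),
                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo() -> dict:
    """Sign a constructed BOM, verify it intact, then verify it after tampering."""
    workdir = Path(tempfile.mkdtemp())
    priv, pub = workdir / "private.key", workdir / "public.key"
    generate_keypair(priv, pub)
    bom = workdir / "bom.json"
    bom.write_text('{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}')  # constructed
    sign_file(bom, priv)
    results = {"intact": verify_file(bom, pub)}
    # A single added component invalidates the signature: the digest no longer matches.
    bom.write_text(bom.read_text().replace("[]", '[{"type": "library", "name": "x", "version": "1"}]'))
    results["tampered"] = verify_file(bom, pub)
    return results


if __name__ == "__main__":
    print(demo())
```

The verification only proves that the holder of the private key signed this exact byte sequence; it says nothing about who that holder is. The public key therefore has to reach the consumer through a channel that is trusted independently of the BOM download, and any conversion (for example `convert` from XML to JSON) produces new bytes that must be re-signed.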

Docker Image

The CycloneDX CLI tool can also be run using Docker: docker run cyclonedx/cyclonedx-cli

Homebrew

For Linux and MacOS, the CLI can be installed via the CycloneDX Homebrew tap:

brew install cyclonedx/cyclonedx/cyclonedx-cli

Supported Platforms

Officially supported builds are available for these platforms:

  • Windows x64 (win-x64)
  • Linux x64 (linux-x64)
  • Linux musl x64 (linux-musl-x64, includes Alpine Linux)
  • MacOS x64 (osx-x64)

Community supported builds are available for these platforms:

  • Windows x86 (win-x86)
  • Windows ARM (win-arm)
  • Windows ARM x64 (win-arm64)
  • Linux ARM (linux-arm)
  • Linux ARM x64 (linux-arm64)
  • MacOS ARM x64 (osx-arm64)

.NET Core runtime dependencies are required.

For Windows these should be preinstalled.

For Ubuntu these are libc6 libgcc1 libgssapi-krb5-2 libicu66 libssl1.1 libstdc++6 zlib1g.

Using gron for adhoc searching and analysis

gron transforms JSON into discrete assignments to make it easier to grep for what you want and see the absolute 'path' to it.

For convenience, gron is included in the CycloneDX CLI Docker image.

Example usage that lists all component names and versions

$ gron bom-1.2.json | grep -E "(components\[[[:digit:]]*\].name)|(components\[[[:digit:]]*\].version)"

json.components[0].name = "tomcat-catalina";
json.components[0].version = "9.0.14";
json.components[1].name = "mylibrary";
json.components[1].version = "1.0.0";

Or the same using an XML format BOM

$ cyclonedx convert --input-file bom.xml --output-format json | gron | grep -E "(components\[[[:digit:]]*\].name)|(components\[[[:digit:]]*\].version)"

json.components[0].name = "tomcat-catalina";
json.components[0].version = "9.0.14";
json.components[1].name = "mylibrary";
json.components[1].version = "1.0.0";

For more details on gron usage refer to the gron project page.

For more details on grep usage refer to the grep man page.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Contributing

Pull requests are welcome. But please read the CycloneDX contributing guidelines first.

To build and test the solution locally you should have .NET 6 installed. Standard commands like dotnet build and dotnet test work.

It is generally expected that pull requests will include relevant tests. Tests are automatically run on Windows, MacOS and Linux for every pull request. Build warnings will break the build.

Please let us know if you are having trouble debugging a test that is failing for a platform that you don't have access to.
