  • Language
    C#
  • License
    Apache License 2.0
  • Created almost 6 years ago
  • Updated over 1 year ago


Repository Details

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects


CycloneDX module for .NET

The CycloneDX module for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.

This module runs on

  • .NET 6.0
  • .NET 7.0

This module no longer runs on

Usage

CycloneDX for .NET is distributed via NuGet and Docker Hub.

Installing via NuGet

dotnet tool install --global CycloneDX

If you already have a previous version of CycloneDX installed, you can upgrade to the latest version using the following command:

dotnet tool update --global CycloneDX

Execution via DotNet

dotnet CycloneDX <path> -o <OUTPUT_DIRECTORY>

Execution via Docker

docker run cyclonedx/cyclonedx-dotnet [OPTIONS] <path>

Options

Usage: dotnet CycloneDX [options] <path>

Arguments:
  path                                                                   The path to a .sln, .csproj, .fsproj, .vbproj, or packages.config file or the path to a directory which will be recursively analyzed for packages.config files

Options:
  -v|--version                                                           Output the tool version and exit
  -tfm|--framework <FRAMEWORK>                                           The target framework to use. If not defined, all will be aggregated.
  -rt|--runtime <RUNTIME>                                                The runtime to use. If not defined, all will be aggregated.
  -o|--out <OUTPUT_DIRECTORY>                                            The directory to write the BOM
  -f|--filename <OUTPUT_FILENAME>                                        Optionally provide a filename for the BOM (default: bom.xml or bom.json)
  -j|--json                                                              Produce a JSON BOM instead of XML
  -d|--exclude-dev                                                       Exclude development dependencies from the BOM
  -t|--exclude-test-projects                                             Exclude test projects from the BOM
  -u|--url <BASE_URL>                                                    Alternative NuGet repository URL to https://<yoururl>/nuget/<yourrepository>/v3/index.json
  -us|--baseUrlUsername <BASE_URL_USER_NAME>                             Alternative NuGet repository username
  -usp|--baseUrlUserPassword <BASE_URL_USER_PASSWORD>                    Alternative NuGet repository username password/apikey
  -uspct|--isBaseUrlPasswordClearText                                    Alternative NuGet repository password is cleartext
  -r|--recursive                                                         To be used with a single project file, it will recursively scan project references of the supplied project file
  -ns|--no-serial-number                                                 Optionally omit the serial number from the resulting BOM
  -gu|--github-username <GITHUB_USERNAME>                                Optionally provide a GitHub username for license resolution. If set you also need to provide a GitHub personal access token
  -gt|--github-token <GITHUB_TOKEN>                                      Optionally provide a GitHub personal access token for license resolution. If set you also need to provide a GitHub username
  -gbt|--github-bearer-token <GITHUB_BEARER_TOKEN>                       Optionally provide a GitHub bearer token for license resolution. This is useful in GitHub actions
  -dgl|--disable-github-licenses                                         Optionally disable GitHub license resolution
  -dpr|--disable-package-restore                                         Optionally disable package restore
  -dhc|--disable-hash-computation                                        Optionally disable hash computation for packages
  -dct|--dotnet-command-timeout <DOTNET_COMMAND_TIMEOUT>                 dotnet command timeout in milliseconds (primarily used for long dotnet restore operations)
                                                                         Default value is: 300000.
  -biop|--base-intermediate-output-path <BASE_INTERMEDIATE_OUTPUT_PATH>  Optionally provide a folder for customized build environment. Required if folder 'obj' is relocated.
  -imp|--import-metadata-path <IMPORT_METADATA_PATH>                     Optionally provide a metadata template which has project specific details.
  -sn|--set-name <SET_NAME>                                              Override the autogenerated BOM metadata component name.
  -sv|--set-version <SET_VERSION>                                        Override the default BOM metadata component version (defaults to 0.0.0).
  -st|--set-type <SET_TYPE>                                              Override the default BOM metadata component type (defaults to application).
                                                                         Allowed values are: Null, Application, Framework, Library, OperationSystem, Device, File, Container, Firmware.
                                                                         Default value is: Null.
  -?|-h|--help                                                           Show help information.

Examples

To run the CycloneDX tool you need to specify a solution or project file. In case you pass a solution, the tool will aggregate all the projects.

The following will create a BOM from a solution and all projects defined within:

dotnet CycloneDX YourSolution.sln -o /output/path

The following will recursively scan the directory structure for packages.config and create a BOM:

dotnet CycloneDX /path/to/project -o /output/path

The following will recursively scan the project references of the supplied project file, and create a BOM of all package references from all included projects:

dotnet CycloneDX /path/to/project/MyProject.csproj -o /output/path -r

Project metadata template example

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:087d0712-f591-4995-ba76-03f1c5c48884" version="1" xmlns="http://cyclonedx.org/schema/bom/1.2">
  <metadata>
    <component type="application" bom-ref="pkg:nuget/CycloneDX@1.3.0">
      <name>CycloneDX</name>
      <version>1.3.0</version>
      <description>
        <![CDATA[The [CycloneDX module](https://github.com/CycloneDX/cyclonedx-dotnet) for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.]]>
      </description>
      <licenses>
        <license>
          <name>Apache License 2.0</name>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:nuget/CycloneDX@1.3.0</purl>
    </component>
  </metadata>
</bom>

Update the data and import it within a build pipeline, e.g. create the file with a script and also add dynamic data (version, timestamp, ...).

GitHub License Resolution

SPDX license IDs can be resolved for packages that reference a supported license file in a GitHub repository.

The GitHub license API has an unauthenticated call limit of 60 calls per hour. To ensure consistent output, BOM generation will fail if the rate limit is exceeded. If you start hitting rate limits you will need to generate a personal access token and provide it, together with your username, when running CycloneDX.

To generate a token go to Personal access tokens under Settings / Developer settings. From there select the option to Generate new token. No special token permissions are required.

Due to current limitations in the GitHub API licenses will only be resolved for master branch license references.
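The metadata template section above recommends generating the template from a script with dynamic data, and this section warns that unauthenticated GitHub license resolution can fail the build once the rate limit is hit. The following POSIX shell script is an added example, not part of the cyclonedx-dotnet project: it writes the template with the name, version and timestamp filled in (escaping the values first) and builds the tool's argument list so that license resolution is only enabled when a token is available. It assumes the tool is installed as a global dotnet tool and that the CI runner exposes the token in a variable named GITHUB_TOKEN (an assumed name).

```shell
#!/bin/sh
# Added example (not project code): build the -imp template and the tool arguments.
set -eu

# Escape the XML special characters so a value taken from CI (branch name,
# tag) cannot break out of the element or attribute it is written into.
xml_escape() {
  printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_bom_metadata NAME VERSION TIMESTAMP OUTFILE
# Same shape as the template in the README (CycloneDX 1.2), with the
# component name, version and build timestamp filled in at build time.
write_bom_metadata() {
  name=$(xml_escape "$1"); version=$(xml_escape "$2"); ts=$(xml_escape "$3")
  cat > "$4" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <metadata>
    <timestamp>${ts}</timestamp>
    <component type="application" bom-ref="pkg:nuget/${name}@${version}">
      <name>${name}</name>
      <version>${version}</version>
      <purl>pkg:nuget/${name}@${version}</purl>
    </component>
  </metadata>
</bom>
EOF
}

# cyclonedx_args SOLUTION OUTDIR METADATA
# Prints one argument per line: JSON output, dev dependencies excluded, the
# generated template imported. GitHub license resolution is enabled only when
# GITHUB_TOKEN (assumed CI variable) is set; otherwise it is disabled with
# -dgl so the unauthenticated 60-calls-per-hour limit cannot fail the build.
cyclonedx_args() {
  printf '%s\n' "$1" -o "$2" -j -d -imp "$3"
  if [ -n "${GITHUB_TOKEN:-}" ]; then
    printf '%s\n' -gbt "$GITHUB_TOKEN"
  else
    printf '%s\n' -dgl
  fi
}

# Pipeline step, e.g.:
#   write_bom_metadata Acme.App "$(git describe --tags)" "$(date -u +%FT%TZ)" meta.xml
#   dotnet CycloneDX $(cyclonedx_args YourSolution.sln ./sbom meta.xml)
```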

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Contributing

Pull requests are welcome. But please read the CycloneDX contributing guidelines first.

To build and test the solution locally you should have .NET Core 3.1 or .NET 6.0 installed. Standard commands like dotnet build and dotnet test work.

Alternatively, you can use VS Code and the included devcontainer configuration to work in a pre-configured docker image. (You will also need the "Remote - Containers" extension and Docker)

It is generally expected that pull requests will include relevant tests. Tests are automatically run on Windows, MacOS and Linux for every pull request, and build warnings will break the build.

If you are having trouble debugging a test that is failing for a platform you don't have access to, please let us know.

Thanks to Gitpod there is a really easy way of creating a ready-to-go development environment with VS Code. You can open a Gitpod-hosted development environment in your browser.

