cdxgen by CycloneDX

CLI tool for CycloneDX SBOM generation

Created 5 years ago
785 stars

Top 44.6% on SourcePulse

Project Summary

cdxgen is a versatile command-line tool for generating CycloneDX Software Bills of Materials (SBOMs) for a wide range of languages and container images. It serves security researchers, compliance auditors, and developers by producing precise, evidence-backed BOMs, and it supports several CycloneDX BOM types: Software (SBOM), Cryptography (CBOM), Operations (OBOM), and Attestations (CDXA).

How It Works

cdxgen takes a polyglot approach, combining manifest parsing, source code analysis, and binary analysis to reach high precision. It aims for explainability by recording evidence for each detected component (which manifest, source file, or binary justified its inclusion) and supports CycloneDX specification versions 1.4 through 1.6. The tool can also submit generated BOMs directly to Dependency-Track and offers a server mode for on-demand SBOM generation.

Quick Start & Requirements

  • Install: npm install -g @cyclonedx/cdxgen (or via Homebrew, Winget, Docker).
  • Prerequisites: Java >= 21 is required for C/C++ and Python SBOM generation. Setting FETCH_LICENSE=true fetches license data and needs a GitHub token to avoid GitHub API rate limiting during license lookups.
  • Demo: https://cyclonedx.github.io/cdxgen/

Highlighted Details

  • Supports Software (SBOM), Cryptography (CBOM), Operations (OBOM), and Attestations (CDXA) BOM formats.
  • Can generate SBOMs from source code, container images (Docker/OCI), and live systems (via obom alias).
  • Offers BOM signing capabilities using JSON Web Signatures for authenticity.
  • Includes automatic usage detection for Node.js projects to differentiate production vs. development dependencies.

Maintenance & Community

The project is actively maintained by the CycloneDX community. Documentation and community channels are linked from the GitHub repository.

Licensing & Compatibility

Licensed under the Apache 2.0 license, permitting commercial use and modification.

Limitations & Caveats

cdxgen may hang with Java versions older than 21; make sure Java >= 21 is the version on your PATH before generating C/C++ or Python SBOMs. The "universal" project type scans every supported ecosystem at once and can produce a very large number of components, so expect significant triage before the output is usable.

Health Check

  • Last commit: 19 hours ago
  • Responsiveness: 1 day
  • Pull requests (30d): 120
  • Issues (30d): 22
  • Star history: 26 stars in the last 30 days
