sourcepulse logobeta
HomeBrowse all repos

cdxgen  by CycloneDX

CLI tool for CycloneDX SBOM generation

created 5 years ago
745 stars

Top 47.6% on sourcepulse

GitHubView on GitHub
1 Expert Loves This Project
hsbt
Hiroshi Shibata
Core Contributor to Ruby
Project Summary

cdxgen is a versatile command-line tool for generating CycloneDX Software Bill of Materials (SBOMs) across numerous languages and container images. It caters to security researchers, compliance auditors, and developers by providing precise, evidence-based SBOMs, supporting multiple SBOM formats including Software, Cryptography, Operations, and Attestations.

How It Works

cdxgen employs a polyglot approach, utilizing various analysis techniques such as manifest parsing, source code analysis, and binary analysis to achieve high precision. It aims for explainability by providing evidence for detected components and supports multiple CycloneDX specification versions (1.4-1.6). The tool can also integrate with Dependency-Track for automated submission and offers a server mode for dynamic SBOM generation.

Quick Start & Requirements

  • Install: npm install -g @cyclonedx/cdxgen (or via Homebrew, Winget, Docker).
  • Prerequisites: Java >= 21 is required for C/C++ and Python SBOM generation. FETCH_LICENSE=true requires a GitHub token for unthrottled license lookups.
  • Demo: https://cyclonedx.github.io/cdxgen/

Highlighted Details

  • Supports Software (SBOM), Cryptography (CBOM), Operations (OBOM), and Attestations (CDXA) BOM formats.
  • Can generate SBOMs from source code, container images (Docker/OCI), and live systems (via obom alias).
  • Offers BOM signing capabilities using JSON Web Signatures for authenticity.
  • Includes automatic usage detection for Node.js projects to differentiate production vs. development dependencies.

Maintenance & Community

The project is actively maintained by the CycloneDX community. Further details and community interaction can be found via their documentation and potential community channels linked from their GitHub repository.

Licensing & Compatibility

Licensed under the Apache 2.0 license, permitting commercial use and modification.

Limitations & Caveats

cdxgen may freeze with Java versions older than 21; ensure Java >= 21 is correctly configured. The "universal" SBOM type can generate a very large number of components requiring significant triaging.

Health Check
Last commit

1 day ago

Responsiveness

1 day

Pull Requests (30d)
76
Issues (30d)
24
Star History
62 stars in the last 90 days

Explore Similar Projects

Starred by Travis Fischer Travis Fischer(Founder of Agentic).

palico-ai by palico-ai

0%
342
Integrated framework for LLM application development and production
created 1 year ago
updated 8 months ago

jadx-ai-mcp by zinja-coder

4.3%
401
JADX plugin for LLM-powered Android APK analysis
created 3 months ago
updated 2 days ago

SandboxFusion by bytedance

2.2%
511
Secure code sandbox for LLM-generated code execution and evaluation
created 9 months ago
updated 1 month ago

coco by inherd

0%
325
DevOps metrics analysis and suggestion tool
created 4 years ago
updated 2 years ago
Starred by Hiroshi Shibata Hiroshi Shibata(Core Contributor to Ruby).

bomber by devops-kung-fu

0.3%
574
SBOM scanner for security vulnerabilities
created 3 years ago
updated 4 months ago

LLMDebugger by FloridSleeves

0.5%
554
LLM debugger refines programs using runtime execution info
created 1 year ago
updated 10 months ago
Starred by Georgios Konstantopoulos Georgios Konstantopoulos(CTO, General Partner at Paradigm).

octopus by FuzzingLabs

0%
486
Security analysis tool for WebAssembly and blockchain smart contracts
created 7 years ago
updated 1 year ago
Starred by Dan Guido Dan Guido(Cofounder of Trail of Bits).

funfuzz by MozillaSecurity

0%
636
Fuzzing harness for SpiderMonkey JavaScript engine testing
created 10 years ago
updated 2 years ago

shotgun_code by glebkudr

1.5%
2k
Desktop tool for LLM-powered codebase edits via structured context injection
created 2 months ago
updated 1 month ago
Starred by Elie Bursztein Elie Bursztein(Cybersecurity Lead at Google DeepMind), Chip Huyen Chip Huyen(Author of AI Engineering, Designing Machine Learning Systems), and
1 more.

oss-fuzz-gen by google

0.3%
1k
LLM-powered fuzz target generator for C/C++/Java/Python projects, benchmarked via OSS-Fuzz
created 1 year ago
updated 5 days ago
Starred by Travis Fischer Travis Fischer(Founder of Agentic), Philipp Schmid Philipp Schmid(DevRel at Google DeepMind), and
9 more.

promptfoo by promptfoo

1.4%
8k
CLI tool for LLM prompt/agent/RAG testing and red-teaming
created 2 years ago
updated 23 hours ago
Starred by David Cournapeau David Cournapeau(Author of scikit-learn), Chip Huyen Chip Huyen(Author of AI Engineering, Designing Machine Learning Systems), and
6 more.

repomix by yamadashy

0.8%
18k
CLI tool to pack codebases into AI-friendly formats for LLMs
created 1 year ago
updated 5 days ago
Feedback? Help us improve.