Skip to content

Latest commit

 

History

History
51 lines (34 loc) · 1.81 KB

sbom_generation.md

File metadata and controls

51 lines (34 loc) · 1.81 KB

How do I use CVE Binary Tool to generate a SBOM?

The cve-bin-tool can be used to generate a software bill of materials (SBOM) file, which is a file that contains a list of all components detected by the scan in a standardized format.

SBOM support

The cve-bin-tool generates SBOMs in the following formats

SBOM Type Format Filename extension
SPDX TagValue .spdx
SPDX JSON .spdx.json
SPDX YAML .spdx.yaml
SPDX YAML .spdx.yml
CycloneDX JSON .json

Details of the formats for each of the supported SBOM formats are available for SPDX and CycloneDX

Usage

To generate a SBOM, run the tool as shown. See the examples below for details about optional arguments and default values used.

cve-bin-tool --sbom-type <sbom type> --sbom-format <sbom format> --sbom-output <sbom filename>

Examples

Generate a SPDX SBOM in TagValue format with the name sbom.spdx

cve-bin-tool --sbom-type spdx --sbom-format tag --sbom-output sbom.spdx .

If the --sbom-type option is omitted, a SBOM is generated in the SPDX type. If the --sbom-format option is omitted, the format is inferred from the extension of the --sbom-output filename. The above and below examples are equivalent.

cve-bin-tool --sbom-output sbom.spdx

Generate a SPDX SBOM in YAML format with the name sbom.yml

cve-bin-tool --sbom-type spdx --sbom-format yaml --sbom-output sbom.yml

Generate a CycloneDX SBOM in JSON format with the name sbom.json. Note that CycloneDX SBOMs are only generated in JSON, so the --sbom-format option is unnecessary.

cve-bin-tool --sbom-type cyclonedx --sbom-output sbom.json