Generate Software Bill of Materials in SPDX and CycloneDX formats. Document dependencies for supply chain security.
A Software Bill of Materials (SBOM) is a formal, structured list of components, libraries, and modules that make up a piece of software. Think of it as an ingredients list for your application - it tells you exactly what software components you are depending on.
🔍
Know exactly what third-party code you are shipping. Identify all direct and transitive dependencies in your software supply chain.
🛡️
Quickly respond to vulnerability disclosures by knowing which components are affected. Enable automated vulnerability scanning and patch management.
⚖️
Meet regulatory requirements (EO 14028) and industry standards. Track license obligations to avoid legal issues with open source usage.
Feature CycloneDX SPDX
Organization OWASP Linux Foundation
Primary Focus Security & DevSecOps License Compliance
Formats JSON, XML, Protobuf JSON, RDF, Tag-Value
ISO Standard ECMA-424 ISO/IEC 5962:2021
Vulnerability Support Native (VEX, VDR) Via Extensions
Services/APIs Supported Limited
Executive Order 14028 "Improving the Nation's Cybersecurity" mandates SBOM requirements for software sold to the U.S. federal government:
Machine-Readable Format: SBOMs must be in standard formats (CycloneDX or SPDX)
NTIA Minimum Elements: Include supplier name, component name, version, unique identifiers, dependency relationships, author, and timestamp
Automation: SBOMs should be generated automatically during build process
Updates: New SBOM required for each software release or update
DO Automate SBOM generation in your CI/CD pipeline for every build
DO Include transitive dependencies - not just direct dependencies
DO Version your SBOMs and maintain historical records
DO Integrate with vulnerability databases for continuous monitoring
DON'T Rely on manual processes - SBOMs get outdated quickly
DON'T Ignore license information - it's critical for compliance
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all components, libraries, and dependencies that make up a software application. Just as a physical product has a bill of materials listing every part and sub-assembly, an SBOM catalogs every open-source library, commercial component, and internally developed module in your software.
SBOMs have become essential for software supply chain security. The 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028) mandated SBOMs for software sold to the U.S. federal government, and industry adoption is accelerating as organizations seek to manage the risk posed by vulnerabilities in third-party components (as demonstrated by Log4Shell, Spring4Shell, and the xz Utils backdoor).
| Format | Maintained By | Strengths | Common Use |
|---|---|---|---|
| SPDX | Linux Foundation | ISO standard (ISO/IEC 5962), comprehensive licensing | Open-source compliance, government |
| CycloneDX | OWASP | Security-focused, supports VEX, lightweight | Application security, DevSecOps |
| SWID Tags | ISO/IEC 19770-2 | Software identification, asset management | Enterprise IT asset management |
| Field | Description | Example |
|---|---|---|
| Component name | Package or library name | express |
| Version | Specific version used | 4.18.2 |
| Supplier | Who provides the component | npm/expressjs |
| License | Software license | MIT |
| Hash | Cryptographic hash for integrity | SHA-256: a1b2c3... |
| Dependencies | Components this component depends on | accepts, body-parser, ... |
| CPE/PURL | Standard identifier for vulnerability matching | pkg:npm/express@4.18.2 |
A Software Bill of Materials (SBOM) is a comprehensive inventory of all components, libraries, and dependencies that make up a software application. SBOMs are essential for software supply chain security, enabling organizations to quickly identify vulnerable components, meet regulatory requirements, and manage licensing compliance.
The tool supports common dependency file formats including package.json and package-lock.json for Node.js/JavaScript projects, requirements.txt and Pipfile for Python projects, go.mod for Go projects, pom.xml for Java/Maven projects, and Cargo.toml for Rust projects. Simply paste or upload your dependency file to get started.
The tool generates SBOMs in industry-standard formats including CycloneDX (JSON and XML) and SPDX (JSON and tag-value). CycloneDX is widely used in DevSecOps pipelines, while SPDX is an ISO standard commonly used for license compliance. Choose the format that matches your tooling and compliance requirements.
The tool cross-references your dependencies against known vulnerability databases to identify components with security issues. It displays vulnerability severity levels and CVE identifiers, helping you prioritize remediation efforts. This is a static analysis based on version matching and does not require network access to your codebase.
The generated SBOM includes license information for each component when available from the dependency file. The license analysis view helps you identify components using various open-source licenses, making it easier to ensure compliance with your organization license policies and legal requirements.
Yes, all SBOM generation happens entirely in your browser. Your dependency files are processed client-side using JavaScript and are never uploaded to any server. The generated SBOM remains on your device until you choose to download or copy it.