cyclonedx-go is a Go library to consume and produce CycloneDX Software Bills of Materials (SBOMs).
If you just want to create BOMs for your Go projects, see cyclonedx-gomod.
GO111MODULE=on go get github.com/CycloneDX/cyclonedx-go
Please refer to the module's documentation.
Also, check out the examples to get an idea of how this library may be used.
| cyclonedx-go versions | Supported Go versions | Supported CycloneDX spec |
|---|---|---|
| < v0.4.0 | 1.14+ | 1.2 |
| == v0.4.0 | 1.14+ | 1.3 |
| >= v0.5.0 | 1.15+ | 1.3 |
We're aiming to support all officially supported Go versions, plus an additional older version.
This library will only support the latest version of the CycloneDX specification. While it's generally possible to read BOMs of an older spec, writing will exclusively produce BOMs conforming to the latest supported spec.
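A pre-flight check that follows from the compatibility rule above, as an added example that is not part of cyclonedx-go or its README: using only the Go standard library, it reads the `bomFormat` and `specVersion` fields of a JSON BOM and reports whether re-encoding it would change its spec version. `supportedSpec`, `parseSpec` and `classifySpec` are hypothetical names, the value 1.3 is taken from the table above, and the sample BOM is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const supportedSpec = "1.3" // assumption: the spec listed above for >= v0.5.0

// parseSpec reads "major.minor" as integers so that 1.10 sorts after 1.9.
func parseSpec(v string) (maj, mi int, err error) {
	n, _ := fmt.Sscanf(v, "%d.%d", &maj, &mi)
	if n != 2 || maj < 0 || mi < 0 || fmt.Sprintf("%d.%d", maj, mi) != v {
		return 0, 0, fmt.Errorf("malformed specVersion %q", v)
	}
	return maj, mi, nil
}

// classifySpec reports how a JSON BOM relates to supportedSpec: "same", "older"
// (readable, but re-encoding emits the latest spec) or "newer" (not covered).
func classifySpec(bomJSON []byte) (string, error) {
	var h struct {
		BOMFormat   string `json:"bomFormat"`
		SpecVersion string `json:"specVersion"`
	}
	if err := json.Unmarshal(bomJSON, &h); err != nil {
		return "", fmt.Errorf("not valid JSON: %w", err)
	}
	if h.BOMFormat != "CycloneDX" {
		return "", fmt.Errorf("bomFormat is %q, not CycloneDX", h.BOMFormat)
	}
	maj, mi, err := parseSpec(h.SpecVersion)
	if err != nil {
		return "", err
	}
	wantMaj, wantMi, _ := parseSpec(supportedSpec)
	switch {
	case maj == wantMaj && mi == wantMi:
		return "same", nil
	case maj < wantMaj || (maj == wantMaj && mi < wantMi):
		return "older", nil
	}
	return "newer", nil
}

func main() {
	// Constructed sample input, not a real BOM.
	fmt.Println(classifySpec([]byte(`{"bomFormat":"CycloneDX","specVersion":"1.2","version":1}`)))
}
```

An "older" result is the case to record in a pipeline that stores re-encoded BOMs, since the stored document will no longer carry the spec version of the one that was received.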
CycloneDX Go is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.
Pull requests are welcome. But please read the CycloneDX contributing guidelines first.
It is generally expected that pull requests will include relevant tests. Tests are automatically run against all supported Go versions (see Compatibility) for every pull request.
Some tests make use of the CycloneDX CLI, e.g. to validate BOMs.
Make sure to download the CLI binary and make it available as cyclonedx in your $PATH.
See also Setup CycloneDX CLI in the workflow.