cyclonedx-go is a Go library to consume and produce CycloneDX Software Bills of Materials (SBOMs).
If you just want to create BOMs for your Go projects, see cyclonedx-gomod.
```shell
go get github.com/CycloneDX/cyclonedx-go
```
Please refer to the module's documentation.
Also, check out the examples to get an idea of how this library may be used.
| cyclonedx-go versions | Supported Go versions | Supported CycloneDX spec |
|---|---|---|
| < v0.4.0 | 1.14+ | 1.2 |
| == v0.4.0 | 1.14+ | 1.3 |
| >= v0.5.0, < v0.7.0 | 1.15+ | 1.4 |
| >= v0.7.0 | 1.17+ | 1.0-1.4 |
We're aiming to support all officially supported Go versions, plus an additional older version.
Prior to v0.7.0, this library only supported the latest version of the CycloneDX specification. Reading BOMs of an older spec version generally worked, but writing always produced BOMs conforming to the latest supported spec.
Starting with v0.7.0, BOMs can also be written conforming to any earlier version of the spec (see the compatibility table above).
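As an added illustration of what writing for an older spec version means in practice (example code written for this page, not cyclonedx-go's own API or types): a hand-rolled subset of the CycloneDX JSON model with an encoder that drops the BOM-level `vulnerabilities` array, which only exists from spec 1.4, when an older target version is requested, and a decoder that rejects input that is not CycloneDX. The struct types, the sample BOM, its PURL and the placeholder vulnerability id are all constructed here; cyclonedx-go's real model is far richer and its encoder handles every version-gated field for you.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"os"
)

// Hand-rolled subset of the CycloneDX JSON model, constructed for this
// example. These are NOT the cyclonedx-go types; field names follow the spec.
type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	PURL    string `json:"purl,omitempty"`
}

type Metadata struct {
	Component *Component `json:"component,omitempty"`
}

type Vulnerability struct {
	ID string `json:"id"`
}

type BOM struct {
	BOMFormat       string           `json:"bomFormat"`
	SpecVersion     string           `json:"specVersion"`
	SerialNumber    string           `json:"serialNumber,omitempty"`
	Version         int              `json:"version"`
	Metadata        *Metadata        `json:"metadata,omitempty"`
	Components      *[]Component     `json:"components,omitempty"`
	Vulnerabilities *[]Vulnerability `json:"vulnerabilities,omitempty"` // spec 1.4+
}

// newSerialNumber returns the urn:uuid identifier the spec expects for
// serialNumber, built from 16 random bytes laid out as a version-4 UUID.
func newSerialNumber() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("urn:uuid:%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
}

// EncodeVersion serialises bom as JSON targeting the given spec version.
// The BOM-level vulnerabilities array was introduced in 1.4, so for an older
// target it is dropped instead of emitting a document that would fail
// validation against that schema. The input BOM is not mutated.
func EncodeVersion(bom BOM, spec string) ([]byte, error) {
	switch spec {
	case "1.2", "1.3", "1.4":
	default:
		return nil, fmt.Errorf("unsupported spec version %q", spec)
	}
	out := bom // copy; only pointer fields are reassigned below
	out.SpecVersion = spec
	if spec != "1.4" {
		out.Vulnerabilities = nil
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetIndent("", "  ")
	if err := enc.Encode(out); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Decode parses a JSON BOM and rejects input that does not claim to be CycloneDX.
func Decode(data []byte) (BOM, error) {
	var bom BOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return BOM{}, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return BOM{}, fmt.Errorf("not a CycloneDX BOM: bomFormat=%q", bom.BOMFormat)
	}
	return bom, nil
}

// sampleBOM builds a constructed BOM describing one Go module, with a
// placeholder vulnerability entry (the id is made up for this example).
func sampleBOM() BOM {
	serial, err := newSerialNumber()
	if err != nil {
		panic(err)
	}
	return BOM{
		BOMFormat:    "CycloneDX",
		SpecVersion:  "1.4",
		SerialNumber: serial,
		Version:      1,
		Metadata:     &Metadata{Component: &Component{Type: "application", Name: "example-app"}},
		Components: &[]Component{{
			Type: "library", Name: "github.com/CycloneDX/cyclonedx-go", Version: "v0.7.0",
			PURL: "pkg:golang/github.com/CycloneDX/cyclonedx-go@v0.7.0",
		}},
		Vulnerabilities: &[]Vulnerability{{ID: "EXAMPLE-0001"}},
	}
}

func main() {
	bom := sampleBOM()
	for _, spec := range []string{"1.4", "1.3"} {
		out, err := EncodeVersion(bom, spec)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		os.Stdout.Write(out)
	}
}
```

Running it prints the same BOM twice: the 1.4 document carries the `vulnerabilities` array, the 1.3 document does not, and everything else (serialNumber, metadata, components with PURLs) is identical. That is the check worth keeping in mind when you downgrade with the real library: confirm that the fields your consumers rely on survive the target version, because anything the older schema cannot express is necessarily lost.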
CycloneDX Go is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.
Pull requests are welcome. But please read the CycloneDX contributing guidelines first.
It is generally expected that pull requests will include relevant tests. Tests are automatically run against all supported Go versions (see Compatibility) for every pull request.
Some tests make use of the CycloneDX CLI, e.g. to validate BOMs.
Make sure to download the CLI binary and make it available as `cyclonedx` in your `$PATH`.
This is done automatically for Gitpod.