There are multiple ways to generate a CycloneDX software bill of materials, but as a general rule, we recommend doing so during the build process. This is because running an SBOM report right after the completion of your build will produce the most accurate inventory of dependencies possible.
With FOSSA, you can easily generate a CycloneDX SBOM in either JSON or XML formats. Here’s how it works.
If you aren’t a current FOSSA user:
: Start by creating your free FOSSA account
: Then, navigate to Projects > Add Project to import your first project. (You can integrate locally with our CLI or import code from a VCS like GitHub.)
Once you’ve imported your first project:
: Log into your account, and click on the “Projects” button in the header menu
: Click on the Project that you’d like your SBOM to describe
: Select the “Generate a Compliance Report” button from the “Actions” menu (on the right side of your screen)
: Select your SBOM export format (FOSSA supports SPDX, Plain Text, CSV, Markdown, PDF, and HTML in addition to CycloneDX)
: Decide which elements to include in your report — you can do this by checking (or unchecking) boxes in the “Customize Report Information” menu.
: Click on “Edit Dependency Info” (in the Customize Report Information” menu to decide which dependency metadata (e.g. author, package manager, file path, etc) to include in your SBOM
: Generate your report — either download a copy to distribute yourself, or create a public link for your file
FOSSA also supports the import of third-party CycloneDX SBOMs. You can use this feature to understand the composition of third-party software, including any security or license compliance risks it might pose. SBOM import is available only for users with a paid FOSSA account. For information about signing up for a paid account, please reach out to our team