This python application generates CycloneDX Software Bill of Materials (SBOM) containing all direct dependencies of a Buildroot generated project. It also supports projects that provide a comma-separated-values (.csv) file as a manifest of the software bill of materials. Thus an embedded project or any other project that has a CSV file containing the column information below, can be used with this project.
PACKAGE,VERSION,LICENSE,LICENSE FILES,SOURCE ARCHIVE,SOURCE SITE,DEPENDENCIES WITH LICENSES
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. Buildroot provides a build target named "legal-info" which produces a set of files including manifest.csv. The legal-info is a general "make" target for a Buildroot project. Additionally and optionally Buildroot supports a "make" target named "show-info" to produce CPE data for your build.
python >= 3.8
Install this from Python Package Index (PyPI) using your preferred Python package manager.
install via one of commands:
python -m pip install CycloneDX-Buildroot # install via pip
pipx install CycloneDX-Buildroot # install via pipx
poetry add CycloneDX-Buildroot # install via poetry
uv tool install CycloneDX-Buildroot # install via uv
# ... you get the hangCall via one of commands:
cyclonedx-buildroot # call script
python -m cyclonedx_buildroot # call python module CLI$ cyclonedx-buildroot --help
usage: cyclonedx-buildroot [-h] [-i INPUT_FILE] [-o OUTPUT_FILE] [-n PRODUCT_NAME] [-v PRODUCT_VERSION] [-m MANUFACTURER_NAME] [-c CPE_INPUT_FILE]
CycloneDX BOM Generator
options:
-h, --help show this help message and exit
-i INPUT_FILE comma separated value (csv) file of buildroot manifest data
-o OUTPUT_FILE SBOM output file name for json and xml
-n PRODUCT_NAME name of the product
-v PRODUCT_VERSION product version string
-m MANUFACTURER_NAME name of product manufacturer
-c CPE_INPUT_FILE cpe file from make show-infoBy default, manifest.csv will be read from the current working directory
and the resulting bom.json will also be created in the current working directory.
This can be overwritten as follows:
cyclonedx-buildroot -i <path>/manifest.csv -n "My Project" -v "1.2.3.4" -m "your manufacturing company name" -c cpe.jsonDiagram depicting where this project fits into the pipeline of secure development activities. Note that while the diagram depicts a linear sequence of activities, the entire sequence is typically cyclical. The end state of SBOM management receives the SBOM files for the product versions to properly manage the state of vulnerabilities over time.
The following table provides information on the version of this module, the CycloneDX schema version supported, as well as the output format options. Use the latest possible version of this module that is compatible with the CycloneDX version supported by the target system.
| Version | Schema Version | Format(s) |
|---|---|---|
| 2.x | CycloneDX v1.6 | XML/JSON |
| 1.x | CycloneDX v1.4 | XML/JSON |
This tool utilizes the CycloneDX Python library to generate the actual data structures, and serialize and validate them.
This tool does not expose any additional public API or symbols - all code is intended to be internal and might change without any notice during version upgrades.
However, the CLI is stable - you might call it programmatically, like so:
from sys import executable
from subprocess import run
run((executable, '-m', 'cyclonedx_buildroot', '--help'))CycloneDX Buildroot is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.