Lib.rs

Encoding
#supply-chain-security #sbom #bom #component #json-xml #owasp #dependencies

cyclonedx-bom

CycloneDX Software Bill of Materials Library

by Amy Keibler, Steve Springett, Sergey "Shnatsel" Davidoff, Lars Francke, Jeffry Hesse, Sebastian Ziebell, Christian Poveda Ruiz and 22 contributors. Co-owned by cdx-automation.

18 releases (7 breaking)

new 0.8.0 Nov 7, 2024
0.6.2 Jul 16, 2024
0.5.0 Feb 21, 2024
0.4.3 Nov 13, 2023
0.1.0 Apr 11, 2020

#92 in Encoding

Download history 2610/week @ 2024-07-18 2038/week @ 2024-07-25 2082/week @ 2024-08-01 1967/week @ 2024-08-08 3343/week @ 2024-08-15 2145/week @ 2024-08-22 1939/week @ 2024-08-29 2834/week @ 2024-09-05 2106/week @ 2024-09-12 2197/week @ 2024-09-19 2353/week @ 2024-09-26 2348/week @ 2024-10-03 2032/week @ 2024-10-10 3195/week @ 2024-10-17 2585/week @ 2024-10-24 2745/week @ 2024-10-31

10,983 downloads per month
Used in 7 crates (6 directly)

Apache-2.0

1.5MB
31K SLoC

Build Status Crates.io License Website Slack Invite Group Discussion Twitter

cyclonedx-bom

The CycloneDX library provides JSON and XML serialization and deserialization of Software Bill-of-Materials (SBOM) files.

CycloneDX is a full-stack SBOM/xBOM standard designed for use in application security contexts and supply chain component analysis.

The library is intended to enable developers to:

  • Construct SBOM documents that conform the CycloneDX specification
  • Parse and validate JSON and XML SBOM documents
  • Perform modifications to BOM documents (e.g. merging multiple BOMs using a variety of algorithms)

Supported CycloneDX versions

This library currently supports CycloneDX 1.3, 1.4 and 1.5.

Usage

Read and validate an SBOM

use cyclonedx_bom::prelude::*;

let bom_json = r#"{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1
}"#;
let bom = Bom::parse_from_json_v1_5(bom_json.as_bytes()).expect("Failed to parse BOM");

let validation_result = bom.validate();
assert!(validation_result.passed());

Create and output an SBOM

use cyclonedx_bom::prelude::*;
use cyclonedx_bom::models::{
    tool::{Tool, Tools},
};

let bom = Bom {
    serial_number: Some(
        UrnUuid::new("urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79".to_string())
            .expect("Failed to create UrnUuid"),
    ),
    metadata: Some(Metadata {
        tools: Some(Tools::List(vec![Tool {
            name: Some(NormalizedString::new("my_tool")),
            ..Tool::default()
        }])),
        ..Metadata::default()
    }),
    ..Bom::default()
};

let mut output = Vec::<u8>::new();

bom.output_as_json_v1_5(&mut output)
    .expect("Failed to write BOM");
let output = String::from_utf8(output).expect("Failed to read output as a string");
assert_eq!(
    output,
    r#"{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "metadata": {
    "tools": [
      {
        "name": "my_tool"
      }
    ]
  }
}"#
);

Verification and Validation

See README for details.

Contributing

See CONTRIBUTING for details.

Bug Bounty

We are running a Bug Bounty program financed by the Bug Resilience Program of the Sovereign Tech Fund. Thank you very much!

Copyright & License

CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Dependencies

~6.5–9MB
~152K SLoC