SBOM Generator
Create a comprehensive Software Bill of Materials listing every dependency, its version, license, and known vulnerabilities. Supports CycloneDX and SPDX formats required by regulatory frameworks (FDA, EU Cyber Resilience Act, NIST SSDF).
Use when: "generate SBOM", "software bill of materials", "list all dependencies", "license audit", "supply chain inventory", "compliance report", "CycloneDX", "SPDX", or during security/compliance audits.
Commands
1. generate — Generate Full SBOM
Scan the project and produce a complete dependency inventory.
Step 1: Detect Package Managers
echo "=== Package Manager Detection ==="
MANAGERS=""
# Node.js
[ -f "package-lock.json" ] && MANAGERS="$MANAGERS npm" && echo "✅ npm (package-lock.json)"
[ -f "yarn.lock" ] && MANAGERS="$MANAGERS yarn" && echo "✅ Yarn (yarn.lock)"
[ -f "pnpm-lock.yaml" ] && MANAGERS="$MANAGERS pnpm" && echo "✅ pnpm (pnpm-lock.yaml)"
# Python
[ -f "requirements.txt" ] && MANAGERS="$MANAGERS pip" && echo "✅ pip (requirements.txt)"
[ -f "Pipfile.lock" ] && MANAGERS="$MANAGERS pipenv" && echo "✅ Pipenv (Pipfile.lock)"
[ -f "poetry.lock" ] && MANAGERS="$MANAGERS poetry" && echo "✅ Poetry (poetry.lock)"
[ -f "pdm.lock" ] && MANAGERS="$MANAGERS pdm" && echo "✅ PDM (pdm.lock)"
# Go
[ -f "go.sum" ] && MANAGERS="$MANAGERS go" && echo "✅ Go (go.sum)"
# Rust
[ -f "Cargo.lock" ] && MANAGERS="$MANAGERS cargo" && echo "✅ Cargo (Cargo.lock)"
# Ruby
[ -f "Gemfile.lock" ] && MANAGERS="$MANAGERS bundler" && echo "✅ Bundler (Gemfile.lock)"
# PHP
[ -f "composer.lock" ] && MANAGERS="$MANAGERS composer" && echo "✅ Composer (composer.lock)"
# Java
[ -f "pom.xml" ] && MANAGERS="$MANAGERS maven" && echo "✅ Maven (pom.xml)"
[ -f "build.gradle" ] || [ -f "build.gradle.kts" ] && MANAGERS="$MANAGERS gradle" && echo "✅ Gradle"
# .NET
find . -name "*.csproj" -maxdepth 3 2>/dev/null | head -1 | grep -q . && MANAGERS="$MANAGERS nuget" && echo "✅ NuGet (.csproj)"
echo ""
echo "Package managers found: $(echo $MANAGERS | wc -w)"
Step 2: Extract Dependencies
echo ""
echo "=== Dependency Extraction ==="
# npm/Node.js
if [ -f "package-lock.json" ]; then
echo "--- npm Dependencies ---"
python3 -c "
import json
lock = json.load(open('package-lock.json'))
packages = lock.get('packages', {})
count = 0
for name, info in sorted(packages.items()):
if not name or name == '': continue
clean_name = name.replace('node_modules/', '')
version = info.get('version', '?')
license = info.get('license', 'UNKNOWN')
resolved = info.get('resolved', '')
dev = info.get('dev', False)
print(f'{clean_name}|{version}|{license}|{\"dev\" if dev else \"prod\"}')
count += 1
print(f'Total npm packages: {count}', file=__import__('sys').stderr)
" 2>/dev/null | head -50
fi
# Python
if [ -f "requirements.txt" ]; then
echo "--- Python Dependencies ---"
python3 -c "
import re
with open('requirements.txt') as f:
for line in f:
line = line.strip()
if not line or line.startswith('#') or line.startswith('-'): continue
match = re.match(r'([a-zA-Z0-9_.-]+)\s*([=<>!~]+\s*\S+)?', line)
if match:
name = match.group(1)
version = match.group(2) or 'any'
print(f'{name}|{version.strip()}|UNKNOWN|prod')
" 2>/dev/null
fi
# Go
if [ -f "go.sum" ]; then
echo "--- Go Dependencies ---"
python3 -c "
import re
seen = set()
with open('go.sum') as f:
for line in f:
parts = line.strip().split()
if len(parts) >= 2:
name = parts[0]
version = parts[1].split('/')[0]
key = f'{name}@{version}'
if key not in seen:
seen.add(key)
print(f'{name}|{version}|UNKNOWN|prod')
" 2>/dev/null | head -50
fi
# Rust
if [ -f "Cargo.lock" ]; then
echo "--- Rust Dependencies ---"
python3 -c "
import re
with open('Cargo.lock') as f:
content = f.read()
for match in re.finditer(r'name = \"([^\"]+)\"\nversion = \"([^\"]+)\"', content):
print(f'{match.group(1)}|{match.group(2)}|UNKNOWN|prod')
" 2>/dev/null | head -50
fi
Step 3: License Detection
echo ""
echo "=== License Analysis ==="
# For npm: licenses are in package-lock.json and package.json
if [ -f "package-lock.json" ]; then
python3 -c "
import json
from collections import Counter
lock = json.load(open('package-lock.json'))
licenses = Counter()
unknown = []
for name, info in lock.get('packages', {}).items():
if not name: continue
lic = info.get('license', 'UNKNOWN')
if isinstance(lic, dict):
lic = lic.get('type', 'UNKNOWN')
licenses[lic] += 1
if lic == 'UNKNOWN':
unknown.append(name.replace('node_modules/', ''))
print('License Distribution:')
for lic, count in licenses.most_common():
print(f' {lic}: {count}')
if unknown:
print(f'\nUnknown licenses ({len(unknown)}):')
for pkg in unknown[:10]:
print(f' {pkg}')
# Flag copyleft licenses
copyleft = ['GPL-2.0', 'GPL-3.0', 'AGPL-3.0', 'LGPL-2.1', 'LGPL-3.0', 'MPL-2.0', 'EUPL-1.2', 'SSPL-1.0']
risky = {l: c for l, c in licenses.items() if any(l.startswith(cp) for cp in copyleft)}
if risky:
print('\n⚠️ Copyleft licenses detected (may restrict distribution):')
for lic, count in risky.items():
print(f' {lic}: {count}')
" 2>/dev/null
fi
Step 4: Vulnerability Check
echo ""
echo "=== Vulnerability Scan ==="
# npm audit
if [ -f "package-lock.json" ]; then
npm audit --json 2>/dev/null | python3 -c "
import json, sys
try:
d = json.load(sys.stdin)
vulns = d.get('metadata', {}).get('vulnerabilities', {})
total = sum(vulns.values())
print(f'npm vulnerabilities: {total}')
for severity in ['critical', 'high', 'moderate', 'low']:
count = vulns.get(severity, 0)
if count > 0:
icon = '❌' if severity in ['critical', 'high'] else '⚠️'
print(f' {icon} {severity}: {count}')
if total == 0:
print(' ✅ No known vulnerabilities')
except:
print(' Could not parse npm audit')
" 2>/dev/null
fi
# pip-audit
if [ -f "requirements.txt" ] && command -v pip-audit &>/dev/null; then
pip-audit -r requirements.txt 2>/dev/null | head -20
fi
# Go vuln check
if [ -f "go.sum" ] && command -v govulncheck &>/dev/null; then
govulncheck ./... 2>/dev/null | head -20
fi
2. cyclonedx — Generate CycloneDX SBOM
Output in CycloneDX 1.5 JSON format:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:<generated>",
"version": 1,
"metadata": {
"timestamp": "<ISO 8601>",
"tools": [{"name": "sbom-generator", "version": "1.0.0"}],
"component": {
"type": "application",
"name": "<project name>",
"version": "<project version>"
}
},
"components": [
{
"type": "library",
"name": "<package>",
"version": "<version>",
"purl": "pkg:npm/<package>@<version>",
"licenses": [{"license": {"id": "<SPDX ID>"}}],
"scope": "required"
}
]
}
3. spdx — Generate SPDX SBOM
Output in SPDX 2.3 JSON format.
4. licenses — License Compliance Report
Focus on license analysis only:
- Distribution by license type
- Copyleft detection (GPL, AGPL, SSPL)
- License compatibility matrix
- Unknown/missing licenses
- Recommendations for compliance
## License Compliance Report
### Summary
- Total packages: 247
- Permissive (MIT, Apache-2.0, BSD): 231 (93.5%)
- Copyleft (GPL, LGPL, MPL): 8 (3.2%)
- Unknown: 8 (3.2%)
### Action Required
1. ❌ 3 packages under GPL-3.0 — may require source disclosure
2. ⚠️ 8 packages with unknown licenses — verify manually
3. ✅ 231 packages are permissive — no restrictions
5. diff — SBOM Diff Between Versions
Compare two SBOMs to find what changed:
Added dependencies:
+ @tanstack/react-query 5.0.0 (MIT)
+ zod 3.22.0 (MIT)
Removed dependencies:
- react-query 3.39.0 (MIT)
- yup 1.2.0 (MIT)
Version changes:
~ react 18.2.0 → 18.3.0
~ typescript 5.2.0 → 5.3.0
License changes:
~ some-package: MIT → Apache-2.0
6. policy — Check Against License Policy
Define allowed/denied licenses in .sbom-policy.json:
{
"allowed": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD", "Unlicense", "CC0-1.0"],
"denied": ["GPL-3.0", "AGPL-3.0", "SSPL-1.0"],
"review_required": ["GPL-2.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EUPL-1.2"],
"allow_unknown": false
}
Exit codes:
- 0: All dependencies comply with policy
- 1: Denied license found
- 2: Unknown license and
allow_unknownis false
Output Formats
- text (default): Human-readable inventory
- json: CycloneDX 1.5 or SPDX 2.3 (specify with
--format cyclonedxor--format spdx) - csv: Spreadsheet-friendly
name,version,license,scope,purl - markdown: Report with tables for documentation
Compliance Standards
This skill helps with:
- EU Cyber Resilience Act (CRA): Requires SBOM for software products sold in EU
- US Executive Order 14028: Federal software procurement requires SBOM
- FDA: Medical device software must include SBOM
- NIST SSDF: Recommends SBOM generation as part of secure development
- PCI DSS 4.0: Software inventory requirements
Notes
- Extracts from lock files for accurate, reproducible results (not manifest files)
- License detection uses SPDX identifiers when available
- Vulnerability scanning requires network access (npm audit, pip-audit, govulncheck)
- For private registries, ensure authentication is configured
- PURL (Package URL) format follows the PURL spec for universal package identification
- Run in CI to generate SBOM on every release (commit to artifacts or registry)