cyclonedx-gomod
cyclonedx-gomod creates CycloneDX Software Bill of Materials (SBOM) from Go modules
Installation
Prebuilt binaries are available on the releases page.
From Source
go install github.com/CycloneDX/cyclonedx-gomod@latest
Building from source requires Go 1.16 or newer.
Compatibility
cyclonedx-gomod will produce BOMs for the latest version of the CycloneDX specification
supported by cyclonedx-go.
You can use the CycloneDX CLI to convert between multiple
BOM formats or specification versions.
Usage
Usage of cyclonedx-gomod:
  -json
        Output in JSON format
  -module string
        Path to Go module (default ".")
  -noserial
        Omit serial number
  -novprefix
        Omit "v" version prefix
  -output string
        Output path (default "-")
  -serial string
        Serial number (default [random UUID])
  -std
        Include Go standard library as component and dependency of the module
  -type string
        Type of the main component (default "application")
  -version
        Show version
In order to be able to calculate hashes, all modules have to be present in Go's module cache.
Make sure to run go mod download before generating BOMs with cyclonedx-gomod.
Example
$ go mod tidy
$ go mod download
$ cyclonedx-gomod -output bom.xml -std
Check out the examples directory for examples of BOMs generated by cyclonedx-gomod.
Hashes
cyclonedx-gomod uses the same hashing algorithm Go uses for its module integrity checks.
vikyd/go-checksum does a great job of explaining what exactly that entails. In essence, the hash you see in a BOM
should be the same as in your go.sum file, just in a different format. This is because the CycloneDX specification
enforces hashes to be provided in hex encoding, while Go uses base64 encoded values.
To verify a hash found in a BOM, do the following:
- Hex decode the value
- Base64 encode the value
- Prefix the value with h1:
Given the hex encoded hash a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b, we'd end up with a
module checksum of h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=.
Now, query your checksum database for the expected checksum and compare the values.
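The conversion and comparison described above, written out in Go as an added example (this is not code from cyclonedx-gomod itself). It converts a BOM hash to the h1: form, converts back, and checks the result against a go.sum excerpt. The go.sum content, the module path example.com/placeholder/module and the version v1.2.3 are constructed placeholders; the hex value and the h1: checksum are the ones from the README example.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// BOMHashToGoSum converts the hex-encoded module hash found in a CycloneDX BOM
// into the "h1:" base64 form used by go.sum and the checksum database.
// The h1 scheme carries a SHA-256 digest, so exactly 32 bytes are expected.
func BOMHashToGoSum(hexHash string) (string, error) {
	raw, err := hex.DecodeString(strings.TrimSpace(hexHash))
	if err != nil {
		return "", fmt.Errorf("hex decode: %w", err)
	}
	if len(raw) != 32 {
		return "", fmt.Errorf("expected 32-byte digest, got %d bytes", len(raw))
	}
	return "h1:" + base64.StdEncoding.EncodeToString(raw), nil
}

// GoSumToBOMHash performs the reverse conversion, from "h1:<base64>" to hex,
// which is what you need when comparing a go.sum line against a BOM.
func GoSumToBOMHash(sum string) (string, error) {
	if !strings.HasPrefix(sum, "h1:") {
		return "", errors.New("unsupported checksum scheme, expected h1: prefix")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(sum, "h1:"))
	if err != nil {
		return "", fmt.Errorf("base64 decode: %w", err)
	}
	if len(raw) != 32 {
		return "", fmt.Errorf("expected 32-byte digest, got %d bytes", len(raw))
	}
	return hex.EncodeToString(raw), nil
}

// LookupGoSum returns the module checksum (not the separate "/go.mod" entry)
// recorded for module@version in go.sum-formatted text, or "" if absent.
// go.sum lines have the form: <module> <version> <checksum>
func LookupGoSum(goSum, module, version string) string {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 3 && fields[0] == module && fields[1] == version {
			return fields[2]
		}
	}
	return ""
}

// VerifyBOMHash converts a BOM hash to h1: form and compares it with the
// checksum recorded for module@version. A missing entry is an error rather
// than a mismatch, so the caller can tell the two cases apart.
func VerifyBOMHash(goSum, module, version, hexHash string) (bool, error) {
	want := LookupGoSum(goSum, module, version)
	if want == "" {
		return false, fmt.Errorf("no go.sum entry for %s@%s", module, version)
	}
	got, err := BOMHashToGoSum(hexHash)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

// sampleGoSum is a constructed go.sum excerpt. The module path and version are
// placeholders; the first checksum is the one from the README example, the
// "/go.mod" checksum is an all-zero placeholder.
const sampleGoSum = `example.com/placeholder/module v1.2.3 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
example.com/placeholder/module v1.2.3/go.mod h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
`

func main() {
	bomHash := "a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b"
	sum, err := BOMHashToGoSum(bomHash)
	if err != nil {
		panic(err)
	}
	fmt.Println("go.sum form:", sum)
	ok, err := VerifyBOMHash(sampleGoSum, "example.com/placeholder/module", "v1.2.3", bomHash)
	fmt.Println("matches go.sum:", ok, "err:", err)
}
```

In practice you would read the real go.sum of the module you generated the BOM from, or the checksum the checksum database returns, and pass that text to VerifyBOMHash in place of the constructed excerpt.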
License
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.
Contributing
Pull requests are welcome. But please read the
CycloneDX contributing guidelines first.
It is generally expected that pull requests will include relevant tests. Tests are automatically run against all
supported Go versions for every pull request.