/cyclonedx-go

Go library to consume and produce CycloneDX Software Bill of Materials (SBOM)

Primary LanguageGoApache License 2.0Apache-2.0

cyclonedx-go

Build Status Go Report Card Go Reference License
Website Slack Invite Group Discussion Twitter

cyclonedx-go is a Go library to consume and produce CycloneDX Software Bill of Materials (SBOM)

If you just want to create BOMs for your Go projects, see cyclonedx-gomod

Installation

go get github.com/CycloneDX/cyclonedx-go

Usage

Please refer to the module's documentation.
Also, checkout the examples to get an idea of how this library may be used.

Compatibility

cyclonedx-go versions Supported Go versions Supported CycloneDX spec
< v0.4.0 1.14+ 1.2
== v0.4.0 1.14+ 1.3
>= v0.5.0, < v0.7.0 1.15+ 1.4
>= v0.7.0, < v0.8.0 1.17+ 1.0-1.4
== v0.8.0 1.18+ 1.0-1.5
>= v0.9.0 1.20+ 1.0-1.6

We're aiming to support all officially supported Go versions, plus an additional older version.

Prior to v0.7.0, this library only supported the latest version of the CycloneDX specification. While it is generally possible to read BOMs of an older spec, writing would exclusively produce BOMs conforming to the latest supported spec.

Starting with v0.7.0, writing BOMs conforming to all previous version of the spec is also possible.

Copyright & License

CycloneDX Go is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

Contributing

Open in Gitpod

Pull requests are welcome. But please read the CycloneDX contributing guidelines first.

It is generally expected that pull requests will include relevant tests. Tests are automatically run against all supported Go versions (see Compatibility) for every pull request.