The CycloneDX module for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.
This module runs on .NET Core 2.1 and .NET Core 3.1.
CycloneDX for .NET is distributed via NuGet and Docker Hub.
dotnet tool install --global CycloneDXIf you already have a previous version of CycloneDX installed, you can upgrade to the latest version using the following command:
dotnet tool update --global CycloneDXdotnet CycloneDX <path> -o <OUTPUT_DIRECTORY>docker run cyclonedx/cyclonedx-dotnet [OPTIONS] <path>Usage: dotnet CycloneDX [options] <path>
Arguments:
path The path to a .sln, .csproj, .vbproj, or packages.config file or the path to a directory which will be recursively analyzed for packages.config files
Options:
-o|--out <OUTPUT_DIRECTORY> The directory to write the BOM
-j|--json Produce a JSON BOM instead of XML
-d|--exclude-dev Exclude development dependencies from the BOM
-u|--url <BASE_URL> Alternative NuGet repository URL to v3-flatcontainer API (a trailing slash is required)
-r|--recursive To be used with a single project file, it will recursively scan project references of the supplied .csproj
-ns|--no-serial-number Optionally omit the serial number from the resulting BOM
-gu|--github-username <GITHUB_USERNAME> Optionally provide a GitHub username for license resolution. If set you also need to provide a GitHub personal access token
-gt|--github-token <GITHUB_TOKEN> Optionally provide a GitHub personal access token for license resolution. If set you also need to provide a GitHub username
-gbt|--github-bearer-token <GITHUB_BEARER_TOKEN> Optionally provide a GitHub bearer token for license resolution. This is useful in GitHub actions
-dgl|--disable-github-licenses Optionally disable GitHub license resolution
-?|-h|--help Show help information
To run the CycloneDX tool you need to specify a solution or project file. In case you pass a solution, the tool will aggregate all the projects.
The following will create a BOM from a solution and all projects defined within:
dotnet CycloneDX YourSolution.sln -o /output/pathThe following will recursively scan the directory structure for packages.config and create a BOM:
dotnet CycloneDX /path/to/project -o /output/pathThe following will recursively scan the project references of the supplied .csproj file, and create a BOM of all package references from all included projects:
dotnet CycloneDX /path/to/project/MyProject.csproj -o /output/path -rSPDX license IDs can be resolved for packages that reference a supported license file in a GitHub repository.
The GitHub license API has an unauthenticated call limit of 60 calls per hour. To ensure consistent output if a rate limit is exceeded BOM generation will fail. If you start hitting rate limits you will need to generate a personal access token and provide this, and your username, when running CycloneDX.
To generate a token go to
Personal access tokens under
Settings / Developer setings. From there select the option to
Generate new token. No special token
permissions are required.
Due to current limitations in the GitHub API licenses will only be resolved for master branch license references.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.
Pull requests are welcome. But please read the CycloneDX contributing guidelines first.
To build and test the solution locally you should have .NET core 2.1 and 3.1
installed. Standard commands like dotnet build and dotnet test work.
It is generally expected that pull requests will include relevant tests. Tests are automatically run on Windows, MacOS and Linux for every pull request. And build warnings will break the build.
If you are having trouble debugging a test that is failing for a platform you don't have access to please us know.