The CycloneDX module for Go creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.
- Go >= 1.11
⚠️ It works for projects with the Modules feature enabled
go get github.com/ozonru/cyclonedx-go/cmd/cyclonedx-go
Navigate to the project directory and run cyclonedx-go. Internally it reads the output of the go list -json -m all command and prints the resulting BOM. You can specify a destination file for the result with the -o option.
$ cyclonedx-go
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:3bb55f5c-80ca-49d7-a68f-0180345a7208">
<components>
<component type="library">
<name>github.com/google/uuid</name>
<version>1.1.1</version>
<purl>pkg:golang/github.com/google/uuid@1.1.1</purl>
</component>
<component type="library">
<name>github.com/package-url/packageurl-go</name>
<version>0.1.0</version>
<purl>pkg:golang/github.com/package-url/packageurl-go@0.1.0</purl>
</component>
</components>
</bom>
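The conversion described above, as an added example in Go that is not the project's own code: it decodes the concatenated JSON objects that go list -json -m all prints and builds the component entries with their purls. The type and function names, the constructed sample input, and stripping the leading v from versions (to match the sample output) are assumptions.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Module holds the fields used from one `go list -json -m all` record.
type Module struct{ Path, Version string; Main bool }
type Component struct {
	Type    string `xml:"type,attr"`
	Name    string `xml:"name"`
	Version string `xml:"version"`
	PURL    string `xml:"purl"`
}
type BOM struct {
	XMLName    xml.Name    `xml:"http://cyclonedx.org/schema/bom/1.1 bom"`
	Version    int         `xml:"version,attr"`
	Components []Component `xml:"components>component"`
}

// BuildBOM decodes the stream of concatenated JSON objects into components.
func BuildBOM(r io.Reader) (*BOM, error) {
	bom := &BOM{Version: 1}
	for dec := json.NewDecoder(r); dec.More(); {
		var m Module
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if !m.Main { // the project's own module is not a dependency
			v := strings.TrimPrefix(m.Version, "v") // assumption: matches <version> in the sample output
			bom.Components = append(bom.Components, Component{"library", m.Path, v, "pkg:golang/" + m.Path + "@" + v})
		}
	}
	return bom, nil
}

func main() {
	// Constructed sample input in the shape `go list -json -m all` prints.
	in := `{"Path":"example.com/app","Main":true} {"Path":"github.com/google/uuid","Version":"v1.1.1"}`
	bom, err := BuildBOM(strings.NewReader(in))
	if err != nil {
		panic(err)
	}
	out, _ := xml.MarshalIndent(bom, "", "  ")
	fmt.Println(xml.Header + string(out))
}
```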
Permission to modify and redistribute is granted under the terms of the GPL-3 license.