
CycloneDX SBOM

CycloneDX

Creates software bills of materials (SBOM) in the CycloneDX format.

Description

A Reporter that creates software bills of materials (SBOM) in the CycloneDX format. For each Project contained in the ORT result a separate SBOM is created.

Configuration

Example

Use the following syntax to configure this plugin globally as part of config.yml:

ort:
  reporter:
    reporters:
      CycloneDX:
        options:
          schemaVersion: 1.6
          dataLicense: "CC0-1.0"
          singleBom: true
          singleBomComponentName: ""
          singleBomComponentType: APPLICATION
          outputFileFormats: JSON

Options

schemaVersion

Type: ENUM (has a default value)

Alias: schema.version

Possible values: 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6

The CycloneDX schema version to use. Defaults to "1.6".

dataLicense

Type: STRING (has a default value)

Alias: data.license

The license for the data contained in the report. Defaults to "CC0-1.0".

singleBom

Type: BOOLEAN (has a default value)

Alias: single.bom

If true (the default), a single SBOM for all projects is created; if set to false, separate SBOMs are created for each project.

singleBomComponentName

Type: STRING (has a default value)

Allows overriding the component name in the metadata of the generated report in [singleBom] mode. By default, the name is derived from a single top-level project (if any) or falls back to the VCS URL. Using this property, an arbitrary name can be set.

singleBomComponentType

Type: ENUM (has a default value)

Possible values: APPLICATION, FRAMEWORK, LIBRARY, CONTAINER, PLATFORM, OPERATING_SYSTEM, DEVICE, DEVICE_DRIVER, FIRMWARE, FILE, MACHINE_LEARNING_MODEL, DATA, CRYPTOGRAPHIC_ASSET

Allows specifying the component type in the metadata of the generated report in [singleBom] mode.

outputFileFormats

Type: ENUM_LIST (has a default value)

Alias: output.file.formats

Possible values: XML, JSON

A comma-separated list of (case-insensitive) output formats to export to. The supported formats are XML and JSON.
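As an added example (not part of the ORT documentation and not the reporter's own code), the following Python script checks a generated CycloneDX JSON SBOM against the option values configured above: specVersion against schemaVersion, the metadata license against dataLicense, and the metadata component name and type against the singleBomComponentName and singleBomComponentType options. It also parses an outputFileFormats value the way the option text describes (comma-separated, case-insensitive) and flags components that lack a purl or license data, since those are what downstream vulnerability and license checks match on. The SBOM document is a constructed fixture, and the field mapping (dataLicense written to metadata.licenses, singleBomComponentType to metadata.component.type in CycloneDX's lowercase hyphenated spelling) is an assumption about how the reporter fills the standard CycloneDX fields.

```python
import json
from typing import Any

# Constructed fixture: a CycloneDX 1.6 JSON document shaped like the single
# BOM the configuration above asks for. Hand-written for this example, not
# real ORT output.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "licenses": [{"license": {"id": "CC0-1.0"}}],
    "component": {"type": "application", "name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "mystery", "version": "0.1.0",
     "purl": "pkg:npm/mystery@0.1.0"}
  ]
}
"""

# Values taken from the reporter options documented on this page.
EXPECTED_FROM_CONFIG = {
    "schemaVersion": "1.6",
    "dataLicense": "CC0-1.0",
    "singleBomComponentName": "",  # empty: ORT derives the name, so it is not checked
    "singleBomComponentType": "APPLICATION",
}

SCHEMA_VERSIONS = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6"}
COMPONENT_TYPES = {
    "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "PLATFORM",
    "OPERATING_SYSTEM", "DEVICE", "DEVICE_DRIVER", "FIRMWARE", "FILE",
    "MACHINE_LEARNING_MODEL", "DATA", "CRYPTOGRAPHIC_ASSET",
}
OUTPUT_FORMATS = {"XML", "JSON"}


def parse_output_formats(value: str) -> list[str]:
    """Parse an outputFileFormats value: comma-separated and case-insensitive."""
    formats = [f.strip().upper() for f in value.split(",") if f.strip()]
    unsupported = [f for f in formats if f not in OUTPUT_FORMATS]
    if unsupported:
        raise ValueError(f"unsupported output formats: {unsupported}")
    return formats


def _license_ids(entries: list[dict[str, Any]]) -> set[str]:
    """Collect SPDX ids from a CycloneDX 'licenses' array (expressions are ignored)."""
    return {e["license"].get("id") for e in entries if "license" in e}


def load_sample() -> dict[str, Any]:
    """Parse the constructed fixture into a dict."""
    return json.loads(SAMPLE_SBOM)


def check_sbom(doc: dict[str, Any], expected: dict[str, str]) -> list[str]:
    """Compare an SBOM with the configured options and return a list of findings."""
    findings: list[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    spec = doc.get("specVersion")
    if spec not in SCHEMA_VERSIONS:
        findings.append(f"unknown specVersion {spec!r}")
    elif spec != expected["schemaVersion"]:
        findings.append(f"specVersion {spec} differs from configured {expected['schemaVersion']}")

    meta = doc.get("metadata", {})
    # Assumption: the reporter writes the dataLicense option into metadata.licenses.
    if expected["dataLicense"] not in _license_ids(meta.get("licenses", [])):
        findings.append(f"data license {expected['dataLicense']} missing from metadata.licenses")

    comp = meta.get("component", {})
    # CycloneDX JSON spells types lowercase with hyphens ("operating-system");
    # normalise to the option's enum spelling before comparing.
    ctype = str(comp.get("type", "")).replace("-", "_").upper()
    if ctype not in COMPONENT_TYPES:
        findings.append(f"metadata.component.type {comp.get('type')!r} is not a known type")
    elif ctype != expected["singleBomComponentType"]:
        findings.append(f"metadata.component.type is {ctype}, configured {expected['singleBomComponentType']}")
    if expected["singleBomComponentName"] and comp.get("name") != expected["singleBomComponentName"]:
        findings.append(f"metadata.component.name is {comp.get('name')!r}, configured {expected['singleBomComponentName']!r}")

    # Every component should be identifiable (purl) and carry license data;
    # otherwise downstream vulnerability and license checks have nothing to match.
    for c in doc.get("components", []):
        ref = c.get("purl") or f"{c.get('name')}@{c.get('version')}"
        if not c.get("purl"):
            findings.append(f"component {ref} has no purl")
        if not c.get("licenses"):
            findings.append(f"component {ref} has no license information")
    return findings


def check_sample() -> list[str]:
    """Run the checks on the constructed fixture against the documented defaults."""
    return check_sbom(load_sample(), EXPECTED_FROM_CONFIG)


if __name__ == "__main__":
    for finding in check_sample():
        print("finding:", finding)
```

Run against the fixture, the script reports a single finding (the `mystery` component carries no license information); changing the expected schemaVersion or setting a singleBomComponentName produces additional findings, which is how the same check would catch a reporter configuration that drifted from what a consumer of the SBOM expects.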