11 releases

0.4.1 Nov 23, 2023
0.4.0 Nov 13, 2023
0.3.8 Jun 28, 2023
0.3.7 Sep 15, 2022
0.3.1 Dec 9, 2021

#69 in Cargo plugins

Download history 107/week @ 2023-08-16 112/week @ 2023-08-23 85/week @ 2023-08-30 88/week @ 2023-09-06 50/week @ 2023-09-13 114/week @ 2023-09-20 90/week @ 2023-09-27 124/week @ 2023-10-04 145/week @ 2023-10-11 129/week @ 2023-10-18 164/week @ 2023-10-25 136/week @ 2023-11-01 222/week @ 2023-11-08 141/week @ 2023-11-15 216/week @ 2023-11-22 200/week @ 2023-11-29

805 downloads per month


14K SLoC

Build Status Crates.io License Website Slack Invite Group Discussion Twitter


The CycloneDX plugin for cargo creates a custom cargo subcommand that generates a Software Bill-of-Materials (SBOM) file that describes the cargo project.

CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.



cargo install cargo-cyclonedx

Executing from cargo

cargo cyclonedx

This produces a bom.xml file adjacent to every Cargo.toml file that exists in the workspace.

Command-line options

      --manifest-path <PATH>
          Path to Cargo.toml

  -f, --format <FORMAT>
          Output BOM format: json, xml

  -v, --verbose...
          Use verbose output (-vv very verbose/build.rs output)

  -q, --quiet
          No output printed to stdout

          Activate all available features

          Do not activate the `default` feature

  -F, --features <FEATURES>
          Space or comma separated list of features to activate

      --target <TARGET>
          The target to generate the SBOM for, e.g. 'x86_64-unknown-linux-gnu'.
          Use 'all' to include dependencies for all possible targets.
          Defaults to the host target, as printed by 'rustc -vV'

          Include the target platform of the BOM in the filename. Implies --output-cdx

  -a, --all
          List all dependencies instead of only top-level ones (default)

          List only top-level dependencies

          Prepend file extension with .cdx

      --output-pattern <PATTERN>
          Prefix patterns to use for the filename: bom, package

      --output-prefix <FILENAME_PREFIX>
          Custom prefix string to use for the filename

          Reject the deprecated '/' separator for licenses, treating 'MIT/Apache-2.0' as an error

      --license-accept-named <LICENSE_ACCEPT_NAMED>
          Add license names which will not be warned about when parsing them as a SPDX expression fails

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.


~245K SLoC