10 releases

0.4.0 Oct 27, 2022
0.3.5 Sep 15, 2022
0.3.2 Aug 3, 2022
0.3.0 Nov 29, 2021
0.1.0 Apr 11, 2020

#75 in Cargo plugins


548 downloads per month
Used in 2 crates

Apache-2.0

520KB
12K SLoC


cyclonedx-bom

The CycloneDX library provides JSON and XML serialization and deserialization of Software Bill-of-Materials (SBOM) files.

CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.

The library is intended to enable developers to:

  • Construct SBOM documents that conform to the CycloneDX specification
  • Parse and validate JSON and XML SBOM documents
  • Perform modifications to BOM documents (e.g. merging multiple BOMs using a variety of algorithms)

Usage

Read and validate an SBOM

use cyclonedx_bom::prelude::*;

let bom_json = r#"{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1
}"#;
let bom = Bom::parse_from_json_v1_3(bom_json.as_bytes()).expect("Failed to parse BOM");

let validation_result = bom.validate().expect("Failed to validate BOM");
assert_eq!(validation_result, ValidationResult::Passed);

Create and output an SBOM

use cyclonedx_bom::prelude::*;
use cyclonedx_bom::models::{
    tool::{Tool, Tools},
};

let bom = Bom {
    serial_number: Some(
        UrnUuid::new("urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79".to_string())
            .expect("Failed to create UrnUuid"),
    ),
    metadata: Some(Metadata {
        tools: Some(Tools(vec![Tool {
            name: Some(NormalizedString::new("my_tool")),
            ..Tool::default()
        }])),
        ..Metadata::default()
    }),
    ..Bom::default()
};

let mut output = Vec::<u8>::new();

bom.output_as_json_v1_3(&mut output)
    .expect("Failed to write BOM");
let output = String::from_utf8(output).expect("Failed to read output as a string");
assert_eq!(
    output,
    r#"{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "version": 1,
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "metadata": {
    "tools": [
      {
        "name": "my_tool"
      }
    ]
  }
}"#
);
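Both snippets above rely on the crate rejecting a malformed serialNumber (the `UrnUuid::new(...).expect(...)` call and the `validate()` step). The following is an added, dependency-free illustration of that check written for this page, not the crate's own `UrnUuid` code: it applies the CycloneDX JSON schema pattern for serialNumber (`urn:uuid:` followed by a lowercase-hex, hyphenated UUID) and reports which rule an input breaks. The error names and the malformed sample values are constructed for the example.

```rust
/// Ways a CycloneDX serialNumber can fail the schema pattern
/// `^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`.
/// Illustrative type for this example; the crate reports its own error kinds.
#[derive(Debug, PartialEq)]
pub enum SerialNumberError {
    MissingPrefix,
    WrongLength(usize),
    HyphenExpected(usize),
    NotLowercaseHex(usize, char),
}

/// Validate a serialNumber string against the schema pattern.
pub fn validate_serial_number(serial: &str) -> Result<(), SerialNumberError> {
    const PREFIX: &str = "urn:uuid:";
    let uuid = serial
        .strip_prefix(PREFIX)
        .ok_or(SerialNumberError::MissingPrefix)?;
    // A canonical UUID is 32 hex digits plus 4 hyphens.
    let len = uuid.chars().count();
    if len != 36 {
        return Err(SerialNumberError::WrongLength(len));
    }
    for (i, c) in uuid.chars().enumerate() {
        let hyphen_slot = matches!(i, 8 | 13 | 18 | 23);
        match (hyphen_slot, c) {
            (true, '-') => {}
            (true, _) => return Err(SerialNumberError::HyphenExpected(i)),
            // The schema pattern admits lowercase hex digits only.
            (false, '0'..='9' | 'a'..='f') => {}
            (false, other) => return Err(SerialNumberError::NotLowercaseHex(i, other)),
        }
    }
    Ok(())
}

fn main() {
    // Serial number taken from the README examples above.
    let good = "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79";
    println!("{good}: {:?}", validate_serial_number(good));
    // Constructed malformed inputs: uppercase hex digit, missing prefix.
    let bad = [
        "urn:uuid:3E671687-395b-41f5-a30f-a58921a69b79",
        "3e671687-395b-41f5-a30f-a58921a69b79",
    ];
    for s in bad {
        println!("{s}: {:?}", validate_serial_number(s));
    }
}
```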

CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Dependencies

~6MB
~115K SLoC