The cve-bin-tool can be used to generate a software bill of materials (SBOM) file, which is a file that contains a list of all components detected by the scan in a standardized format.
The cve-bin-tool generates SBOMs in the following formats
| SBOM Type | Format | Filename extension |
|---|---|---|
| SPDX | TagValue | .spdx |
| SPDX | JSON | .spdx.json |
| SPDX | YAML | .spdx.yaml |
| SPDX | YAML | .spdx.yml |
| CycloneDX | JSON | .json |
Details of the formats for each of the supported SBOM formats are available for SPDX and CycloneDX
To generate a SBOM, run the tool as shown. See the examples below for details about optional arguments and default values used.
cve-bin-tool --sbom-type <sbom type> --sbom-format <sbom format> --sbom-output <sbom filename>
Generate a SPDX SBOM in TagValue format with the name sbom.spdx
cve-bin-tool --sbom-type spdx --sbom-format tag --sbom-output sbom.spdx .
If the --sbom-type option is omitted, a SBOM is generated in the SPDX type. If the --sbom-format option is omitted, the format is inferred from the extension of the --sbom-output filename. The above and below examples are equivalent.
cve-bin-tool --sbom-output sbom.spdx
Generate a SPDX SBOM in YAML format with the name sbom.yml
cve-bin-tool --sbom-type spdx --sbom-format yaml --sbom-output sbom.yml
Generate a CycloneDX SBOM in JSON format with the name sbom.json. Note that CycloneDX SBOMs are only generated in JSON, so the --sbom-format option is unnecessary.
cve-bin-tool --sbom-type cyclonedx --sbom-output sbom.json