Modern applications rely on so much more than just open-source libraries. They often include:
- AI SDKs 🧠
- ML models 🤖
- 3rd party SaaS APIs ☁️
- Cryptographic algorithms 🔑
xbom builds a comprehensive bill of materials (BOM) for software dependencies that go
beyond third-party libraries, using semantic code analysis driven by simple YAML-based signatures.
✅ Beyond Manifests - xbom builds its inventory from actual evidence in your codebase (call sites and imports), not from what a manifest claims
✅ Extensible Signatures - add your own signatures on top of the community-maintained signature repository
✅ Robust Compliance - a single tool to meet your software supply chain compliance requirements
✅ Multi-ecosystem support - Java, Python, Go and more coming up!
```bash
# Installation on macOS & Linux
brew install safedep/tap/xbom
```

or download a pre-built binary.

```bash
# Generate BOM for your source code
xbom generate --dir /path/to/code --bom /path/to/bom.cdx.json
```

This will generate a CycloneDX v1.6 SBOM with the AI components detected in the code base.
Currently, xbom supports the following programming languages:
| Language | Status |
|---|---|
| Python | ✅ Active |
| Java | ✅ Active |
| Go | ✅ Active |
| Javascript | ✅ Active |
We generate BOMs as JSON files following the CycloneDX specification. For a quick overview, open the interactive HTML report linked in the console output.
xbom maintains community-driven signatures for popular SDKs, APIs and libraries under signatures/, following the file naming convention signatures/$vendor/$product/$service.yml. To add new signatures, refer to the contributing signatures guide.
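A generated BOM is only useful if something consumes it. The following is an added example (not part of xbom or this README) of post-processing the CycloneDX JSON: it rejects non-CycloneDX input, groups components by CycloneDX type, flattens the `evidence.occurrences` entries into file:line pointers a reviewer can jump to, and flags components that carry no evidence at all. The sample BOM is constructed here; the field names follow the CycloneDX 1.6 schema, but which component types and properties xbom actually populates is an assumption, so check a real output file before relying on specific values.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample standing in for an xbom-generated bom.cdx.json.
# Field names follow the CycloneDX 1.6 JSON schema (bomFormat, specVersion,
# components[].type, components[].evidence.occurrences[].location/line).
# Which component types and properties xbom really emits is an assumption.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "library", "name": "openai", "bom-ref": "pkg:pypi/openai",
            "evidence": {"occurrences": [
                {"location": "app/llm.py", "line": 3},
                {"location": "app/llm.py", "line": 41},
            ]},
        },
        {
            "type": "machine-learning-model", "name": "gpt-4o",
            "bom-ref": "model:openai/gpt-4o",
            "evidence": {"occurrences": [{"location": "app/llm.py", "line": 44}]},
        },
        {
            # Deliberately has no evidence block, to exercise the check below.
            "type": "cryptographic-asset", "name": "AES-256-GCM",
            "bom-ref": "crypto:aes-256-gcm",
        },
    ],
})

SUPPORTED_SPEC_VERSIONS = {"1.5", "1.6"}


def load_bom(text: str) -> dict:
    """Parse a CycloneDX JSON BOM and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX BOM: bomFormat={bom.get('bomFormat')!r}")
    if bom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        raise ValueError(f"unsupported specVersion {bom.get('specVersion')!r}")
    return bom


def components_by_type(bom: dict) -> Dict[str, List[str]]:
    """Group component names by CycloneDX component type."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for comp in bom.get("components", []):
        grouped[comp.get("type", "unknown")].append(comp["name"])
    return dict(grouped)


def occurrences(bom: dict) -> List[Tuple[str, str, int]]:
    """Flatten evidence into (component, file, line) so a reviewer can
    open the exact code the detection was based on."""
    out = []
    for comp in bom.get("components", []):
        for occ in comp.get("evidence", {}).get("occurrences", []):
            out.append((comp["name"], occ.get("location", "?"), occ.get("line", 0)))
    return sorted(out)


def components_without_evidence(bom: dict) -> List[str]:
    """Components with no code-level evidence. In an evidence-based BOM
    these deserve a second look before being trusted."""
    return [
        comp["name"]
        for comp in bom.get("components", [])
        if not comp.get("evidence", {}).get("occurrences")
    ]


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    for ctype, names in components_by_type(bom).items():
        print(f"{ctype}: {', '.join(names)}")
    for name, path, line in occurrences(bom):
        print(f"  {name} <- {path}:{line}")
    print("no evidence:", components_without_evidence(bom))
```

Run it against a real file by replacing `SAMPLE_BOM` with the contents of the `--bom` output path; the evidence-less check is the one worth wiring into CI, since an entry the tool cannot point to in source is exactly the kind of claim an evidence-based BOM is meant to avoid.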
Refer to CONTRIBUTING.md
xbom is currently limited to AI BOM generation. It uses static code analysis to identify AI products used in the code base. For a more comprehensive SBOM that also covers library dependencies, use vet.
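To make concrete what "semantic code analysis with YAML-based signatures" buys over a text search, here is an added example (my own illustration, not xbom's engine or signature schema) that does the same job for Python source: it parses the code with `ast`, resolves aliased imports and client variables back to the SDK class they came from, and matches fully qualified call paths against a list of signatures. The signature dicts stand in for the `signatures/$vendor/$product/$service.yml` files described above; their keys are an assumption and do not reproduce xbom's real YAML format. The scanned source is constructed for the example.

```python
import ast
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed signatures standing in for signatures/$vendor/$product/$service.yml.
# Assumption: these keys are illustrative only, not xbom's schema. Each entry
# lists fully qualified call paths that count as evidence of the service.
SIGNATURES = [
    {"vendor": "openai", "product": "openai", "service": "chat-completions",
     "calls": ["openai.OpenAI", "openai.OpenAI.chat.completions.create"]},
    {"vendor": "anthropic", "product": "anthropic", "service": "messages",
     "calls": ["anthropic.Anthropic", "anthropic.Anthropic.messages.create"]},
    {"vendor": "cohere", "product": "cohere", "service": "chat",
     "calls": ["cohere.Client.chat"]},
]

# Constructed sample source. The aliased import and the client stored in a
# variable are what a plain grep for "openai"/"anthropic" handles badly.
SAMPLE_SOURCE = """\
import os
from openai import OpenAI
import anthropic as ai

client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
resp = client.chat.completions.create(model="gpt-4o", messages=[])
ai_client = ai.Anthropic()
ai_client.messages.create(model="claude-3-5-sonnet", max_tokens=8, messages=[])
"""


def _parts(node: ast.AST) -> Optional[List[str]]:
    """Flatten a.b.c into ["a", "b", "c"]; None when the root is not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return parts[::-1]
    return None


def _resolve(parts: List[str], names: Dict[str, str]) -> str:
    """Replace the root identifier with whatever it is bound to."""
    root, rest = parts[0], parts[1:]
    return ".".join([names.get(root, root)] + rest)


def scan_source(source: str, signatures: List[dict]) -> List[dict]:
    tree = ast.parse(source)
    names: Dict[str, str] = {}

    # Pass 1a: imports bind local names to module paths (honouring "as").
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                names[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    # Pass 1b: variables assigned from a call inherit the callee's path,
    # so `client = OpenAI()` makes `client` mean openai.OpenAI.
    # Flow-insensitive: the last binding wins, which is enough for a demo.
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            parts = _parts(node.value.func)
            if parts:
                origin = _resolve(parts, names)
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        names[target.id] = origin

    # Pass 2: resolve every call site and look it up in the signature index.
    index = {call: sig for sig in signatures for call in sig["calls"]}
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            parts = _parts(node.func)
            if not parts:
                continue
            resolved = _resolve(parts, names)
            sig = index.get(resolved)
            if sig:
                findings.append({
                    "signature": f"{sig['vendor']}/{sig['product']}/{sig['service']}",
                    "call": resolved,
                    "line": node.lineno,
                })
    return sorted(findings, key=lambda f: f["line"])


def summarize(findings: List[dict]) -> Dict[str, List[int]]:
    """One entry per matched signature, with the evidence lines behind it."""
    grouped: Dict[str, List[int]] = defaultdict(list)
    for f in findings:
        grouped[f["signature"]].append(f["line"])
    return dict(grouped)


if __name__ == "__main__":
    for sig, lines in summarize(scan_source(SAMPLE_SOURCE, SIGNATURES)).items():
        print(f"{sig}: lines {lines}")
```

The caveat this toy makes visible applies to any call-signature approach: a raw `requests.post("https://api.openai.com/...")` matches no SDK signature and goes unreported, so an AI BOM built from SDK signatures is only as complete as the signature set, which is why the community repository above matters.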
xbom collects anonymous telemetry to help us understand how it is used and
improve the product. To disable telemetry, set the XBOM_DISABLE_TELEMETRY environment
variable to true:

```bash
export XBOM_DISABLE_TELEMETRY=true
```