datadog-sbom-generator

module
v1.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 9, 2025 License: Apache-2.0

README

Datadog-Sbom-Generator

This repository contains the source code of Datadog's SBOM Generator. Its goal is to scan a cloned repository folder to extract dependencies which would be installed on your systems and produce a CycloneDX SBOM out of it.

If you're interested in this repository, you might be interested in Setting up Software Composition Analysis in your repositories.

How to install

  1. Go to the release page
  2. Select the version you want to use (or use the latest version)
  3. Download the asset depending on your operating system and your CPU architecture
  4. Unzip the asset

Running the scanner

To scan a repository folder and generate a SBOM, you can use this command:

datadog-sbom-generator scan -o "/tmp/sbom.json" "/path/to/directory"

For detailed documentation on all commands and options, see USAGE.md.

You can also get help directly from the command line:

datadog-sbom-generator --help
datadog-sbom-generator scan --help

Supported package managers

This tool sources all dependencies by parsing package manager files. As new package managers appears everyday, we do not support all of them. Here's a list of supported package managers:

Language Package Manager
.NET Nuget
C++ Conan
Go Golang
Java Gradle, Maven
JavaScript NPM, PNPM, Yarn
PHP Composer
Python Pdm, Pipenv, Poetry, Requirements, uv
Ruby Bundler
Rust Crates

Limitations

Datadog SBOM Generator reads package manager dependencies declaration files or their lock files. It means it can only scan dependencies which are declared in a standard and enforced way by each supported dependency manager.

We will detail here any known limitations by language.

Python

This tool only supports extracting packages from:

  • requirements*.txt
  • Pipfile.lock
  • poetry.lock
  • pdm.lock
  • uv.lock

This tool only supports enriching information from the following package manager declaration files:

  • Pipfile
  • pyproject.toml
Java
Maven
  • This tool only supports extracting packages and locations from pom.xml.
  • It can only scan pom.xml files which are stored in the same repository.
  • If a pom file defines a parent that is not stored in the repository or is an artifact hosted by an artifact registry, the scanner will try to download it from Maven central. If the scanner cannot locate it there, or cannot access it, it won't be able to resolve the version.
Gradle
  • This tool only supports extracting packages from gradle.lockfile.
  • This tool only supports package information enrichment from build.gradle and gradle/verification-metadata.xml files.
Javascript and Typescript

NPM, Yarn and PNPM have workspace support

NPM
  • This tool only supports extracting packages from package-lock.json.
  • This tool only supports package information enrichment from package.json.
Yarn
  • This tool only supports extracting packages from yarn.lock.
  • This tool only supports package information enrichment from package.json.
PNPM
  • This tool only supports extracting packages from pnpm-lock.yaml.
  • This tool only supports package information enrichment from package.json.
.Net
Nuget
  • This tool supports extracting packages from packages.lock.json and *.csproj.
  • This tool only supports package information enrichment from *.csproj when parsing packages.lock.json.
  • Inside a .csproj file:
    • Templatization is not supported.
    • Including other csproj is not supported.
Ruby
Bundler
  • This tool only supports extracting packages from Gemfile.lock.
  • This tool only supports package information enrichment from Gemfile and *.gemspec.
  • If the version of a package is defined in a variable, the location reported by the scanner will be the usage of the variable.
  • Dependencies sourced from Git repositories won't have any version reported.
C++
Conan
  • This tool only supports extracting packages from conan.lock.
Rust
Crates
  • This tool only supports extracting packages from Cargo.lock.

Contributing

Contributions are welcome! You can contribute by:

  • Reporting issues or requesting features via GitHub Issues
  • Submitting pull requests with improvements or bug fixes

For detailed information on building, testing, and developing the project, see CONTRIBUTING.md.

License

The Datadog version of datadog-sbom-generator is licensed under the Apache License, Version 2.0.

Acknowledgement

This project builds upon portions of the osv-scanner project originally developed by Google and released under the Apache License 2.0. We thank the original authors for their foundational work.

Directories

Path Synopsis
cmd
datadog-sbom-generator command
datadog-sbom-generator/parsers
datadog-sbom-generator/scan
internal
cachedregexp
customgitignore
http
json
output
output/sbom
semantic
testutility
utility/converter
utility/fileposition
utility/filereader
utility/location
utility/purl
pkg
lockfile
lockfile/cpp
lockfile/dart
lockfile/dotnet
lockfile/elixir
lockfile/golang
lockfile/internal/testutil
lockfile/java
lockfile/javascript
lockfile/parsers
lockfile/php
lockfile/python
lockfile/renv
lockfile/ruby
lockfile/rust
lockfile/system
models
reachability
reachability/codefile
reporter
Package reporter is a generated GoMock package.
 Package reporter is a generated GoMock package.
scanner

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.