xBom
Generate BOMs enriched with AI, SaaS and more using Static Code Analysis
⚡ Quick Start
# Installation on macOS & Linux
brew install safedep/tap/xbom
or download a pre-built binary
# Generate BOM for your source code
xbom generate --dir /path/to/code --bom /path/to/bom.cdx.json
This will generate a CycloneDX v1.6 SBOM with AI components detected in the code base.
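As an added example (not part of the xbom project), a small Python check that a CI job could run over the generated bom.cdx.json: it verifies the CycloneDX 1.6 header, walks the component list including nested components, and returns every AI component whose PURL is not on an approved vendor allow-list. The allow-list and the embedded sample BOM are constructed for illustration in the CycloneDX 1.6 JSON shape, not xbom's actual output.

```python
import json
from typing import Any

# Constructed sample BOM in CycloneDX 1.6 JSON shape (not real xbom output).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "openai", "version": "1.30.0",
         "purl": "pkg:pypi/openai@1.30.0"},
        {"type": "service", "name": "azure-openai",
         "purl": "pkg:generic/microsoft/azure-openai"},
        {"type": "library", "name": "langchain", "version": "0.2.1",
         "purl": "pkg:pypi/langchain@0.2.1",
         # CycloneDX allows components to nest their own components.
         "components": [
             {"type": "library", "name": "anthropic", "version": "0.25.0",
              "purl": "pkg:pypi/anthropic@0.25.0"}]},
    ],
})

# Hypothetical policy: PURL prefixes of AI vendors approved for use.
ALLOWED_PURL_PREFIXES = ("pkg:pypi/openai", "pkg:generic/microsoft/")


def load_bom(text: str) -> dict[str, Any]:
    """Parse the BOM and verify it is CycloneDX 1.6 before trusting its contents."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if bom.get("specVersion") != "1.6":
        raise ValueError(f"unexpected specVersion {bom.get('specVersion')!r}")
    return bom


def iter_components(components: list[dict[str, Any]]):
    """Yield components depth-first, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def unapproved_components(bom: dict[str, Any], allowed=ALLOWED_PURL_PREFIXES) -> list[str]:
    """Return 'name@version' for each component whose PURL is not on the allow-list."""
    flagged = []
    for comp in iter_components(bom.get("components", [])):
        if not comp.get("purl", "").startswith(allowed):
            flagged.append(f"{comp.get('name')}@{comp.get('version', '?')}")
    return flagged


if __name__ == "__main__":
    for item in unapproved_components(load_bom(SAMPLE_BOM)):
        print("unapproved AI component:", item)
```

To run it against a real BOM, replace SAMPLE_BOM with the contents of the file passed to `--bom` and exit non-zero when the returned list is non-empty.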
Supported Languages
Currently, xBom supports the following programming languages:
| Language | Status |
| --- | --- |
| Python | ✅ Active |
| Java | ✅ Active |
| JavaScript | 🚧 WIP |
Limitations
xbom is currently limited to AI BOM generation. It uses static code analysis to identify AI products used in the code base. For generating a full-fledged SBOM with library dependencies, you can use vet.
Development
Signatures
xBom maintains community-driven signatures for popular SDKs, APIs and libraries in signatures/, following the file naming convention signatures/$vendor/$product/$service.yml. You can generate a new signature file using the command:
xbom signature new --vendor <vendor> --product <product> --service <name>
This will generate a new YAML file (if it doesn't already exist) at signatures/$vendor/$product/$service.yml. Edit the file to add the patterns needed to detect the component.
Examples:
signatures/microsoft/azure/ai.yml
signatures/microsoft/office/integrations.yml
Telemetry
xbom collects anonymous telemetry to help us understand how it is used and improve the product. To disable telemetry, set the XBOM_DISABLE_TELEMETRY environment variable to true:
export XBOM_DISABLE_TELEMETRY=true