This repository contains the source code of Datadog's SBOM Generator. Its goal is to scan a cloned repository folder to extract dependencies which would be installed on your systems and produce a CycloneDX SBOM out of it.

If you're interested in this repository, you might be interested in Setting up Software Composition Analysis in your repositories.

1. Go to the release page
2. Select the version you want to use (or use the latest version)
3. Download the asset depending on your operating system and your CPU architecture
4. Unzip the asset

To scan a repository folder and generate a SBOM, you can use this command:

datadog-sbom-generator scan -o "/tmp/sbom.json" "/path/to/directory"

For detailed documentation on all commands and options, see USAGE.md.

You can also get help directly from the command line:

datadog-sbom-generator --help
datadog-sbom-generator scan --help

This tool sources all dependencies by parsing package manager files. As new package managers appears everyday, we do not support all of them. Here's a list of supported package managers:

Datadog SBOM Generator reads package manager dependencies declaration files or their lock files. It means it can only scan dependencies which are declared in a standard and enforced way by each supported dependency manager.

We will detail here any known limitations by language.

This tool only supports extracting packages from:

• requirements*.txt
• Pipfile.lock
• poetry.lock
• pdm.lock
• uv.lock

This tool only supports enriching information from the following package manager declaration files:

• Pipfile
• pyproject.toml

• This tool only supports extracting packages and locations from pom.xml.
• It can only scan pom.xml files which are stored in the same repository.
• If a pom file defines a parent that is not stored in the repository or is an artifact hosted by an artifact registry, the scanner will try to download it from Maven central. If the scanner cannot locate it there, or cannot access it, it won't be able to resolve the version.

• This tool only supports extracting packages from gradle.lockfile.
• This tool only supports package information enrichment from build.gradle and gradle/verification-metadata.xml files.

NPM, Yarn and PNPM have workspace support

• This tool only supports extracting packages from package-lock.json.
• This tool only supports package information enrichment from package.json.

• This tool only supports extracting packages from yarn.lock.
• This tool only supports package information enrichment from package.json.

• This tool only supports extracting packages from pnpm-lock.yaml.
• This tool only supports package information enrichment from package.json.

• This tool supports extracting packages from packages.lock.json and *.csproj.
• This tool only supports package information enrichment from *.csproj when parsing packages.lock.json.
• Central and build configuration discovery:
  • The tool automatically discovers Directory.Packages.props and Directory.Build.props.
  • Discovery is performed in the limit of the scanned directory.
  • Only configuration files found within the scan scope are considered; parent directories outside the scan root are intentionally ignored.

• This tool only supports extracting packages from Gemfile.lock.
• This tool only supports package information enrichment from Gemfile and *.gemspec.
• If the version of a package is defined in a variable, the location reported by the scanner will be the usage of the variable.
• Dependencies sourced from Git repositories won't have any version reported.

• This tool only supports extracting packages from conan.lock.

• This tool only supports extracting packages from Cargo.lock.
• This tool supports package information enrichment from Cargo.toml, including dependencies declared in [dependencies], [dev-dependencies], and [build-dependencies] sections.
• Workspace support is not currently available.
• Renaming dependencies is not supported.

Contributions are welcome! You can contribute by:

• Reporting issues or requesting features via GitHub Issues
• Submitting pull requests with improvements or bug fixes

For detailed information on building, testing, and developing the project, see CONTRIBUTING.md.

The Datadog version of datadog-sbom-generator is licensed under the Apache License, Version 2.0.

This project builds upon portions of the osv-scanner project originally developed by Google and released under the Apache License 2.0. We thank the original authors for their foundational work.