The CycloneDX module for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BoM specification that is easily created, human readable, and simple to parse. The resulting bom.xml can be used with tools such as OWASP Dependency-Track for the continuous analysis of components.
dotnet tool install --global CycloneDXIf you already have a previous version of CycloneDX installed, you can upgrade to the latest version using the following command:
dotnet tool update --global CycloneDXUsage: cyclonedx [path] -o [outputDirectory]
Arguments:
Path The path to a .sln, .csproj, .vbproj, or packages.config file or the path to a directory which will be recursively analyzed for packages.config files.
Options:
-o|--out <DIR> The directorty to write the BOM
-u|--url <URL> Alternative NuGet repository URL to v3-flatcontainer API (a trailing slash is required).
-?|-h|--help Show help information
To run the CycloneDX tool you need to specify a solution or project file. In case you pass a solution, the tool will aggregate all the projects.
The following will create a BOM from a solution and all projects defined within:
dotnet CycloneDX YourSolution.sln -o /output/pathThe following will recursively scan the directory structure for packages.config and create a BOM:
dotnet CycloneDX /path/to/project -o /output/pathPermission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.