Available on winget

Install CycloneDX Generator (cdxgen)

A polyglot tool and library for generating various Bills of Materials in the CycloneDX specification.

Install with winget
winget install --id CycloneDX.cdxgen
Upgrade
winget upgrade --id CycloneDX.cdxgen
Uninstall
winget uninstall --id CycloneDX.cdxgen

About CycloneDX Generator (cdxgen)

Generate a Software Bill of Materials (SBOM) for most applications and container images with a single command. Generate an Operations Bill of Materials (OBOM) for Linux and Windows hosts. Integrate with any CI/CD pipeline. Automatically submit the generated BOM to your Dependency-Track server for analysis.

What's new in 12.7.0

What's Changed

Go
- [go] Fix crash on empty go.mod file by @malice00 in #4179

Java / Kotlin / Scala / Clojure
- [gradle] Fix incorrect SBOM with unresolved dependencies by @malice00 in #4173
- Strip scala version suffix for sbt by @prabhu in #4186
- Attempt to find the hashes and licenses for gradle. by @prabhu in #4187
- Better asar detection with header sniffing. by @prabhu in #4190
- Move gradle fixture to hosted by @prabhu in #4220

Docker / Containers / Infrastructure
- Native sbom attachment by @prabhu in #4184

Breaking Changes
- Support no-ignore argument by @prabhu in #4188

Full Changelog: v12.6.0...v12.7.0

Version history

Version Updated Notes
12.7.0 Unknown What's Changed Go - [go] Fix crash on empty go.mod file by @malice00 in #4179 Java / Kotlin / Scala / Clojure - [gradle] Fix incorrect SBOM with unresolved dependencies by @malice00 in #4173 - Strip scala version suffix...
12.6.0 Unknown This minor release includes two new features: - Support for dynamic/trace BOM generation using instrumentation. Powered by safer-exec. - New tui mode powered by cdxui. Please try with the --tui argument. What's Changed J...
12.5.1 Unknown cdxgen now supports generating AI/ML-BOM with the new -t ai type. For JavaScript and Python projects, AI-BOM would also include the exact occurrence evidence. evinse is now supported for Rust projects. Pass --profile res...
12.5.0 Unknown Highlights This release introduces go evinse with golem integration for deep, data-flow-aware analysis of go projects. The JavaScript analyzer gains type-only import detection, better Vue.js scope resolution, and new npm...
12.4.4 Unknown What's Changed - java maven improvements #4064 - component type filter #4063 - javascript improvements #4066 - pass exclude arguments to atom #4069 Full Changelog: v12.4.3...v12.4.4
12.4.3 Unknown This release includes one security fix. - [Security] harden maven shell metacharacters in #4059. Thanks, @aleff-github Full Changelog: v12.4.2...v12.4.3
12.4.2 Unknown What's Changed 🤖 AI-auto Changes - Handle object-form GitHub Actions runs-on by @Copilot in #4057 - Upgrade to dosai v3 by @prabhu in #4058 Full Changelog: v12.4.1...v12.4.2
12.4.1 Unknown Optimise SEA binaries. What's Changed 🤖 AI-auto Changes - fix: profile standalone binary dependencies by @prabhu in #4053 Full Changelog: v12.4.0...v12.4.1
12.4.0 Unknown What's Changed 🤖 AI-auto Changes - Enhance dry-run mode with symlink, spawn I/O, and archive extraction tracing by @Copilot in #3969 - package visibility, cbom and obom improvements by @prabhu in #4002 - feat: caxa v3 ba...
12.3.3 Unknown This release includes security fixes and some features. What's Changed 🤖 AI-auto Changes - Trim non-runtime files from published npm artifacts, image context, and SEA bundles by @Copilot in #3957 - Add collider.lock supp...
12.3.2 Unknown What's Changed 🤖 AI-auto Changes - Enforce CycloneDX 1.7 TLP validation for sensitive BOM properties by @Copilot in #3954 Full Changelog: v12.3.1...v12.3.2
12.3.1 Unknown cdxgen can now identify the MCP configurations and skills used in your project. It can also predict supply-chain attacks against your cargo dependencies. What's Changed 🤖 AI-auto Changes - Expand Cargo predictive audit c...
12.3.0 Unknown cdxgen v12.3.0 Full changelog: v12.2.1...v12.3.0 v12.3.0 is a big release for cdxgen. It expands the project beyond BOM generation with new capabilities for upstream dependency risk prioritisation, SPDX conversion/export...
12.2.1 Unknown This release focuses on Node.js dependency accuracy, server-side submission hardening, and CI/build maintenance. lang:node #3920 added WASM and WASI detection in the JS analyzer with test coverage updates. #3924 fixed np...
12.2.0 Unknown > The beginning of the cycle where the AI agents write more code than humans. cdxgen continues to lose weight. We have removed more dependencies such as sqlite3 and jws by rewriting code to make use of native Node module...
12.1.5 Unknown What's Changed Breaking Changes 🛠 - Couple of security fixes. Update jdk versions by @prabhu in #3808 - Audit npmrc config files and NODE_OPTIONS for code execution risks. by @prabhu in #3815 - Improve python venv detect...
12.1.4 Unknown What's Changed Breaking Changes 🛠 - Do not try to build sqlite3 for deno by @prabhu in #3801 Other Changes - typescript 6 by @prabhu in #3802 - Detect npm package name and version spoofing by @prabhu in #3805 Full Change...
12.1.3 Unknown What's Changed Breaking Changes 🛠 - [security] server hardening for safer git clones by @prabhu in #3708 - Do not make pypi calls unless necessary. by @prabhu in #3711 🤖 AI-assisted Changes - Trim sqlite3 prebuilds by @p...
12.1.2 Unknown What's Changed Breaking Changes 🛠 - go 1.24+ support with additional attributes by @prabhu in #3576 🤖 AI-assisted Changes - fix(cmake): skip empty dependency() names when parsing Meson files by @SergioChan in #3682 - fix...
12.1.1 Unknown What's Changed 🏗️ Build System - [musl binaries] Switch to 'official unofficial' nodejs builds URL by @malice00 in #3513 Other Changes - Add arguments to prevent trivy telemetry and version check (#3499) by @atwupack in...