Software bill of material or SBOM are normalized descriptions of your software, like a recipe is the normalized description of a meal. SBOMs contain the list of all direct and transitive components of the software with their respective version number and license model. They are the input of our dependency track vulnerability scanner to analyze each software of your IT infrastructure. Since SBOM contains a precise and complete description of your software, our scanner does not require any connection to your IT system.

How to retrieve or generate SBOMs
from almost any piece of software ?

To get started, you will need to generate SBOMs using one of the different tools depending on the system or application to track. Our dependency track SaaS solution gives you the single aggregate view to monitor them in a central location.

Going the extra step of automating the SBOM generation will make sure your software inventory remains always up to date and facilitate your software transparency journey. Further information regarding SBOM transfer automation can be found on this documentation page.

As retrieving SBOMs is an always evolving subject with tools appearing or disappearing over time, we will do our best to keep this page up to date and reflect current open-source community standing.

Contact us to share additional great tools you have found to facilitate the SBOM generation process, we will review and include it here to help the others.

Now let’s get practical…

Extract SBOM at build stage

Applications built through its source code should ideally generate its SBOM as an additional step within the CI/CD.

Many different tools and plugins will help you based on the underlying technology of your applications:

Or you might prefer to use cdxgen which is a multi purpose SBOM generator compatible with pretty much every programming languages, package managers and operating systems.

Extract SBOM at deployment stage

Ideally you should obtain the SBOM for any third party solution directly from its provider. Yet still many providers are not prepared for that. So while the industry is maturing in this area, you might have to generate the SBOM of third party applications yourself.

Luckily this can still be fully automated and integrated in your deployment pipeline. We will show you in this section the tools to use for this extraction.

Applications installed through package managers

SBOM for applications installed through package managers can be scanned quite easily using tools such as syft or spdx. In the below examples, we will focus on syft since it does not requires any conversion and is slightly more mature than spdx.

Linux / MacOS

The scanning can be performed on every distribution using:

# Install syft
curl -sSfL | sudo sh -s -- -b /usr/local/bin

# Scan the whole host
sudo /usr/local/bin/syft scan dir:/--output cyclonedx-json > "$HOSTNAME.sbom.json"

Or if you have docker on that machine and prefer running syft without prior installation to scan the host, you will simply run:

docker run --rm -a stdout -v /:/host:ro anchore/syft scan dir:/host --output cyclonedx-json > "$HOSTNAME.sbom.json"


Similarly for Windows, the latest Syft binary can be downloaded from the release page. Sometimes the Windows version is published after the Linux and Darwin versions, either take a previous binary release or run the Linux version in WSL or the Docker version if you prefer to have the latest without waiting.

To run the Windows version, adapt the following command to your need in an admin command prompt:

syft scan dir:"c:" --output cyclonedx-json > "%ComputerName%.sbom.json"

Virtual environments

Docker containers

If you have the docker sbom cli plugin (installed by default on Windows) you can use the command

# Replace placeholder {{container:tag}}
docker sbom {{container:tag}} --format cyclonedx-json --output {{container:tag}}.sbom.json

On Linux, you can avoid the hassle of the management of docker plugins and have access to more features by using our simple script shown below.


docker run --rm 
  -v /:/host:ro 
  -v ${PWD}:/out 
  -v /var/lib/docker/volumes:/var/lib/docker/volumes:ro 
  -v /var/run/docker.sock:/var/run/docker.sock:ro 
  -a stdin -a stdout -a stderr 
  -i anchore/syft "$@"

It can be used in many different ways (check all possibilities using --help). For example, to scan existing images you would use:

# Replace placeholder {{container:tag}} scan registry:{{container:tag}} --format cyclonedx-json > {{container:tag}}.sbom.json

Operating system / Virtual Machine / Other applications

Applications installed manually including close source applications are more challenging to scan as of now. You can scan for applications installed through package managers using syft as shown in the section above or you might possibly cover additional scenarios with cdxgen.

# Scan only OS packages with syft (eg: debian)
syft scan dir:/var/lib/dpkg --output cyclonedx-json > "$HOSTNAME.sbom.json"

# Scan everything with syft (can be slow)
syft scan dir:/ --output cyclonedx-json > "$HOSTNAME.sbom.json"

Binaries / Mobile App

Analyzing binaries, such as mobile app packages (APK for Android and IPA for iOS), poses significant challenges. However, it remains a crucial\ practice, particularly in cases where the vendor has not yet furnished a Software Bill of Materials (SBOM). cve-bin-tool might come handy to extract some informations for those use cases:

cve-bin-tool --sbom-type cyclonedx --sbom-output application.sbom.json Application.apk


The community provides many different tools to extract and generate SBOM. Hopefully with this page we helped you select the most appropriate ones for your case.

SBOMs are already the standard when delivering software to the US government. We trust that this practice will also develop around the world and that SBOM will become a standard delivery artifact that helps the industry improve the supply chain transparency.

Generating SBOM is only the first step of your journey, the cloud solution Dependency Track SaaS based on the open-source solution of the same name is the most versatile and enterprise ready solution to organize and monitor them centrally.

To read next, we suggest our SBOM transfer automation page.

Still unsure how to extract SBOM ?
Get in touch today !

Contact us

Copyright © 2024 LLC. All rights reserved.

Cookie-free website powered using renewable energy