Generate BOMs enriched with AI, SaaS and more using Static Code Analysis
Generate an AI BOM from source code:

```shell
xbom generate --dir /path/to/code
```

By default this prints a console summary of the different AI products detected in the code base. To generate a CycloneDX SBOM containing the AI components detected in the code base:

```shell
xbom generate --dir /path/to/code --cdx /path/to/sbom.cdx.json
```
Currently, xBom supports the following programming languages:
| Language | Status |
|---|---|
| Python | ✅ Active |
xBom is currently limited to AI BOM generation. It uses static code analysis to identify AI products used in the code base. To generate an SBOM of library dependencies, use vet.
xBom maintains community-driven signatures for popular SDKs, APIs and libraries under signatures/, following the file naming convention signatures/$vendor/$product/$service.yml. You can generate a new signature file with:

```shell
xbom signature new --vendor <vendor> --product <product> --service <name>
```

This creates signatures/$vendor/$product/$service.yml (if it does not already exist). Edit the file to add the patterns needed to detect the component.
Examples:
signatures/microsoft/azure/ai.yml
signatures/microsoft/office/integrations.yml
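To make concrete what "static code analysis driven by signatures" means for both the CycloneDX output above and the signature files described here, the following is an added example, not xBom's own code (xBom is a separate tool with its own implementation and its own YAML signature schema). It walks a Python module's AST, resolves import aliases so that `from azure.ai.inference import ChatCompletionsClient as Client` still matches, checks imports and call targets against a small set of signatures, and emits a minimal CycloneDX-shaped component list. The signature fields (`modules`, `calls`), the sample source and the exact output shape are assumptions for this illustration.

```python
"""Toy signature-driven AI BOM scanner for Python source.

Added example, not xBom's code: the signature fields below (modules, calls)
are invented for illustration and are not xBom's YAML schema.
"""
import ast
import json

# Hypothetical signatures, named the way xBom names its files
# (signatures/$vendor/$product/$service.yml); the match fields are assumed.
SIGNATURES = [
    {"vendor": "openai", "product": "openai", "service": "chat",
     "modules": ["openai"], "calls": ["openai.OpenAI"]},
    {"vendor": "microsoft", "product": "azure", "service": "ai",
     "modules": ["azure.ai"],
     "calls": ["azure.ai.inference.ChatCompletionsClient"]},
    {"vendor": "langchain", "product": "langchain", "service": "core",
     "modules": ["langchain", "langchain_core"], "calls": []},
]

# Constructed sample input for the example; not taken from any real code base.
SAMPLE_SOURCE = """\
import os
import openai
from azure.ai.inference import ChatCompletionsClient as Client
import requests

client = openai.OpenAI(api_key=os.environ["OPENAI_API_KEY"])
azure = Client(endpoint="https://example.invalid", credential=None)
"""


def _dotted_name(func, aliases):
    """Resolve a call target such as `Client(...)` or `openai.OpenAI(...)` to a
    fully qualified name by following the import aliases seen in the file."""
    parts = []
    node = func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # e.g. a call on the result of another call
    parts.append(node.id)
    parts.reverse()
    parts[0] = aliases.get(parts[0], parts[0])
    return ".".join(parts)


def _module_matches(module, prefix):
    return module == prefix or module.startswith(prefix + ".")


def scan_source(source, signatures=SIGNATURES):
    """Return one finding per matched signature, with line-level evidence."""
    tree = ast.parse(source)
    aliases = {}    # local binding -> fully qualified module/object name
    imports = []    # (module name, line number)
    raw_calls = []  # (callee AST node, line number), resolved after the walk
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                imports.append((alias.name, node.lineno))
                if alias.asname:
                    aliases[alias.asname] = alias.name
                else:  # `import a.b` binds the name `a`
                    top = alias.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.append((node.module, node.lineno))
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        elif isinstance(node, ast.Call):
            raw_calls.append((node.func, node.lineno))
    # Resolve calls only once every import alias in the file is known.
    calls = [(_dotted_name(f, aliases), ln) for f, ln in raw_calls]

    findings = []
    for sig in signatures:
        evidence = []
        for module, line in imports:
            if any(_module_matches(module, m) for m in sig["modules"]):
                evidence.append(f"import {module} (line {line})")
        for callee, line in calls:
            if callee in sig["calls"]:
                evidence.append(f"call {callee} (line {line})")
        if evidence:
            findings.append({
                "name": f'{sig["vendor"]}/{sig["product"]}/{sig["service"]}',
                "evidence": sorted(evidence),
            })
    return sorted(findings, key=lambda f: f["name"])


def to_cyclonedx(findings):
    """Emit a minimal CycloneDX-shaped document (component list only); the
    fields xBom itself writes may differ."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": f["name"],
             "properties": [{"name": "evidence", "value": e} for e in f["evidence"]]}
            for f in findings
        ],
    }


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(scan_source(SAMPLE_SOURCE)), indent=2))
```

Two points a practitioner should keep in mind when reading xBom's output through this lens. First, the AI BOM is only as complete as the signature set: an SDK with no signature under signatures/ is invisible, which is why the project asks for community contributions. Second, any static approach of this kind sees only what is syntactically present; a module loaded by name at runtime (`importlib.import_module("openai")`) or an API reached over raw HTTP without a vendor SDK leaves no import or call to match, so the resulting BOM should be read as a lower bound, not an inventory.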