SBOMgen
This tutorial shows how to produce a CycloneDX SBOM from a Ruby project with the CycloneDX-Ruby-Gem CLI (cyclonedx-ruby).
Install the released gem from RubyGems with the command:
gem install cyclonedx-ruby
Alternatively, clone, build and install the current source of the CycloneDX-Ruby-Gem repository with the following commands (replace <version-number> with the version printed by gem build):
git clone https://github.com/CycloneDX/cyclonedx-ruby-gem.git
cd cyclonedx-ruby-gem
gem build cyclonedx-ruby.gemspec
gem install cyclonedx-ruby-<version-number>.gem
Verify installation with the command:
cyclonedx-ruby -h
You should see output like the following:
Usage: cyclonedx-ruby [options]
-v, --[no-]verbose Run verbosely
-p, --path path (Required) Path to Ruby project directory
-o, --output bom_file_path (Optional) Path to output the bom.xml file to
-f, --format bom_output_format (Optional) Output format for bom. Currently support xml (default) and json.
-h, --help Show help message
Navigate to a Ruby project directory (the tool resolves the project's dependencies from its Gemfile.lock, so one must be present).
Run the command:
cyclonedx-ruby -p .
A bom.xml file should appear in that directory.
The -p flag selects the project directory and the -o flag writes the SBOM to a custom output path; -f json produces a JSON BOM instead of the default XML.
Some metadata in the produced SBOM may be missing, such as the BOM type and the subject package's type, name and version (the metadata/component element), so inspect the output before relying on it.
At the time of writing, the version built from source (1.2.0) is newer than the version published on RubyGems (1.1.0); the -f/--format option (bom_output_format) is missing from the latter, so the RubyGems release can only emit XML.
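Because the subject metadata can be absent, it is worth checking a generated BOM before handing it on. The following Ruby script is an added example written for this tutorial; it is not part of cyclonedx-ruby. It parses a CycloneDX BOM in either XML or JSON form using only the Ruby standard library, reports which of the subject's type, name and version are missing, and counts the listed components. The two embedded BOMs are constructed sample inputs, not real cyclonedx-ruby output.

```ruby
# Added example, not part of cyclonedx-ruby: check a generated CycloneDX BOM
# (XML or JSON) for the subject metadata that the tutorial notes can be missing.
require "json"
require "rexml/document"

# Fields of metadata.component (the SBOM's subject) that should be present.
REQUIRED_SUBJECT_FIELDS = %w[type name version].freeze

# Child elements of +el+ whose local name is +name+ (empty if +el+ is nil).
def children(el, name)
  out = []
  el&.each_element { |c| out << c if c.name == name }
  out
end

# Build the report hash shared by the XML and JSON paths.
def build_report(format, bom_format, spec_version, subject, component_count)
  missing = REQUIRED_SUBJECT_FIELDS.reject { |f| subject[f].to_s.strip != "" }
  { format: format, bom_format: bom_format, spec_version: spec_version,
    subject: subject, missing: missing, component_count: component_count }
end

def inspect_json_bom(text)
  bom = JSON.parse(text)
  subject = bom.dig("metadata", "component") || {}
  build_report("json", bom["bomFormat"], bom["specVersion"],
               REQUIRED_SUBJECT_FIELDS.to_h { |f| [f, subject[f]] },
               Array(bom["components"]).size)
end

def inspect_xml_bom(text)
  root = REXML::Document.new(text).root
  raise ArgumentError, "root element is not <bom>" unless root && root.name == "bom"
  # The XML form carries the spec version in the default namespace URI,
  # e.g. http://cyclonedx.org/schema/bom/1.4
  ns = root.namespace.to_s
  bom_format = ns.include?("cyclonedx.org/schema/bom") ? "CycloneDX" : nil
  spec_version = ns[%r{/bom/([\d.]+)\z}, 1]
  subject = children(children(root, "metadata").first, "component").first
  fields = {
    "type" => subject ? subject.attributes["type"] : nil,
    "name" => children(subject, "name").first&.text,
    "version" => children(subject, "version").first&.text,
  }
  count = children(children(root, "components").first, "component").size
  build_report("xml", bom_format, spec_version, fields, count)
end

# Detect the serialization from the content and dispatch.
def inspect_bom(text)
  text.lstrip.start_with?("{") ? inspect_json_bom(text) : inspect_xml_bom(text)
end

# Constructed sample inputs (not real cyclonedx-ruby output): the XML BOM's
# subject has no <version>, the JSON BOM's subject is complete.
SAMPLE_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
    <metadata>
      <component type="application">
        <name>sample-app</name>
      </component>
    </metadata>
    <components>
      <component type="library">
        <name>rake</name>
        <version>13.0.6</version>
        <purl>pkg:gem/rake@13.0.6</purl>
      </component>
      <component type="library">
        <name>json</name>
        <version>2.6.3</version>
        <purl>pkg:gem/json@2.6.3</purl>
      </component>
    </components>
  </bom>
XML

SAMPLE_JSON = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": { "component": { "type": "application", "name": "sample-app", "version": "0.1.0" } },
    "components": [
      { "type": "library", "name": "rake", "version": "13.0.6", "purl": "pkg:gem/rake@13.0.6" }
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_XML, SAMPLE_JSON].each do |text|
    r = inspect_bom(text)
    puts "#{r[:format]} (#{r[:bom_format]} #{r[:spec_version]}): #{r[:component_count]} components"
    puts r[:missing].empty? ? "  subject metadata complete" : "  subject missing: #{r[:missing].join(', ')}"
  end
end
```

To check a real output file, replace the samples with File.read("bom.xml") or File.read("bom.json"); a non-empty missing list means the SBOM's subject needs to be filled in (or the generator re-run with a newer version) before the file is published.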
This section illustrates CycloneDX JSON and XML SBOMs of the CocoaPods codebase generated with CycloneDX-Ruby-Gem.
CycloneDX. (2023). CycloneDX-Ruby-Gem. GitHub. https://github.com/CycloneDX/cyclonedx-ruby-gem
CocoaPods. (n.d.). CocoaPods: The Cocoa dependency manager. GitHub. https://github.com/CocoaPods/CocoaPods