Support CycloneDX files for dependency tracking

CycloneDX is an open OWASP specification for Software Bill of Materials, which is another name for “list of all dependencies”. It would be handy to be able to use such format for generating dependency trees as it would make Dependency Graph feature language agnostic. This would also help in cases when there is no simple way to generate list of dependencies out of the source tree (for example C and C++ often have this problem).

I see 2 forms of supporting this file:

  • In source, for example .github/sbom.xml or just sbom.xml. This would be useful for languages that has no standardised package management and often relies on end-user installing libraries independently (for example C and C++ projects).
  • Via GitHub Actions which would allow to dynamically generate such file.

New tools that would be supported via such integration right away:

This would also help general community by:

  • Making CycloneDX more popular format. This would be general security community gain.
  • Allowing for faster integration of new languages into GitHub Dependency Graph feature as it would make it language agnostic. Adding new language to supported list would be the same as adding CycloneDX SBoM file generator.
1 Like

Hi @hauleth, welcome to the community!

Thanks for this feedback! We’re always working to improve GitHub and the GitHub Support Community, and we consider every suggestion we receive.

Would you mind submitting this through our official product feedback form so that our product team can track your request?

1 Like