Supported ecosystems¶
A hands-on guide using the per-language example projects under examples/. Run each example to see the SBOM output right away.
Example directory structure¶
examples/
├── java-maven/ # Java + Maven
├── java-gradle/ # Java + Gradle
├── nodejs/ # Node.js + npm
├── python/ # Python + pip / Poetry
├── go/ # Go modules
├── ruby/ # Ruby + Bundler
├── php/ # PHP + Composer
├── rust/ # Rust + Cargo
├── dotnet/ # .NET + NuGet
├── swift/ # Swift + SPM (Swift Package Manager)
└── docker/ # Docker image analysis
Common run steps¶
Every source-code example runs the same way from the repository root: point --target at the example folder and pick a project name. The results are saved in a {Project}_{Version}/ subfolder. For the Node.js example:
# 1. Generate the SBOM (from the repository root)
./scripts/scan-sbom.sh --project "NodeExample" --version "1.0.0" --target examples/nodejs --generate-only
# 2. Check the result
jq '.components | length' NodeExample_1.0.0/NodeExample_1.0.0_bom.json
The sections below give the ready-to-paste command for each language.
Java (Maven)¶
./scripts/scan-sbom.sh --project "JavaMavenExample" --version "1.0.0" --target examples/java-maven --generate-only
Detected file: pom.xml
<!-- example pom.xml -->
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>3.2.0</version>
</dependency>
</dependencies>
Java (Gradle)¶
./scripts/scan-sbom.sh --project "JavaGradleExample" --version "1.0.0" --target examples/java-gradle --generate-only
Detected file: build.gradle or build.gradle.kts
Node.js¶
./scripts/scan-sbom.sh --project "NodeExample" --version "1.0.0" --target examples/nodejs --generate-only
Detected file: package.json + package-lock.json (or yarn.lock, pnpm-lock.yaml)
Note: a lock file pins the exact installed versions. Dependencies are still captured from
package.jsonwithout one, but committing a lock file makes the result reproducible.
Python¶
./scripts/scan-sbom.sh --project "PythonExample" --version "1.0.0" --target examples/python --generate-only
Detected file: requirements.txt, or pyproject.toml + poetry.lock
Go¶
Detected file: go.mod + go.sum
Note:
go.sumis required for accurate version hashes. Rungo mod tidyfirst, then try again.
Ruby¶
./scripts/scan-sbom.sh --project "RubyExample" --version "1.0.0" --target examples/ruby --generate-only
Detected file: Gemfile.lock
PHP¶
./scripts/scan-sbom.sh --project "PHPExample" --version "1.0.0" --target examples/php --generate-only
Detected file: composer.lock
Rust¶
./scripts/scan-sbom.sh --project "RustExample" --version "1.0.0" --target examples/rust --generate-only
Detected file: Cargo.lock
.NET¶
./scripts/scan-sbom.sh --project "DotNetExample" --version "1.0.0" --target examples/dotnet --generate-only
Detected file: *.csproj + packages.lock.json
Swift / iOS¶
./scripts/scan-sbom.sh --project "SwiftExample" --version "1.0.0" --target examples/swift --generate-only
Detected files: Package.swift (+ Package.resolved) for Swift Package Manager, or Podfile.lock for CocoaPods.
Dependencies are read from the committed lockfiles, so include them in the scan:
- Swift Package Manager:
Package.resolved(runswift package resolvefirst if it is missing). - CocoaPods:
Podfile.lock(produced bypod install). BomLens parses it directly, so the scanning machine needs neither macOS nor a CocoaPods install.
Note: UIKit and other Xcode-driven platform dependencies require macOS and are not resolved in the Linux scanner.
Docker image analysis¶
Run Docker image analysis from the project root.
# Analyze a public image
./scripts/scan-sbom.sh \
--project "NginxSBOM" \
--version "1.25" \
--target "nginx:1.25-alpine" \
--generate-only
# Ubuntu-based image
./scripts/scan-sbom.sh \
--project "UbuntuSBOM" \
--version "22.04" \
--target "ubuntu:22.04" \
--generate-only
Files required for detection¶
If source analysis finds no dependencies, check for the lock file below.
| Language | Required file |
|---|---|
| Java (Maven) | pom.xml |
| Java (Gradle) | build.gradle or build.gradle.kts |
| Node.js | package.json + package-lock.json or yarn.lock |
| Python | requirements.txt or pyproject.toml + poetry.lock |
| Go | go.mod + go.sum |
| Rust | Cargo.lock |
| Ruby | Gemfile.lock |
| PHP | composer.lock |
| .NET | *.csproj + packages.lock.json |
Comparing results¶
The PURL (Package URL) format in the generated SBOM differs by language.
| Language | PURL example |
|---|---|
| Java | pkg:maven/org.springframework.boot/spring-boot@3.2.0 |
| Node.js | pkg:npm/express@4.18.2 |
| Python | pkg:pypi/requests@2.31.0 |
| Go | pkg:golang/github.com/gin-gonic/gin@v1.9.1 |
| Rust | pkg:cargo/serde@1.0.193 |
| Ruby | pkg:gem/rails@7.1.2 |
| PHP | pkg:composer/laravel/laravel@10.3.3 |
| .NET | pkg:nuget/Newtonsoft.Json@13.0.3 |
| Swift | pkg:swift/github.com/apple/swift-log@1.5.0 |
| Docker (OS packages) | pkg:deb/debian/curl@7.88.1 |
Troubleshooting¶
If you run into trouble running an example, see the troubleshooting section of the CLI reference.
Related: First scan | CLI reference