Project

bundler-sbom

0.01
No release in over a year
bundler-sbomhsbt/bundler-sbomHomepageDocumentationSource CodeBug Tracker
Generate SPDX SBOM(Software Bill of Materials) files with Bundler
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
 Popularity
Downloads
114,639
Stars
13
Forks
2
Watchers
2
 Releases
Current version
0.3.2
Total releases
13
First release
1980-01-02
Latest release
2025-03-06
 Issues
Open Issues
0
Closed Issues
3
Total Issues
3
Issue Closure Rate
100%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
9
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2026-03-13
Reverse Dependencies
0

 Dependencies

Runtime

bundler
>= 2.0
rexml
>= 0
 Project Readme

Bundler SBOM Plugin

Generate and analyze Software Bill of Materials (SBOM) for your Ruby projects using Bundler.

Installation

Install this plugin by running:

$ bundler plugin install bundler-sbom

Usage

Generate SBOM

To generate an SBOM file from your project's Gemfile.lock:

$ bundle sbom dump [options]

Available options:

  • -f, --format FORMAT: Output format (json or xml, default: json)
  • -s, --sbom FORMAT: SBOM specification format (spdx or cyclonedx, default: spdx)
  • --without GROUPS: Exclude groups (comma or colon separated, e.g., 'development:test' or 'development,test')

Generated files will be named according to the following pattern:

  • SPDX format: bom.json or bom.xml
  • CycloneDX format: bom-cyclonedx.json or bom-cyclonedx.xml

Examples:

$ bundle sbom dump                           # Generates SPDX format in JSON (bom.json)
$ bundle sbom dump -f xml                    # Generates SPDX format in XML (bom.xml)
$ bundle sbom dump -s cyclonedx             # Generates CycloneDX format in JSON (bom-cyclonedx.json)
$ bundle sbom dump -s cyclonedx -f xml      # Generates CycloneDX format in XML (bom-cyclonedx.xml)
$ bundle sbom dump --without development    # Excludes development group
$ bundle sbom dump --without development:test  # Excludes development and test groups

Analyze License Information

To view a summary of licenses used in your project's dependencies:

$ bundle sbom license [options]

Available options:

  • -f, --file PATH: Input SBOM file path
  • -F, --format FORMAT: Input format (json or xml)

If no options are specified, the command will automatically look for SBOM files in the following order:

  1. bom.xml (if format is xml)
  2. bom-cyclonedx.json
  3. bom-cyclonedx.xml
  4. bom.json

This command will show:

  • A count of packages using each license
  • A detailed list of packages grouped by license

Note: The license command requires that you've already generated the SBOM using bundle sbom dump.

Supported SBOM Formats

SPDX (v2.3)

SPDX (Software Package Data Exchange) is a standard format for communicating software bill of material information, including components, licenses, copyrights, and security references.

  • Spec version: SPDX 2.3
  • Output formats: JSON, XML
  • License identifiers are validated against the SPDX License List via the spdx-licenses gem. Non-SPDX licenses are output as LicenseRef- identifiers, and deprecated SPDX IDs (e.g., GPL-2.0) are mapped to their current equivalents (e.g., GPL-2.0-only).

CycloneDX (v1.4)

CycloneDX is a lightweight SBOM specification designed for use in application security contexts and supply chain component analysis.

  • Spec version: CycloneDX 1.4
  • Output formats: JSON, XML
  • SPDX license IDs are placed in the license.id field, and non-SPDX licenses use the license.name field, per the CycloneDX specification.

References