Sources/PackageManagerDocs/Documentation.docc/GeneratingSBOMs.md
Create an inventory of components and dependencies using SBOM documents.
Swift Package Manager generates Software Bill of Materials (SBOM) documents for Swift packages and products.
Swift Package Manager currently supports two SBOM formats: CycloneDX and SPDX.
Generate SBOMs using either the swift build command with SBOM flags or the dedicated swift package generate-sbom subcommand.
Use `swift build` to compile your project and generate SBOMs in the same step. Using the `--sbom-spec` and `--target` flags together causes an error.

Generating SBOMs through the Swift Build build backend factors in build-time conditionals:

```bash
swift build --build-system swiftbuild --sbom-spec cyclonedx
swift build --build-system swiftbuild --sbom-spec spdx
swift build --build-system swiftbuild --sbom-spec cyclonedx --sbom-spec spdx
```
The following examples generate SBOMs without using the Swift Build build backend. SBOMs generated without Swift Build may not be fully accurate, because build-time conditionals aren't applied to them:

```bash
swift build --sbom-spec cyclonedx
swift build --sbom-spec spdx
swift build --sbom-spec cyclonedx --sbom-spec spdx
```
`swift package generate-sbom` generates an SBOM without building. This SBOM is less accurate than one generated from `swift build --build-system swiftbuild`, because build-time conditionals aren't applied. For the highest accuracy, generate SBOMs with `swift build --build-system swiftbuild`.

Not specifying `--sbom-spec` generates all SBOM specs supported by Swift Package Manager:

```bash
swift package generate-sbom --sbom-spec cyclonedx
swift package generate-sbom --sbom-spec spdx
swift package generate-sbom --sbom-spec cyclonedx --sbom-spec spdx
swift package generate-sbom
```
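One way to see how much the no-build SBOM diverges from the one produced with the Swift Build backend is to diff the two documents component by component. The script below is an added example, not part of Swift Package Manager or this documentation. It assumes only the public CycloneDX JSON and SPDX JSON document shapes (CycloneDX keeps the primary component under `metadata.component`; SPDX lists it alongside the dependencies in `packages`), and the two inline documents, including every package name and version, are constructed for illustration rather than real SwiftPM output.

```python
"""Diff two SBOMs (CycloneDX or SPDX JSON) and report components only one lists.

Added example; not SwiftPM code. Only the public CycloneDX/SPDX JSON shapes are
assumed. The inline documents below are constructed samples, not SwiftPM output.
"""
import json
import sys
from typing import Set, Tuple

Component = Tuple[str, str]  # (name, version)

# Constructed sample: a CycloneDX SBOM as a swiftbuild-backed build might emit.
CYCLONEDX_BUILT = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "MyProduct", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "swift-argument-parser", "version": "1.3.0"},
        {"type": "library", "name": "swift-log", "version": "1.5.4"},
    ],
})

# Constructed sample: an SPDX SBOM for the same package generated without building.
# It also lists a dependency that a build-time conditional would have excluded.
SPDX_NOBUILD = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "MyProduct",
    "packages": [
        {"SPDXID": "SPDXRef-Package-MyProduct", "name": "MyProduct", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-1", "name": "swift-argument-parser", "versionInfo": "1.3.0"},
        {"SPDXID": "SPDXRef-Package-2", "name": "swift-log", "versionInfo": "1.5.4"},
        {"SPDXID": "SPDXRef-Package-3", "name": "linux-only-shim", "versionInfo": "0.2.0"},
    ],
})


def components_of(doc: dict) -> Set[Component]:
    """Return the (name, version) pairs a CycloneDX or SPDX JSON document lists.

    The primary component is folded into the set for both formats so that a
    CycloneDX document and an SPDX document describing the same package compare
    equal when they agree.
    """
    if doc.get("bomFormat") == "CycloneDX":
        found: Set[Component] = set()
        primary = doc.get("metadata", {}).get("component")
        if primary:
            found.add((primary["name"], primary.get("version", "")))
        for component in doc.get("components", []):
            found.add((component["name"], component.get("version", "")))
        return found
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return {(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])}
    raise ValueError("not a CycloneDX or SPDX JSON document")


def diff_sboms(left_json: str, right_json: str) -> Tuple[Set[Component], Set[Component]]:
    """Return (only_in_left, only_in_right) for two SBOM documents given as JSON text."""
    left = components_of(json.loads(left_json))
    right = components_of(json.loads(right_json))
    return left - right, right - left


if __name__ == "__main__":
    # Usage: python3 sbom_diff.py <built-sbom.json> <nobuild-sbom.json>
    # Without arguments the constructed samples above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as left_file, open(sys.argv[2]) as right_file:
            only_left, only_right = diff_sboms(left_file.read(), right_file.read())
    else:
        only_left, only_right = diff_sboms(CYCLONEDX_BUILT, SPDX_NOBUILD)
    for name, version in sorted(only_left):
        print(f"only in first:  {name} {version}")
    for name, version in sorted(only_right):
        print(f"only in second: {name} {version}")
```

Run it against the two files Swift Package Manager wrote to the SBOM output directory; any component reported as "only in second" is one the no-build SBOM lists but the built one does not, which is exactly the kind of difference build-time conditionals produce.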
The following flags apply to both `swift build` and `swift package generate-sbom`.

Generate an SBOM for a specific product in a package using the `--product` flag:

```bash
swift build --build-system swiftbuild --product MyProduct --sbom-spec cyclonedx
swift package generate-sbom --product MyProduct --sbom-spec spdx
```
Filter an SBOM to packages or to products using `--sbom-filter <type>`, where `<type>` is `package` or `product`. By default, an SBOM includes both packages and products. Swift Package Manager always includes the primary component, regardless of the applied filter:

```bash
swift build --build-system swiftbuild --sbom-spec cyclonedx --sbom-filter package
swift package generate-sbom --sbom-spec spdx --sbom-filter product
```
Swift Package Manager places generated SBOMs in `<build_output>/sboms` by default. Use `--sbom-output-dir` to specify a different directory for generated SBOMs:

```bash
swift build --build-system swiftbuild --sbom-spec cyclonedx --sbom-output-dir <path>
swift package generate-sbom --sbom-spec spdx --sbom-output-dir <path>
```
By default, if SBOM generation fails, the build or package command also fails. The `--sbom-warning-only` flag converts all SBOM generation errors to warnings, so the command succeeds even when no SBOM was written. If a pipeline treats the SBOM as a required artifact, check that the expected files exist after the command returns rather than relying on its exit status:

```bash
swift build --build-system swiftbuild --sbom-spec cyclonedx --sbom-warning-only
swift package generate-sbom --sbom-spec spdx --sbom-warning-only
```
SBOM generation can also be triggered and configured using environment variables that you set before running `swift build` or `swift package generate-sbom`. When you use CLI flags, they take precedence over environment variables.

Configure the following environment variables:

- `SWIFTPM_BUILD_SBOM_SPEC`
- `SWIFTPM_BUILD_SBOM_OUTPUT_DIR`
- `SWIFTPM_BUILD_SBOM_FILTER`
- `SWIFTPM_BUILD_SBOM_WARNING_ONLY`

`SWIFTPM_BUILD_SBOM_SPEC` accepts a comma-separated list of specs:

```bash
SWIFTPM_BUILD_SBOM_SPEC=cyclonedx,spdx swift build --build-system swiftbuild
SWIFTPM_BUILD_SBOM_SPEC=cyclonedx swift package generate-sbom
```

When generating SBOMs using `swift build` and environment variables, `swift build` generates SBOMs if, and only if, the `SWIFTPM_BUILD_SBOM_SPEC` environment variable is set; setting only the other three variables does not trigger generation.