There are so many tools to build SBOMs for your application. How do you know which one to pick?
May 21, 2025
Software Bills of Materials (SBOMs) are the foundational piece of understanding your software supply chain. By listing the components that go into your application, SBOMs give you a starting point for understanding risks — including vulnerabilities, license issues, and other supply chain risks. But how do you create those SBOMs?
The best way to generate SBOMs for your software is to create them during the build process. Many tools exist to generate SBOMs, and we’ve spent some time with the different options to help you decide.
When your application and its dependencies are all written in the same programming language, SBOM generation gets much easier. Single-language SBOM generation tools are typically able to produce more reliable SBOMs, including transitive dependencies.
Some ecosystems, like Node.js, have first-party SBOM generators. For Node applications, the npm-sbom command is a great choice. npm-sbom easily integrates into existing Node workflows and can produce SBOMs in either of the two most popular specifications: CycloneDX and SPDX.
CycloneDX produces language-specific tools for a variety of ecosystems, including Java (including both the maven and gradle build systems), Node.js, Python, and Golang. These tools analyze both direct and transitive dependencies, providing a thorough inventory of all components within a project. This depth of analysis enhances supply chain transparency and security. These tools are well-maintained, in contrast to some other language-specific tools we examined.
While single-language tools often have the best accuracy and depth, not all software projects are single-language efforts. An application might have a front end written in Node, a backend written in Rust, and a command line client written in Go. You need a tool with multi-language support in order to handle those applications.
cdxgen from CycloneDX is the official SBOM generation tool of the Open Worldwide Application Security Project (OWASP). It supports a wide array of programming languages, including transitive dependencies for certain ecosystems, and can generate SBOMs in the CycloneDX format. It also offers an API for SBOM generation, which can make it easier to integrate into various workflows.
syft from Anchore is another popular multi-language SBOM generator. Syft can analyze multiple ecosystems, including Python, Go, Java, JavaScript, PHP, and Rust, making it versatile for diverse projects. The tool is pretty user-friendly, with straightforward commands and clear documentation. Syft integrates well into CI/CD pipelines, facilitating automated SBOM generation during the build process. However, it does seem to sometimes miss dependencies found by other tools.
Tern is another SBOM generation tool focused specifically on container use cases. It generates SBOMs in the SPDX format for container images and Dockerfiles, providing a layer-by-layer view of the contents. These granular insights are valuable for understanding how components are introduced into the image. However, in our experience the analysis can be time-consuming, which lengthens build times. Also, it was primarily designed for containerized applications, making it of limited use for non-containerized projects.
In general, it’s best to pick a language-specific tool if you have a single-language application. These tend to produce the highest-quality SBOMs, especially if it’s an official ecosystem tool. For multi-language applications, we’ve found cdxgen to be the most reliable. However, you should try several tools to see which integrate best into your workflows and give the best results for your portfolio.
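Comparing the output of several tools is easier when their SBOMs are reduced to a common key. The script below is an added example, not code from the post or from any of the tools it discusses: it extracts package URLs (purls) from a CycloneDX JSON SBOM and an SPDX JSON SBOM and reports which components each tool found that the other missed. The two embedded SBOMs are constructed samples; the field names follow the CycloneDX 1.x and SPDX 2.x JSON schemas.

```python
import json

# Constructed sample outputs (not from the post): a CycloneDX JSON SBOM and an
# SPDX JSON SBOM for the same project, where the SPDX tool missed one package.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "minimist", "version": "1.2.8",
         "purl": "pkg:npm/minimist@1.2.8"},
    ],
})
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "lodash", "versionInfo": "4.17.21", "SPDXID": "SPDXRef-lodash",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
    ],
})


def component_purls(sbom_text):
    """Return the set of purls in a CycloneDX or SPDX JSON SBOM.
    purls are the most portable cross-tool identifier, so they are the
    comparison key; entries without a purl fall back to name@version."""
    doc = json.loads(sbom_text)
    purls = set()
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            purls.add(comp.get("purl") or f"{comp['name']}@{comp.get('version', '')}")
    elif "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            refs = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                    if r.get("referenceType") == "purl"]
            purls.add(refs[0] if refs else f"{pkg['name']}@{pkg.get('versionInfo', '')}")
    else:
        raise ValueError("unrecognised SBOM format")
    return purls


def compare_sboms(sbom_a, sbom_b):
    """Components found by tool A but missed by tool B, and vice versa."""
    a, b = component_purls(sbom_a), component_purls(sbom_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a), "common": sorted(a & b)}


if __name__ == "__main__":
    print(json.dumps(compare_sboms(CYCLONEDX_SBOM, SPDX_SBOM), indent=2))
```

Real SPDX output usually also contains a package describing the project itself (the one referenced by the document's DESCRIBES relationship), so a production comparison should exclude that entry before diffing.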
The good news is that you don’t need your SBOM to be perfect. Imperfect SBOMs are better than no SBOMs. The Kusari Platform will take your SBOM and enrich it with additional information on dependencies, vulnerabilities, licenses, and more. This gives you a more complete view of your software supply chain. Sign up for a demo to see how Kusari can help you get actionable insights.