Software Bill of Materials in CycloneDX 1.6 and SPDX 2.3


# sbom

Software Bill of Materials (SBOM) generation for OCaml.

Generate and parse Software Bills of Materials in the CycloneDX 1.6 and SPDX 2.3 formats. The library provides typed OCaml representations of each format with JSON codec support via jsont, suitable for supply-chain traceability and compliance workflows. Note that a codec only serializes what it is given: an SBOM is as trustworthy as the checksums, download locations and license data written into it, and checking those against the actual artifacts is the responsibility of the producer and consumer, not of this library.

The shared Sbom module defines common types (hash algorithms, SPDX license expressions, Package URLs) reused across both formats. The Spdx and Cyclonedx modules provide full document-level types, constructors, equality checks, and JSON round-tripping.

## Installation

opam install sbom

## Usage

(* Build an SPDX 2.3 document and serialize it to JSON.

   The package below is described by a download location only: no
   checksum is declared, so a consumer has nothing to verify the fetched
   tarball against. The Spdx module also models package checksums (see
   the API section); attach one for anything that should be verifiable. *)
let doc =
  (* Who produced the document and when (fixed timestamp for the example). *)
  let creation_info =
    Spdx.creation_info ~created:"2025-01-01T00:00:00Z"
      ~creators:["Tool: ocaml-sbom"] ()
  in
  (* The single package this document describes. *)
  let package =
    Spdx.package ~spdx_id:"SPDXRef-pkg" ~name:"my-library" ~version:"1.0.0"
      ~download_location:"https://example.com/my-library-1.0.0.tar.gz"
      ~license_declared:"ISC" ()
  in
  Spdx.document ~name:"my-sbom"
    ~namespace:"https://example.com/sbom/my-sbom"
    ~creation_info ~packages:[package] ()

(* JSON text of the SPDX document. *)
let json = Spdx.to_string doc
(* Build a CycloneDX 1.6 BOM holding one library component.

   The component is identified by an "opam" Package URL and a declared
   license; no hash is attached, so the BOM names the component without
   pinning its contents. The Sbom module provides hash values (see the
   API section) for BOMs that must be checked against real artifacts. *)
let bom =
  let licenses = [Sbom.license_id "ISC"] in
  let purl = Sbom.purl ~typ:"opam" ~name:"my-library" ~version:"1.0.0" () in
  let library =
    Cyclonedx.component ~typ:Library ~name:"my-library" ~version:"1.0.0"
      ~purl ~licenses ()
  in
  Cyclonedx.bom [library]

(* JSON text of the CycloneDX BOM. *)
let json = Cyclonedx.to_string bom

## API

  • Sbom -- Shared types: hash algorithms (SHA256, BLAKE3, etc.), hash values, SPDX license expressions, and Package URL (purl) construction.
  • Spdx -- SPDX 2.3 document model: creation info, packages, checksums, external references, relationships, and full documents with JSON codecs.
  • Cyclonedx -- CycloneDX 1.6 BOM model: components (application, library, firmware, etc.), metadata, external references, and full BOMs with JSON codecs.

## References