Install the CycloneDX generator for your ecosystem (e.g., cyclonedx-gomod for Go modules, @cyclonedx/cyclonedx-npm for npm projects, cyclonedx-python for Python, published on PyPI as cyclonedx-bom)
Run the tool against your project root, after dependency resolution has completed, to produce a CycloneDX JSON or XML document whose metadata.component describes your own application
Check that each component entry carries a bom-ref, a purl, and a version; since spec 1.4 only type and name are required by the schema, so a document can pass schema validation while missing all three, and a component without a purl or version cannot be matched against vulnerability databases
Inspect the dependencies array: each entry names a component by ref and lists its direct dependencies in dependsOn, and every ref and dependsOn value must match a bom-ref declared in metadata.component or components; a graph with a single root entry and no deeper edges usually means the tool flattened the tree
Validate the output against the CycloneDX schema for the exact specVersion you emitted, using the validate subcommand of cyclonedx-cli (or the schema files from the CycloneDX specification repository) in a CI step that fails the build on errors
Attach the SBOM as a build artifact and record its SHA-256 digest alongside it (signed, or in your attestation store) so consumers can later verify that the document they hold is the one the build produced
Known gotchas
Transitive dependencies are omitted if the tool only performs shallow analysis (reading a manifest rather than the resolved lock file); confirm it resolves the full graph by checking that dependsOn chains go more than one level deep and that the component count roughly matches what the package manager itself resolves before trusting the output
bom-ref values must be unique within the document; auto-generated refs often default to the purl, so when the same package appears twice (for example, two copies of one npm package installed at different paths) the refs collide and every dependsOn edge pointing at that ref becomes ambiguous, so detect collisions before publishing
Some package managers require a prior install or lock-file generation step (for instance npm install or go mod download) before the CycloneDX tool can enumerate all dependencies; run the SBOM step after the build has resolved dependencies, not before
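The checks from the procedure and the gotchas above, turned into a small audit script. This is an added example, not code from any CycloneDX project: it loads a CycloneDX JSON document, reports components lacking bom-ref, purl or version, finds duplicate bom-refs, flags dependsOn edges that point at refs no component declares and components that appear nowhere in the dependency graph, and records the document's SHA-256 for the artifact record. The embedded BOM is constructed for the example and deliberately contains each of those defects; the package names and purls in it are made up.

```python
"""Structural audit of a CycloneDX JSON SBOM (added example, not project code)."""
import hashlib
import json
from collections import Counter

# Constructed sample document, hand-written to resemble cyclonedx-gomod output.
# It deliberately contains: a duplicated bom-ref, a component without purl or
# version, a dependsOn edge to a ref that no component declares, and a component
# that never appears in the dependency graph. Names and purls are fictitious.
ROOT = "pkg:golang/example.com/demo-app@1.0.0"
LIB_A = "pkg:golang/example.com/libA@2.3.1"
LIB_B = "pkg:golang/example.com/libB@0.9.0"
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app",
                               "version": "1.0.0", "purl": ROOT, "bom-ref": ROOT}},
    "components": [
        {"type": "library", "name": "libA", "version": "2.3.1", "purl": LIB_A, "bom-ref": LIB_A},
        {"type": "library", "name": "libB", "version": "0.9.0", "purl": LIB_B, "bom-ref": LIB_B},
        # second copy of libB: the generator reused the purl as bom-ref, so the refs collide
        {"type": "library", "name": "libB", "version": "0.9.0", "purl": LIB_B, "bom-ref": LIB_B},
        # vendored code with no purl and no version: schema-valid, but unmatchable
        {"type": "library", "name": "vendored-thing", "bom-ref": "vendored-thing"},
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [LIB_A]},
        {"ref": LIB_A, "dependsOn": [LIB_B, "pkg:golang/example.com/missing@1.0.0"]},
    ],
}, indent=2)


def document_hash(text: str) -> str:
    """SHA-256 of the exact bytes you attach as the build artifact."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def all_components(bom):
    """Yield metadata.component (the root) followed by every entry in components."""
    root = bom.get("metadata", {}).get("component")
    if root:
        yield root
    yield from bom.get("components", [])


def check_fields(bom):
    """Report components lacking bom-ref, purl or version (all optional in the schema)."""
    issues = []
    for idx, comp in enumerate(all_components(bom)):
        label = comp.get("bom-ref") or comp.get("name") or f"component[{idx}]"
        for field in ("bom-ref", "purl", "version"):
            if not comp.get(field):
                issues.append(f"{label}: missing {field}")
    return issues


def check_unique_refs(bom):
    """Report bom-ref values declared more than once in the document."""
    counts = Counter(c["bom-ref"] for c in all_components(bom) if c.get("bom-ref"))
    return [f"duplicate bom-ref {ref} ({n} occurrences)"
            for ref, n in counts.items() if n > 1]


def check_dependency_graph(bom):
    """Every ref and dependsOn target must name a declared component; also flag
    declared components that the graph never mentions (a hint the graph is partial)."""
    known = {c["bom-ref"] for c in all_components(bom) if c.get("bom-ref")}
    issues, seen = [], set()
    for entry in bom.get("dependencies", []):
        ref = entry.get("ref")
        seen.add(ref)
        if ref not in known:
            issues.append(f"dependency ref {ref} is not a declared component")
        for target in entry.get("dependsOn", []):
            seen.add(target)
            if target not in known:
                issues.append(f"{ref} dependsOn {target}, which is not a declared component")
    for orphan in sorted(known - seen):
        issues.append(f"{orphan} is declared but appears nowhere in the dependency graph")
    return issues


def audit(text: str) -> dict:
    """Run all checks over a CycloneDX JSON document and return a report."""
    bom = json.loads(text)
    return {
        "sha256": document_hash(text),
        "field_issues": check_fields(bom),
        "duplicate_refs": check_unique_refs(bom),
        "graph_issues": check_dependency_graph(bom),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_BOM), indent=2))
```

To use it on real output, replace SAMPLE_BOM with the file your generator produced and fail the CI step when any of the three issue lists is non-empty; the hash goes into the artifact record from the last step of the procedure. This script complements schema validation rather than replacing it: the schema does not enforce any of the properties checked here.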