Sbom command

Generates a Software Bill of Materials (SBOM) for a project or project group. By default the command emits CycloneDX 1.5 JSON for each enabled platform, SPDX 2.3 JSON is also available.

DPM packages are detected automatically. For non-DPM libraries the command relies on linker MAP files - make sure Linking > Map file = Detailed is enabled in the build configuration you point at, otherwise non-DPM dependencies will be missing from the SBOM.

Usage

bat

dpm sbom [project] [options]

[project] is a .dproj or .groupproj and defaults to the current directory.

Options

Option	Description
outdir (-o)	Output directory for SBOM files. Defaults to the project directory.
format (-f)	Comma-separated list of formats: `cyclonedx` , `spdx` , `html` , `markdown` . Aliases: `both` = `cyclonedx,spdx` ; `all` = every format. Default: `cyclonedx,spdx` .
platforms (-p)	Comma-separated platforms to generate for. Default: all enabled in the project.
config (-c)	Build configuration to use when locating the MAP file. Default: `Release` , falling back to `Debug` , then the first available.
map (-m)	Path to a specific MAP file. Overrides auto-detection. Only valid for single-platform invocations.
no-runtime	Exclude the Delphi RTL / VCL / FMX component from the SBOM (included by default).
strict	Fail with a non-zero exit code if a MAP file is missing. Default: warn and emit a partial SBOM.
per-project	When the input is a `.groupproj` , emit one SBOM per dproj per platform (legacy behaviour). Default: one aggregated SBOM per platform spanning the whole group.

Examples

bat

dpm sbom .\MyProject.dproj

dpm sbom .\MyProject.dproj -outdir=c:\temp -format=cyclonedx

dpm sbom .\MyProject.dproj -format=html,markdown

dpm sbom .\MyProject.dproj -format=all

dpm sbom .\MyProject.dproj -platforms=Win32,Win64 -config=Release

dpm sbom .\MySolution.groupproj

dpm sbom .\MySolution.groupproj -per-project