Test System Security


LabVIEW CycloneDX SBOM Toolkit

What I have there isn't too much of a spin-off. It's mostly a GUI for Sam's toolkit (he did all of the heavy lifting there). I did change some of the OpenG functions as I was having issues as well, but that was pretty minuscule. All kudos still go to Sam there.

0 Kudos
Message 11 of 12
(40 Views)

FYI:

Working on generalizing the SBOM metadata bit (generate a CPE based on inputs from the project or user, etc.), I noticed that the original code gets its metadata section highlighted as erroneous by some tools. I have fixed this in the generalized version I am working on, but is this something others have seen as well?

Here is a comment from a parser:

The header (specifically the metadata section) of this CycloneDX 1.5 SBOM is malformed.
 
The issue is here:
"metadata": {
  "timestamp": "2026-04-23T08:58:37.184Z",
  "manufacture": { "name": "RAM AS&D" },
  "supplier": { "name": "RAM AS&D" },
  "component": {
    "type": "application",
    "name": "softwarename",
    "metadata": {                  // ← This is invalid
      "component": {
        "supplier": { "name": "RAM AS&D" },
        "author": { "name": "RAM AS&D" },
        "version": "4.0.9",
        "description": "Softwarename",
        "cpe": "cpe:2.3:a:ramasd:softwarename:1.2.219:*:*:*:*:*:*:*"
      }
    }
  }
}
In CycloneDX (including version 1.5), the top-level metadata.component is meant to directly describe the main/root component that the entire BOM is about. It should be a standard Component object. You cannot nest another "metadata": { "component": { ... } } inside it. That structure does not exist in the schema.
0 Kudos
Message 12 of 12
(20 Views)
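The structural point the parser raises above is easy to check for yourself before handing a BOM to downstream tooling. The following is an added example in Python, not code from the LabVIEW toolkit or from the parser quoted in the post. It embeds the malformed header from the post as constructed sample data (wrapped in a minimal BOM; the parser's "// This is invalid" marker is dropped because JSON has no comments), lists the property names and type values a CycloneDX 1.5 Component object accepts (taken from the 1.5 JSON schema), reports the bogus nested metadata key, and flattens the inner component into the outer one so the result is a plain Component. It also checks one thing a schema validator would not: in the quoted header the CPE's version field (1.2.219) disagrees with the component's own version (4.0.9), and the check below surfaces that as a warning. The function and constant names are this example's own.

```python
"""Check and repair the CycloneDX 1.5 metadata.component block.

Added example (not part of the LabVIEW toolkit or the quoted parser): it
reproduces the malformed header from the thread as constructed sample data,
reports what is wrong with it, and flattens the bogus nested block into a
proper Component object.
"""
import json

# Property names a CycloneDX 1.5 Component object may carry (bom-1.5 schema).
COMPONENT_KEYS = {
    "type", "mime-type", "bom-ref", "supplier", "author", "publisher", "group",
    "name", "version", "description", "scope", "hashes", "licenses", "copyright",
    "cpe", "purl", "swid", "modified", "pedigree", "externalReferences",
    "components", "evidence", "releaseNotes", "modelCard", "data", "properties",
    "signature",
}
# Allowed values of component.type in CycloneDX 1.5.
COMPONENT_TYPES = {
    "application", "framework", "library", "container", "platform",
    "operating-system", "device", "device-driver", "firmware", "file",
    "machine-learning-model", "data",
}

# Constructed sample: the header quoted in the thread, wrapped in a minimal BOM.
BAD_SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2026-04-23T08:58:37.184Z",
    "manufacture": { "name": "RAM AS&D" },
    "supplier": { "name": "RAM AS&D" },
    "component": {
      "type": "application",
      "name": "softwarename",
      "metadata": {
        "component": {
          "supplier": { "name": "RAM AS&D" },
          "author": { "name": "RAM AS&D" },
          "version": "4.0.9",
          "description": "Softwarename",
          "cpe": "cpe:2.3:a:ramasd:softwarename:1.2.219:*:*:*:*:*:*:*"
        }
      }
    }
  },
  "components": []
}"""


def load_sample():
    """Parse the constructed sample BOM into a dict."""
    return json.loads(BAD_SBOM_JSON)


def check_metadata_component(sbom):
    """Return (severity, message) findings for sbom["metadata"]["component"].

    "error" findings are structural/format violations (unknown property,
    bad type, malformed CPE); "warning" findings are consistency problems
    that a schema validator alone will not catch.
    """
    findings = []
    comp = sbom.get("metadata", {}).get("component")
    if not isinstance(comp, dict):
        return [("error", "metadata.component is missing or not an object")]
    for key in comp:
        if key not in COMPONENT_KEYS:
            findings.append(("error", f"metadata.component.{key}: not a Component property"))
    if comp.get("type") not in COMPONENT_TYPES:
        findings.append(("error", f"metadata.component.type: {comp.get('type')!r} is not a valid type"))
    if not comp.get("name"):
        findings.append(("error", "metadata.component.name: required"))
    # CPE 2.3 formatted string: 13 colon-separated fields, version is field 5.
    # A plain split is enough for this sample; real CPEs may escape colons ("\:").
    cpe, version = comp.get("cpe"), comp.get("version")
    if cpe and version:
        fields = cpe.split(":")
        if len(fields) != 13:
            findings.append(("error", f"metadata.component.cpe: not a well-formed CPE 2.3 string ({len(fields)} fields)"))
        elif fields[5] not in ("*", "-", version):
            findings.append(("warning", f"metadata.component.cpe: version field {fields[5]!r} != component version {version!r}"))
    return findings


def flatten_metadata_component(sbom):
    """Return a deep copy in which a nested metadata.component.metadata.component
    (the shape the parser rejected) is merged into the outer Component.

    The outer component wins on conflicting keys; the inner block only fills in
    what the outer one lacks. The input dict is left untouched.
    """
    fixed = json.loads(json.dumps(sbom))
    comp = fixed["metadata"]["component"]
    inner = comp.pop("metadata", {}).get("component", {})
    for key, value in inner.items():
        comp.setdefault(key, value)
    return fixed


if __name__ == "__main__":
    bad = load_sample()
    for severity, message in check_metadata_component(bad):
        print(f"before: {severity}: {message}")
    good = flatten_metadata_component(bad)
    for severity, message in check_metadata_component(good):
        print(f"after:  {severity}: {message}")
    print(json.dumps(good["metadata"]["component"], indent=2))
```

Run it directly and the "before" pass reports the stray metadata key as an error; after flattening, only the CPE/version mismatch warning remains, which is a data-quality issue in the generated values rather than a schema problem. For a full validation against the official schema, feed the flattened document to the CycloneDX CLI or a JSON Schema validator; the key set above is only the subset needed to catch this particular mistake.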