Generating SBOMs

lynkctl generate reads a project's build system or its package-manager descriptors and emits a CycloneDX 1.6+ or SPDX 3.0+ (Experimental) SBOM. Build providers inspect C/C++ project metadata without executing the build; manifest providers read package-manager descriptors directly.

lynkctl generate [DIR] [flags]

DIR is the project root and defaults to the current directory.


Provider Selection

By default lynkctl auto-detects the provider from root-level signals. If multiple provider signals are present at the root, detection is ambiguous and lynkctl asks you to choose with --provider.

Build providers

| --provider | Build system |
|---|---|
| gnu-make | GNU Make |
| cmake | CMake |
| iar | IAR Embedded Workbench for Arm |

Manifest providers

| --provider | Ecosystem |
|---|---|
| npm | JavaScript / npm |
| yarn | JavaScript (alias for the npm provider) |
| python | Python |
| go | Go modules |
| cargo | Rust / Cargo |
| gem | Ruby / RubyGems |
| php | PHP / Composer |
| nuget | .NET / NuGet |
| dotnet | .NET (alias for the NuGet provider) |
| csharp | .NET (alias for the NuGet provider) |
| maven | Java / Maven |
| gradle | Java / Gradle |

--provider auto (the default) detects any of the above. See the Overview for the files each provider is detected from.

For step-by-step walkthroughs, see the How-To guides:

Quick Examples

Flag Reference

Every command supports --output, --quiet, --verbose, and --strict — see Overview. The most common generate flags:

| Flag | Description |
|---|---|
| --provider | Choose the build system or manifest provider (default auto). |
| --evidence | Include evidence for how each field was determined. See Evidence & Confidence. |
| --reproducible | Produce deterministic output. See Reproducible SBOMs. |
| --overrides | Apply manual component corrections from a YAML file. See Manual Overrides. |
| --no-enrich | Skip enrichment; emit only build-system or manifest extraction. |

Provider-specific flags — such as --cmake-build-dir, --iar-config, and --make-target — are covered in the How-To guide for each build system. Run lynkctl generate --help for the complete flag reference.

Manual Overrides

--overrides points at a YAML file. Each entry matches a component by name or by source-file path glob, and replaces its fields. Overrides resolve at confidence 1.0 and always win over auto-detected values. Empty fields are left untouched. An entry that matches no component emits an OVERRIDE_NO_MATCH diagnostic.
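The resolution rules above can be modelled in a few lines. This is an added example, not lynkctl's code or its YAML schema: the dictionary keys (name, path, set, sources, fields) and all sample values are assumptions constructed for illustration.

```python
from copy import deepcopy
from fnmatch import fnmatch

# Hypothetical in-memory shapes (assumptions, not lynkctl's YAML schema):
#   component: {"name": str, "sources": [paths], "fields": {field: (value, confidence)}}
#   override:  {"name": str | None, "path": glob | None, "set": {field: value}}

def matches(override, component):
    """An entry matches by component name or by source-file path glob."""
    if override.get("name") and override["name"] == component["name"]:
        return True
    glob = override.get("path")
    return bool(glob) and any(fnmatch(src, glob) for src in component["sources"])

def apply_overrides(components, overrides):
    """Return (patched components, diagnostics) without mutating the inputs."""
    result = deepcopy(components)
    diagnostics = []
    for entry in overrides:
        hit = False
        for comp in result:
            if not matches(entry, comp):
                continue
            hit = True
            for field, value in entry.get("set", {}).items():
                if value in (None, ""):  # empty override field: keep detected value
                    continue
                comp["fields"][field] = (value, 1.0)  # override wins at confidence 1.0
        if not hit:  # a stale entry is reported, never silently dropped
            diagnostics.append(("OVERRIDE_NO_MATCH", entry.get("name") or entry.get("path")))
    return result, diagnostics

# Constructed sample data: two detected components and three override entries.
DETECTED = [
    {"name": "zlib", "sources": ["third_party/zlib/inflate.c"],
     "fields": {"version": ("1.2.11", 0.6), "license": ("Zlib", 0.9)}},
    {"name": "app", "sources": ["src/main.c"],
     "fields": {"version": ("0.0.0", 0.3)}},
]
OVERRIDES = [
    {"path": "third_party/zlib/*", "set": {"version": "1.3.1", "license": ""}},
    {"name": "app", "set": {"version": "2.4.0"}},
    {"name": "openssl", "set": {"version": "3.0.13"}},  # matches nothing
]

if __name__ == "__main__":
    patched, diags = apply_overrides(DETECTED, OVERRIDES)
    for comp in patched:
        print(comp["name"], comp["fields"])
    print(diags)
```

Treating OVERRIDE_NO_MATCH as a build failure in CI keeps a renamed or removed component from leaving a stale correction unnoticed in the overrides file.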
