SBOM Generator — lockfile to CycloneDX online, no install
Free online SBOM generator: converts package-lock.json, pinned requirements.txt, Cargo.lock, or go.sum into a CycloneDX 1.6 SBOM with package URLs — including all transitive dependencies, entirely in your browser.
Why generate the SBOM from a lockfile, not a manifest?
| Source | What it contains | SBOM quality |
|---|---|---|
package.json / pyproject.toml | Version ranges, direct deps only | Incomplete — fails NTIA minimum elements; this tool refuses it and says why |
package-lock.json, Cargo.lock, go.sum, pip freeze output | Exact resolved versions, full transitive tree | Complete component inventory with valid purls |
Under the EU Cyber Resilience Act (Regulation (EU) 2024/2847), manufacturers of products with digital elements must maintain a machine-readable SBOM of at least the top-level dependencies (Annex I Part II) — and in practice, vulnerability monitoring obligations make the full transitive inventory the useful artifact. Reporting obligations begin 11 September 2026; full application 11 December 2027.
Firmware with CMake/vendored C libraries, multi-ecosystem merges, VEX statements, and the CRA technical-documentation pack: that's the CRA-Ready kit →