SBOM Generator — lockfile to CycloneDX online, no install

Free online SBOM generator: converts package-lock.json, pinned requirements.txt, Cargo.lock, or go.sum into a CycloneDX 1.6 SBOM with package URLs — including all transitive dependencies, entirely in your browser.

Why generate the SBOM from a lockfile, not a manifest?

SourceWhat it containsSBOM quality
package.json / pyproject.tomlVersion ranges, direct deps onlyIncomplete — fails NTIA minimum elements; this tool refuses it and says why
package-lock.json, Cargo.lock, go.sum, pip freeze outputExact resolved versions, full transitive treeComplete component inventory with valid purls

Under the EU Cyber Resilience Act (Regulation (EU) 2024/2847), manufacturers of products with digital elements must maintain a machine-readable SBOM of at least the top-level dependencies (Annex I Part II) — and in practice, vulnerability monitoring obligations make the full transitive inventory the useful artifact. Reporting obligations begin 11 September 2026; full application 11 December 2027.

Firmware with CMake/vendored C libraries, multi-ecosystem merges, VEX statements, and the CRA technical-documentation pack: that's the CRA-Ready kit →