SBOMgen is a free, open-source tool for generating CycloneDX 1.6 Software Bills of Materials (SBOMs) for Delphi applications. It analyses the MAP file produced by the Delphi linker, cross-references detected units against the Delphi IDE library paths and a maintained metadata catalog, and produces a standards-conformant SBOM in CycloneDX 1.6 JSON format (ECMA-424, 1st Edition).
SBOMgen is designed with legacy Delphi codebases in mind. Generating an SBOM for a project that has been in production for years is often more urgent than for a new one, and SBOMgen works with MAP files from any Delphi version it can detect in the Windows registry.
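The MAP-to-SBOM flow described above, together with the prefix-based package resolution listed among the features below, sketched as an added example that is not SBOMgen's own code. The MAP excerpt is constructed, and the catalog layout and the function names (`units_from_map`, `resolve`, `build_sbom`) are hypothetical, since SBOMgen's actual catalog format is not shown on this page.

```python
import json
import re

# Constructed excerpt in the style of a Delphi detailed MAP file (not real output).
SAMPLE_MAP = """\
Detailed map of segments
 0001:00000000 0000F6D4 C=CODE     S=.text    G=(none)   M=System   ACBP=A9
 0001:0000F6D4 00012A40 C=CODE     S=.text    G=(none)   M=System.SysUtils ACBP=A9
 0001:00022114 00008B10 C=CODE     S=.text    G=(none)   M=Vcl.Forms ACBP=A9
 0001:0002AC24 00003F00 C=CODE     S=.text    G=(none)   M=Spring.Collections ACBP=A9
 0001:0002EB24 00000900 C=CODE     S=.text    G=(none)   M=uMainForm ACBP=A9
 0002:00000000 00001200 C=DATA     S=.data    G=(none)   M=System   ACBP=A9
"""

# Hypothetical catalog: (unit prefix, component, extra fields); Spring4D row from the README table.
CATALOG = [
    ("System", "Delphi RTL", {}),
    ("Vcl", "Delphi VCL", {}),
    ("Spring", "Spring4D", {"version": "2.0.1",
                            "licenses": [{"license": {"id": "Apache-2.0"}}]}),
]
SEGMENT_RE = re.compile(r"^\s*[0-9A-F]{4}:[0-9A-F]{8}\s+[0-9A-F]{8}\s.*?\bM=(\S+)", re.I)

def units_from_map(text):
    """Return the sorted, de-duplicated unit names from the M= field."""
    return sorted({m.group(1) for line in text.splitlines()
                   if (m := SEGMENT_RE.match(line))})

def resolve(unit):
    """Longest-prefix match on dotted unit names; None means unattributed."""
    u = unit.lower()  # Delphi identifiers are case-insensitive
    hits = [e for e in CATALOG
            if u == e[0].lower() or u.startswith(e[0].lower() + ".")]
    return max(hits, key=lambda e: len(e[0]), default=None)

def build_sbom(map_text):
    """Return (CycloneDX 1.6 document as a dict, units no catalog entry covers)."""
    components, unresolved = {}, []
    for unit in units_from_map(map_text):
        entry = resolve(unit)
        if entry is None:
            unresolved.append(unit)  # keep for manual review instead of dropping
        else:
            components.setdefault(entry[1], {"type": "library", "name": entry[1], **entry[2]})
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1}
    return {**bom, "components": list(components.values())}, unresolved

if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_MAP), indent=2))
```

Units that match no catalog prefix (here the project's own `uMainForm`) are returned separately so they can be reviewed rather than silently omitted from the SBOM.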
- CycloneDX 1.6 JSON output, validated against the official schema
- Detects Delphi RTL, VCL, FireDAC, Indy, and other bundled components automatically
- Identifies GetIt-installed packages via the CatalogRepository
- Maintained metadata catalog with built-in entries for common Delphi libraries
- Catalog-driven unit membership and prefix-based package resolution
- Per-project metadata editing with user-edit protection against catalog updates
- Optional CycloneDX CLI validation integration
- Supports multiple projects and multiple installed Delphi versions
- Delphi 12.3 Athens or Delphi 13 Florence — confirmed working
- Earlier versions including XE4 and later should work but have not been fully tested. Building on versions earlier than XE4 may require minor changes to the source. Community feedback on older compiler support is welcome.
The following libraries are added to the Delphi library search path as source. No installer is required — download and add the source folders to your library path in Tools → Options → Language → Delphi → Library.
| Library | Version tested | License | Source |
|---|---|---|---|
| Spring4D | 2.0.1 | Apache 2.0 | Bitbucket |
| Fundamentals5 | 5.0 | BSD 2-Clause | GitHub |
The following components must be installed into the Delphi IDE before building.
| Component | Version tested | License | Source |
|---|---|---|---|
| Konopka Signature VCL Controls (KSVC) | 8.0.1 | Proprietary | GetIt |
| VirtualTreeView | 8.3 | MPL 1.1 / LGPL | GitHub |
| SynEdit | 2025.03 | MPL 1.1 | GetIt |
| SVGIconImageList | 2.4.0 | Apache 2.0 | GetIt / GitHub |
| MarkdownHelpViewer | 2.4.0 | Apache 2.0 | GitHub |
Note on MarkdownHelpViewer: MarkdownHelpViewer bundles Image32, Clipper, and its own copy of SVGIconImageList as source — no separate installation of those is required. However, SVGIconImageList must also be installed separately via GetIt or GitHub before installing MarkdownHelpViewer. This is because MarkdownHelpViewer's design-time packages require the FrameViewer component, which is provided by the SVGIconImageList installation. Install SVGIconImageList first, then MarkdownHelpViewer.
Note on in-application help: In-application help requires the `MARKDOWN_HELP` conditional define to be added to Project Options → Delphi Compiler → Conditional Defines in all configurations. Without it, SBOMgen builds and runs normally — help is available in the `Manual\` folder as a PDF. See the header comment in `f_Main.pas` and `f_HelpViewer.pas` for details.
- Windows — SBOMgen reads the Windows registry to detect installed Delphi versions and requires Windows for all registry and file system operations.
- The CycloneDX CLI tool is optional but recommended for SBOM validation. Download the standalone `cyclonedx-win-x64.exe` from https://github.com/CycloneDX/cyclonedx-cli/releases.
- Clone or download the repository.
- Ensure all third-party libraries listed above are installed and on the Delphi library search path.
- Open `SBOMgen.dproj` in the Delphi IDE.
- Select Build → Build All.
- The executable will be produced in the `Win32\Release` or `Win64\Release` folder depending on your target platform.
The Tests\ folder contains a separate DUnitX test project SBOMgenTests.dproj.
Build and run it independently to verify the unit test suite — 159 tests are
expected to pass.
See the SBOMgen User Manual in the Manual\ folder for full documentation,
including:
- What an SBOM is and why it matters
- How to configure a project
- How to work with the metadata catalog
- How to validate generated SBOMs
```
SBOMgen/
├── *.pas, *.dfm          Source files
├── SBOMgen.dpr/.dproj    Project files
├── Data/                 SPDX license data
├── Help/                 In-application help content
├── Manual/               User manual (PDF)
├── Tests/                DUnitX test project and fixtures
└── SBOM Test/            Sample MAP file and generated SBOM examples
```
DX.Comply by Olaf Monien is a complementary Delphi SBOM tool that operates as a RAD Studio IDE plugin and command-line tool. DX.Comply resolves every linked unit individually to its DCU or BPL file with a SHA-256 hash. SBOMgen and DX.Comply serve different workflows — DX.Comply for automated unit-level scanning, SBOMgen for curated package-level metadata management.
SBOMgen is released under the MIT License. See the LICENSE file for the
full license text.
SBOMgen is provided as-is, without warranty of any kind. You build and use this software entirely at your own risk. The authors make no representations or warranties of any kind, express or implied, regarding the correctness, completeness, reliability, or suitability of the software or the SBOMs it produces for any particular purpose, including regulatory compliance.
SBOMs generated by SBOMgen reflect the tool's analysis of the provided MAP file and metadata catalog at the time of generation. It is the user's responsibility to review and verify the accuracy of all generated output before relying on it for compliance, legal, or security purposes.
This software is not legal advice. If you have questions about SBOM requirements under specific regulations such as the EU Cyber Resilience Act or US Executive Order 14028, consult appropriate legal counsel.
Contributions, bug reports, and feedback are welcome via the GitHub issue tracker. Community testing on older Delphi versions is particularly valuable — if you successfully build and run SBOMgen on a version not listed above, please open an issue or pull request to update the documentation.
William Meyer — Embarcadero MVP