Generate Software Bills of Materials for your Delphi projects — with one click.
Built for Delphi developers. Designed for compliance. Ready for the EU Cyber Resilience Act.
The EU Cyber Resilience Act (CRA) requires software vendors to document what is inside their products. Full compliance is mandatory by December 2027.
DX.Comply generates that documentation — a Software Bill of Materials (SBOM) — directly from your RAD Studio project in one click, together with human-readable HTML and Markdown reports for audit and review workflows.
You generate it. You archive it. You never have to submit it anywhere.
SBOM = a structured list of every component, file, and dependency in your software, including versions and checksums. Think of it as the ingredient list on a food label — for your application.
Generating an SBOM for the Embarcadero AlienInvasion sample project:
Screenshots: Build Confirmation, Progress & MAP Build, HTML Compliance Report.
See it for yourself: Full example SBOM (JSON) · Full example HTML report — generated from the Embarcadero AlienInvasion sample project.
DX.Comply produces standards-compliant CycloneDX 1.5 SBOMs. Each linked unit is emitted as a library component with SHA-256 hash and origin classification:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {
      "type": "application",
      "name": "AlienInvasion",
      "version": "1.0.0.0"
    }
  },
  "components": [
    {
      "type": "application",
      "name": "AlienInvasion.exe",
      "hashes": [
        { "alg": "SHA-256", "content": "d0be8d3ad469b93c...f6cee44" }
      ]
    },
    {
      "type": "library",
      "name": "System.SysUtils.dcu",
      "hashes": [
        { "alg": "SHA-256", "content": "a1c9f3e7b2d4..." }
      ],
      "properties": [
        { "name": "net.developer-experts.dx-comply:origin", "value": "Embarcadero RTL" },
        { "name": "net.developer-experts.dx-comply:evidence", "value": "DCU" },
        { "name": "net.developer-experts.dx-comply:confidence", "value": "Strong" }
      ]
    }
  ]
}
```

Run the Inno Setup installer from the Releases page. It registers the IDE plugin and CLI tool automatically.
- Open `DX.Comply.groupproj` in RAD Studio.
- Build and install the `DX.Comply.IDE` design-time package.
- Optionally build the `DX.Comply.CLI` console application for command-line / CI use.

- Install the `DX.Comply.IDE` design-time package.
- Open your project in RAD Studio.
- Choose Project > DX.Comply > Generate documentation... from the main menu.
- In the confirmation dialog, select the build configuration to use for MAP generation (the active IDE configuration is pre-selected). DX.Comply compiles the project via OTA with detailed MAP output, scans all evidence, and produces the SBOM.
- Done. Your `bom.json`, `bom.report.html`, and `bom.report.md` are in your project folder.
The CLI tool expects an existing detailed MAP file. Build your project first with `DCC_MapFile=3`, then run:

```
dxcomply --project=MyApp.dproj --format=cyclonedx-json --output=bom.json --no-pause
```

If the MAP file is in a non-standard directory, use `--map-dir`:

```
dxcomply --project=MyApp.dproj --map-dir=build/Win32/Release --output=bom.json --no-pause
```

See docs/CI-Integration.md for GitHub Actions examples and CI configuration.
DX.Comply can generate SBOMs for projects built with any Delphi version — including Delphi 7 — as long as a detailed MAP file is available. No IDE plugin is required.
- Open your project in the legacy Delphi IDE.
- Go to Project > Options > Linker and set Map file to Detailed.
- Build your project — this produces a `.map` file in the output directory.
- Run the CLI tool against the `.dproj` (or `.dof` for very old versions):

```
dxcomply --project=MyApp.dproj --output=bom.json --no-pause
```

Tip: You can automate this with a Post-Build Event in a dedicated build configuration. Create a configuration named e.g. `SBOM` that enables detailed MAP output and runs `dxcomply` as a post-build step. This way, a single build generates both your application and its SBOM.
See docs/LegacySupport.md for details.
DX.Comply always performs a Deep-Evidence analysis based on the compiler-generated MAP file. This approach identifies every linked unit (PAS/DCU) with full dependency resolution, SHA-256 hashes, and origin classification. Whether the MAP file is generated automatically by the IDE plugin or provided manually for CLI usage makes no difference to the analysis quality.
| Evidence source | Details |
|---|---|
| Project metadata | Name, version, platform, configuration, DllSuffix |
| MAP file analysis | Extracts all linked units from segment entries and line-number sections |
| Unit resolution | Resolves each unit to its source/DCU/BPL file with SHA-256 hash |
| Origin classification | Classifies each unit as Embarcadero RTL, VCL, FMX, Local project, or Third party |
| Build artefacts | Scans output directory for .exe, .dll, .bpl, .dcp with SHA-256 fingerprints |
| Compiler evidence | Parses .cfg and .rsp files for effective search paths and unit scopes |
| Format | Version | Description |
|---|---|---|
| CycloneDX JSON | 1.5 | Default — standard SBOM format for audits and tooling |
| CycloneDX XML | 1.5 | XML variant for XML-based toolchains |
| SPDX JSON | 2.3 | Linux Foundation ecosystem |
| HTML Report | — | Human-readable compliance report with unit evidence, artefacts, validation |
| Markdown Report | — | Lightweight companion for code review and archival |
All generated SBOMs are validated against the official schema before being written to disk. CycloneDX JSON output passes check-jsonschema validation against the official CycloneDX 1.5 JSON schema.
Add a .dxcomply.json to your project folder:
```json
{
  "output": "bom.json",
  "format": "cyclonedx-json",
  "include": ["build/**"],
  "exclude": ["build/**/Debug/**", "**/*.dcu"],
  "product": {
    "name": "My Application",
    "version": "2.1.0",
    "supplier": "Acme GmbH"
  },
  "report": {
    "enabled": true,
    "format": "both"
  }
}
```

Regulation (EU) 2024/2847 entered into force on 10 December 2024. If you place software on the EU market, you must:
- Document software components in your product (SBOM)
- Manage and disclose vulnerabilities
- Provide security updates throughout the support lifecycle
| Date | Milestone |
|---|---|
| 11 Sep 2026 | Vulnerability and incident reporting obligations begin |
| 11 Dec 2027 | Full CRA compliance mandatory for all products on the EU market |
The CRA requires (Annex I, Part II):
- Machine-readable format (CycloneDX or SPDX)
- Coverage of at least top-level dependencies
- One SBOM per software version
You do NOT submit the SBOM anywhere. You generate it per release, archive it, and make it available only if a market surveillance authority formally requests it.
DX.Comply handles the SBOM obligation. Other CRA requirements (secure-by-design, vulnerability management, incident reporting) are outside its scope.
- Archive it with each release — store `bom.json` alongside your release artefacts.
- Retain for at least 10 years — required by CRA Article 13.
- Be ready to hand it over if asked — market surveillance authorities can request it (Article 52).
- Sharing with customers is optional — your choice (Annex II, Part I, point 9).
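
Checking an archived release folder against its `bom.json`, as an added example (not part of DX.Comply): it recomputes SHA-256 for every component that carries a hash and lists components whose origin property reads "Third party". The function names, the sample files built in `demo()` and the exact "Third party" value string are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path, PureWindowsPath

ORIGIN = "net.developer-experts.dx-comply:origin"  # property name from the SBOM excerpt

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_release(bom_path, release_dir):
    """Check each hashed SBOM component against the same-named file in release_dir."""
    bom = json.loads(Path(bom_path).read_text(encoding="utf-8"))
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    report = {"ok": [], "mismatch": [], "absent": [], "unhashed": [], "third_party": []}
    for comp in bom.get("components", []):
        name = comp.get("name", "")
        props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
        if props.get(ORIGIN) == "Third party":  # assumed spelling of the origin value
            report["third_party"].append(name)
        expected = next((h.get("content", "").lower() for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        if not expected:
            report["unhashed"].append(name)
            continue
        # Use only the base name so a crafted component name cannot escape release_dir.
        target = Path(release_dir) / PureWindowsPath(name).name
        status = ("absent" if not target.is_file()
                  else "ok" if sha256_of(target) == expected else "mismatch")
        report[status].append(name)
    return report

def demo():
    """Constructed sample: one intact artefact, one changed after SBOM generation, one unit not shipped."""
    def digest(data):
        return [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}]
    comps = [
        {"type": "application", "name": "App.exe", "hashes": digest(b"release build")},
        {"type": "library", "name": "Helper.dll", "hashes": digest(b"original helper"),
         "properties": [{"name": ORIGIN, "value": "Third party"}]},
        {"type": "library", "name": "System.SysUtils.dcu", "hashes": digest(b"rtl unit")},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        rel = Path(tmp)
        (rel / "App.exe").write_bytes(b"release build")
        (rel / "Helper.dll").write_bytes(b"patched helper")
        (rel / "bom.json").write_text(json.dumps({"bomFormat": "CycloneDX", "components": comps}))
        return audit_release(rel / "bom.json", rel)
```

Linked units such as `.dcu` files show up under `absent` because they are compiled into the binary rather than shipped; a non-empty `mismatch` list means an archived file no longer matches what the SBOM recorded.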
| Mode | Requirement |
|---|---|
| IDE plugin | RAD Studio / Delphi 11 Alexandria or newer |
| CLI tool | Any Delphi version (requires a pre-built detailed MAP file) |
| Platform | Windows build host |
No internet connection required — all processing is local.
| Document | Description |
|---|---|
| Architecture | Engine pipeline, component overview, unit origin classification |
| CI Integration | Command-line usage, GitHub Actions examples, CI configuration |
| Legacy Support | Using DX.Comply with Delphi 7 and other legacy versions |
| Example SBOM (JSON) | Full CycloneDX 1.5 SBOM generated from the AlienInvasion sample |
| Example HTML Report | Human-readable compliance report for the same project |
Open source under the MIT License. Copyright 2026 Olaf Monien.
| Source | Link |
|---|---|
| Regulation (EU) 2024/2847 — full text | EUR-Lex |
| EC Digital Strategy — CRA overview | EC |
| ENISA — SBOM Landscape Analysis | ENISA |
DX.Comply is developed by Olaf Monien as part of the DX component suite.


