- Overview
- Maven-Based Projects
- Gradle-Based Projects
- Advanced Configuration
- CI/CD Integration
- References
## Overview

This guide explains how to generate a Software Bill of Materials (SBOM) for Java applications using the CycloneDX plugins for the Maven and Gradle build systems. An SBOM is a machine-readable inventory of every component, library, and dependency that goes into your software, which is the basis for vulnerability matching, license review, and supply-chain compliance.
## Maven-Based Projects

Add the CycloneDX Maven plugin to the `<build><plugins>` section of your `pom.xml`:

```xml
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.9.1</version>
  <configuration>
    <projectType>application</projectType>
    <outputFormat>json</outputFormat>
    <outputName>application.cdx</outputName>
    <schemaVersion>1.6</schemaVersion>
  </configuration>
</plugin>
```
Option | Description | Default |
---|---|---|
`projectType` | Type of project (`application` or `library`) | `application` |
`outputFormat` | Format of the SBOM (`json` or `xml`) | `json` |
`outputName` | Name of the output SBOM file | `application.cdx` |
`schemaVersion` | CycloneDX schema version | `1.6` |
To generate the SBOM, run:

```bash
mvn cyclonedx:makeAggregateBom
```

The SBOM is written to the `target` directory under the configured output name and format (here `target/application.cdx.json`). `makeAggregateBom` produces one SBOM covering all modules of a multi-module build; for a single-module project the `cyclonedx:makeBom` goal yields the same file.
## Gradle-Based Projects

Add the CycloneDX Gradle plugin to your `build.gradle` or `build.gradle.kts` (Groovy DSL shown):

```groovy
plugins {
  id 'org.cyclonedx.bom' version '2.2.0'
}

tasks.named('cyclonedxBom') {
  schemaVersion = "1.6"
  includeConfigs = ["runtimeClasspath", "compileClasspath"]
  skipProjects = [rootProject.name]
  projectType = "application"
  includeBomSerialNumber = true
  includeLicenseText = false
  destination = file("build/reports")
  outputName = "application.cdx"
  outputFormat = "json"
}
```
Option | Description | Default |
---|---|---|
`schemaVersion` | CycloneDX schema version | `1.6` |
`includeConfigs` | List of Gradle configurations to include | `["runtimeClasspath"]` |
`skipProjects` | Projects to exclude | `[]` |
`projectType` | Type of project | `application` |
`includeBomSerialNumber` | Include a unique BOM serial number | `true` |
`includeLicenseText` | Include full license text | `false` |
`destination` | Output directory | `build/reports` |
`outputName` | Output file name | `application.cdx` |
`outputFormat` | Output format | `json` |
To generate the SBOM, run:

```bash
./gradlew cyclonedxBom
```

The SBOM is written to the configured `destination` directory (default: `build/reports`).
## Advanced Configuration

Both plugins support adding organization metadata to the SBOM. Maven (inside the plugin's `<configuration>` in `pom.xml`):

```xml
<configuration>
  <organizationalEntity>
    <name>Your Organization</name>
    <url>https://your-org.com</url>
    <contact>
      <name>Contact Name</name>
      <email>contact@your-org.com</email>
    </contact>
  </organizationalEntity>
</configuration>
```

Gradle (`build.gradle`); the contact is a CycloneDX model object, so it is imported and built before being attached to the entity:

```groovy
import org.cyclonedx.model.OrganizationalContact

// Build the contact first; addContact() below expects an OrganizationalContact instance
def organizationalContact = new OrganizationalContact()
organizationalContact.setName('Contact Name')
organizationalContact.setEmail('contact@your-org.com')

cyclonedxBom {
  organizationalEntity { oe ->
    oe.name = 'Your Organization'
    oe.url = ['https://your-org.com']   // a list: an entity may have several URLs
    oe.addContact(organizationalContact)
  }
}
```
You can also declare license information for your project. Maven:

```xml
<configuration>
  <licenseChoice>
    <license>
      <name>Apache License 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
  </licenseChoice>
</configuration>
```

Gradle (`build.gradle`):

```groovy
import org.cyclonedx.model.License

cyclonedxBom {
  licenseChoice { lc ->
    def license = new License()
    license.setName("Apache License 2.0")
    license.setUrl("https://www.apache.org/licenses/LICENSE-2.0")
    lc.addLicense(license)
  }
}
```
The following table shows the compatibility between plugin versions and CycloneDX schema versions:
Plugin Version | Schema Version | Supported Formats |
---|---|---|
2.x.x | 1.6 | XML, JSON |
1.10.x | 1.6 | XML, JSON |
1.9.x | 1.6 | XML, JSON |
1.8.x | 1.5 | XML, JSON |
1.7.x | 1.4 | XML, JSON |
## CI/CD Integration

Both plugins integrate easily into CI/CD pipelines. For example, as GitHub Actions workflow steps:

```yaml
- name: Generate SBOM (Maven)
  run: mvn cyclonedx:makeAggregateBom

- name: Generate SBOM (Gradle)
  run: ./gradlew cyclonedxBom
```

With the configuration above, the generated SBOMs are found at:

- Maven: `target/application.cdx.json`
- Gradle: `build/reports/application.cdx.json`
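A post-generation check worth running in the same pipeline, as an added example that is not part of the plugins' documentation: it parses the JSON file the steps above produce and verifies it matches the configured settings (spec version `1.6`, project type `application`, a `urn:uuid` serial number) and that every component carries a package URL (purl), without which scanners cannot match it. The embedded SBOM and the `check_sbom` function are constructed for illustration.

```python
import json
import re
import sys
from typing import Dict, List

# Constructed miniature CycloneDX 1.6 document, shaped like the
# application.cdx.json that the Maven and Gradle configurations above emit.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.17.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0"},
        {"type": "library", "group": "org.example", "name": "no-purl-lib", "version": "0.1"},
    ],
})
URN_UUID = re.compile(r"urn:uuid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def check_sbom(raw: str, expected_spec: str = "1.6",
               expected_type: str = "application") -> Dict[str, object]:
    """Compare a CycloneDX JSON SBOM with the build settings; empty findings = match."""
    bom = json.loads(raw)
    findings: List[str] = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if bom.get("specVersion") != expected_spec:
        findings.append(f"specVersion is {bom.get('specVersion')!r}, expected {expected_spec!r}")
    # includeBomSerialNumber (Gradle) / the Maven default put a urn:uuid here; consumers key on it
    if not URN_UUID.fullmatch(bom.get("serialNumber", "")):
        findings.append("serialNumber missing or not a urn:uuid")
    root = bom.get("metadata", {}).get("component", {})
    if root.get("type") != expected_type:
        findings.append(f"metadata.component.type is {root.get('type')!r}, expected {expected_type!r}")
    components = bom.get("components", [])
    # A component without a purl cannot be matched against vulnerability databases.
    missing_purl = [f"{c.get('group', '')}:{c['name']}" for c in components if not c.get("purl")]
    if missing_purl:
        findings.append(f"{len(missing_purl)} component(s) without purl: {', '.join(missing_purl)}")
    return {"components": len(components), "missing_purl": missing_purl, "findings": findings}


if __name__ == "__main__":
    # Usage: python check_sbom.py target/application.cdx.json (no argument: check the sample)
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for line in check_sbom(data)["findings"] or ["OK: SBOM matches the configured settings"]:
        print(line)
```

Run it against `target/application.cdx.json` or `build/reports/application.cdx.json` after the build step; a non-empty findings list is a signal that the plugin configuration and the artefact have drifted apart.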