Generating Software Bill of Materials (SBOM) for Java Applications


Overview

This guide explains how to generate a Software Bill of Materials (SBOM) for Java applications using the CycloneDX plugins for the Maven and Gradle build systems. An SBOM is a detailed inventory of every component, library, and dependency that ships with your software project; it is the input that vulnerability matching, license review, and compliance reporting rely on.

Maven-Based Projects

Maven Configuration

Add the CycloneDX Maven plugin to your pom.xml:

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.9.1</version>
    <configuration>
        <projectType>application</projectType>
        <outputFormat>json</outputFormat>
        <outputName>application.cdx</outputName>
        <schemaVersion>1.6</schemaVersion>
    </configuration>
</plugin>

Maven Key Configuration Options

Option          Description                                               Default
projectType     Type of project (application or library)                  application
outputFormat    Format of the SBOM (json or xml)                          json
outputName      Name of the output SBOM file                              application.cdx
schemaVersion   CycloneDX schema version                                  1.6

Maven Generating the SBOM

To generate the SBOM, run:

mvn cyclonedx:makeAggregateBom

The SBOM is written to the target directory under the configured output name plus the format extension (target/application.cdx.json for the configuration above).

Gradle-Based Projects

Gradle Configuration

Add the CycloneDX Gradle plugin to your build.gradle (Groovy DSL shown below; the same settings apply to build.gradle.kts):

plugins {
    id 'org.cyclonedx.bom' version '2.2.0'
}

tasks.named('cyclonedxBom') {
    schemaVersion = "1.6"
    includeConfigs = ["runtimeClasspath", "compileClasspath"]
    skipProjects = [rootProject.name]
    projectType = "application"
    includeBomSerialNumber = true
    includeLicenseText = false
    destination = file("build/reports")
    outputName = "application.cdx"
    outputFormat = "json"
}

Gradle Key Configuration Options

Option                   Description                              Default
schemaVersion            CycloneDX schema version                 1.6
includeConfigs           List of configurations to include        ["runtimeClasspath"]
skipProjects             Projects to exclude                      []
projectType              Type of project                          application
includeBomSerialNumber   Include unique identifier                true
includeLicenseText       Include full license text                false
destination              Output directory                         build/reports
outputName               Output file name                         application.cdx
outputFormat             Output format                            json

Gradle Generating the SBOM

To generate the SBOM, run:

./gradlew cyclonedxBom

The SBOM will be generated in the specified destination directory (default: build/reports).

Advanced Configuration

Adding Metadata

Both plugins support adding additional metadata to the SBOM:

Maven Metadata Configuration

<configuration>
    <organizationalEntity>
        <name>Your Organization</name>
        <url>https://your-org.com</url>
        <contact>
            <name>Contact Name</name>
            <email>contact@your-org.com</email>
        </contact>
    </organizationalEntity>
</configuration>

Gradle Metadata Configuration

import org.cyclonedx.model.OrganizationalContact

cyclonedxBom {
    organizationalEntity { oe ->
        oe.name = 'Your Organization'
        oe.url = ['https://your-org.com']
        // Build the contact explicitly; the plugin does not define one for you
        def contact = new OrganizationalContact()
        contact.name = 'Contact Name'
        contact.email = 'contact@your-org.com'
        oe.addContact(contact)
    }
}

Adding License Information

You can specify license information for your project:

Maven License Configuration

<configuration>
    <licenseChoice>
        <license>
            <name>Apache License 2.0</name>
            <url>https://www.apache.org/licenses/LICENSE-2.0</url>
        </license>
    </licenseChoice>
</configuration>

Gradle License Configuration

import org.cyclonedx.model.License

cyclonedxBom {
    licenseChoice { lc ->
        def license = new License()
        license.setName("Apache License 2.0")
        license.setUrl("https://www.apache.org/licenses/LICENSE-2.0")
        lc.addLicense(license)
    }
}

Version Compatibility

The following table shows the compatibility between plugin versions and CycloneDX schema versions:

Plugin Version   Schema Version   Supported Formats
2.x.x            1.6              XML, JSON
1.10.x           1.6              XML, JSON
1.9.x            1.6              XML, JSON
1.8.x            1.5              XML, JSON
1.7.x            1.4              XML, JSON

CI/CD Integration

Both plugins can be easily integrated into CI/CD pipelines. For example, in GitHub Actions:

- name: Generate SBOM (Maven)
  run: mvn cyclonedx:makeAggregateBom

- name: Generate SBOM (Gradle)
  run: ./gradlew cyclonedxBom

The generated SBOMs can be found in:

  • Maven: target/application.cdx.json
  • Gradle: build/reports/application.cdx.json
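A pipeline step that consumes the file either build produces, as an added example that is not part of this repository: it parses the CycloneDX 1.6 JSON, verifies the fields the configurations above set (bomFormat, specVersion, serialNumber, application project type) and flags components without a purl or license, since a component without a purl cannot be matched against advisory data. The SBOM document embedded below is a constructed sample, including its serial number.

```python
import json
import sys

# Constructed sample in the shape of target/application.cdx.json (Maven) or
# build/reports/application.cdx.json (Gradle); the serial number is made up.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "serialNumber": "urn:uuid:00000000-1111-2222-3333-444444444444",
  "metadata": {"component": {"type": "application", "name": "demo-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.17.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.example", "name": "internal-utils", "version": "0.3",
     "licenses": []}
  ]
}"""

def parse_sbom(text):
    """Parse CycloneDX JSON text into a dict."""
    return json.loads(text)

def check_sbom(sbom, expected_spec="1.6"):
    """Return findings as strings; an empty list means the SBOM passes the gate."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if sbom.get("specVersion") != expected_spec:
        findings.append(f"specVersion {sbom.get('specVersion')!r} != {expected_spec}")
    if not str(sbom.get("serialNumber", "")).startswith("urn:uuid:"):
        findings.append("missing serialNumber (check includeBomSerialNumber)")
    if sbom.get("metadata", {}).get("component", {}).get("type") != "application":
        findings.append("metadata.component.type is not application (check projectType)")
    for c in sbom.get("components", []):
        label = f"{c.get('group', '')}:{c.get('name')}:{c.get('version')}"
        if not c.get("purl"):
            # Without a purl the component cannot be keyed against advisory databases.
            findings.append(f"{label}: no purl")
        if not c.get("licenses"):
            findings.append(f"{label}: no license information")
    return findings

def component_purls(sbom):
    """Sorted purls, the identifiers a vulnerability scanner matches on."""
    return sorted(c["purl"] for c in sbom.get("components", []) if c.get("purl"))

if __name__ == "__main__":
    # Usage: python check_sbom.py target/application.cdx.json (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    findings = check_sbom(parse_sbom(text))
    for f in findings:
        print("FINDING:", f)
    sys.exit(1 if findings else 0)
```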
