Package managers such as Maven, Gradle, and npm have the most accurate view of a project's library dependencies: they resolve the exact versions that end up on the classpath or in node_modules, including transitive ones, and can emit that resolved graph as an SBOM that vet scans with higher fidelity than a manifest alone. This guide uses the CycloneDX Gradle plugin to generate an SBOM and scan it with vet, then shows the equivalent for Maven, npm and Python.

Gradle Integration

The CycloneDX Gradle plugin generates SBOMs that vet can analyze for security issues.

Plugin Configuration

Add the CycloneDX plugin to your build.gradle file:
plugins {
    id 'org.cyclonedx.bom' version '1.10.0'
}

cyclonedxBom {
    includeConfigs = ["runtimeClasspath"]
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    skipProjects = [rootProject.name, "yourTestSubProject"]
    projectType = "application"
    schemaVersion = "1.6"
    destination = file("build/reports")
    outputName = "bom"
    outputFormat = "json"
    includeBomSerialNumber = false
    includeLicenseText = false
    includeMetadataResolution = true
    componentVersion = "2.0.0"
    componentName = "my-component"
}

Configuration Options

includeConfigs: Which resolvable dependency configurations to include. Use the classpath configurations that Gradle can actually resolve (runtimeClasspath, compileClasspath, testRuntimeClasspath); declarable buckets such as implementation and api are not resolvable and cannot be listed here.
includeConfigs = [
    "runtimeClasspath",      // What ships: runtime dependencies
    "compileClasspath",      // Compile-time only (provided-style and annotation-processor APIs)
    "testRuntimeClasspath"   // Test dependencies, normally left out of a production SBOM
]
skipConfigs and skipProjects: Exclude unnecessary components
skipConfigs = ["testCompileClasspath", "testRuntimeClasspath"]
skipProjects = ["test-utils", "benchmarks"]
destination and outputName: Control where SBOMs are generated
destination = file("security/sboms")
outputName = "${project.name}-${project.version}-sbom"
outputFormat = "json" // or "xml"

SBOM Generation

Generate SBOM artifacts with a clean build (use ./gradlew if the project ships a wrapper):
gradle clean build cyclonedxBom
After a successful build the SBOM is written to the configured destination; with the settings above that is build/reports/bom.json.

Multi-Project Configuration

For multi-module projects, configure the plugin in each module or use a shared configuration in the root build.gradle. When the plugin is applied from a subprojects block, declare it once in the root plugins block with apply false so that it is on the build classpath:
plugins {
    id 'org.cyclonedx.bom' version '1.10.0' apply false
}

subprojects {
    apply plugin: 'org.cyclonedx.bom'
    
    cyclonedxBom {
        includeConfigs = ["runtimeClasspath"]
        projectType = "library"
        // rootProject.buildDir is deprecated in Gradle 8; resolve the directory through the layout API
        destination = rootProject.layout.buildDirectory.dir("reports/sboms").get().asFile
        outputName = "${project.name}-bom"
    }
}

Maven Integration

For Maven projects, use the CycloneDX Maven plugin:
<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.8.0</version>
    <configuration>
        <projectType>application</projectType>
        <schemaVersion>1.6</schemaVersion>
        <includeBomSerialNumber>false</includeBomSerialNumber>
        <includeMetadataResolution>true</includeMetadataResolution>
        <outputName>bom</outputName>
        <outputFormat>json</outputFormat>
    </configuration>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>
Generate the SBOM. The package-phase binding above runs makeAggregateBom automatically, so a normal package build is enough:
mvn clean package
The Maven plugin writes to the build directory by default, so the file is target/bom.json. Invoke mvn cyclonedx:makeAggregateBom directly only when you want the SBOM without the rest of the package phase.

Scanning SBOMs with Vet

Once you have generated SBOM files, scan them with vet:

CycloneDX Format

vet scan --lockfiles build/reports/bom.json \
         --lockfile-as bom-cyclonedx \
         --report-markdown=report.md
The --lockfile-as bom-cyclonedx flag tells vet to parse the file as a CycloneDX SBOM rather than inferring the format from the filename. For a Maven build, point --lockfiles at target/bom.json.
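Before handing an SBOM to vet it is worth checking that the generator produced what you expect. The following is an added example for this guide, not code from vet or the CycloneDX plugins: it parses a CycloneDX JSON document, walks nested components, and flags components that carry no Package URL (purl), since vet resolves packages by purl and a component without one cannot be matched against vulnerability or malware data. The SAMPLE_BOM document is constructed for the example.

```python
"""Pre-flight check of a CycloneDX JSON SBOM before scanning it with vet.

Added example for this guide; not vet's code or the CycloneDX plugins'.
SAMPLE_BOM is a constructed document standing in for build/reports/bom.json.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Iterator

SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "my-component", "version": "2.0.0"}},
    "components": [
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.17.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0",
         # CycloneDX allows components to nest; the walker must not miss these
         "components": [
             {"type": "library", "group": "com.fasterxml.jackson.core",
              "name": "jackson-core", "version": "2.17.0",
              "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.17.0"}]},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api",
         "version": "2.0.13", "purl": "pkg:maven/org.slf4j/slf4j-api@2.0.13"},
        # A project-local jar with no purl: vet has nothing to look up
        {"type": "library", "name": "internal-utils", "version": "1.0"},
    ],
})


@dataclass
class BomSummary:
    spec_version: str
    total: int
    with_purl: int
    missing_purl: list[str] = field(default_factory=list)
    ecosystems: dict[str, int] = field(default_factory=dict)

    @property
    def ok(self) -> bool:
        # An empty SBOM usually means the wrong configuration was included
        return self.total > 0 and not self.missing_purl


def iter_components(items: list[dict]) -> Iterator[dict]:
    """Depth-first walk over components and their nested components."""
    for comp in items:
        yield comp
        yield from iter_components(comp.get("components", []))


def purl_type(purl: str) -> str:
    """'pkg:maven/org.slf4j/slf4j-api@2.0.13' -> 'maven'.
    The purl type is the segment between 'pkg:' and the first '/'."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"malformed purl: {purl!r}")
    return purl[4:].split("/", 1)[0]


def check_cyclonedx(text: str) -> BomSummary:
    """Validate the document header and summarise purl coverage per ecosystem."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat missing or wrong")
    spec = str(bom.get("specVersion", ""))
    if not spec:
        raise ValueError("specVersion missing")
    summary = BomSummary(spec_version=spec, total=0, with_purl=0)
    for comp in iter_components(bom.get("components", [])):
        summary.total += 1
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        purl = comp.get("purl")
        if not purl:
            summary.missing_purl.append(label)
            continue
        summary.with_purl += 1
        eco = purl_type(purl)
        summary.ecosystems[eco] = summary.ecosystems.get(eco, 0) + 1
    return summary


if __name__ == "__main__":
    import sys
    # usage: check_bom.py build/reports/bom.json   (no argument: run on SAMPLE_BOM)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    s = check_cyclonedx(src)
    print(f"CycloneDX {s.spec_version}: {s.total} components, "
          f"{s.with_purl} with purl, ecosystems={s.ecosystems}")
    for m in s.missing_purl:
        print(f"  WARNING: no purl, vet cannot look it up: {m}")
    if len(sys.argv) > 1:
        sys.exit(0 if s.ok else 1)
```

Run it against the real bom.json in CI just before the vet step; a non-zero exit there means either the includeConfigs selection produced an empty inventory or some components will be invisible to the scan, both of which are better caught than silently reported as "no findings".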

npm/Node.js Integration

For Node.js projects, use the CycloneDX npm plugin. It derives the component tree from the installed node_modules (via npm ls), so install the project's dependencies from the lockfile first:
# Install the generator
npm install -g @cyclonedx/cyclonedx-npm

# Install the project's dependencies exactly as locked
npm ci

# Generate SBOM
cyclonedx-npm --output-file sbom.json

# Scan with vet
vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx

Python Integration

For Python projects, use cyclonedx-python. The environment subcommand inventories whatever is installed in the current interpreter or virtualenv, so run it in a clean environment with only the project installed; the requirements, poetry and pipenv subcommands read the corresponding lockfile instead:
# Install the generator
pip install cyclonedx-bom

# Generate SBOM from the active environment
# (other subcommands: requirements, poetry, pipenv)
cyclonedx-py environment -o sbom.json

# Scan with vet
vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx

CI/CD Integration

A GitHub Actions workflow that generates the Gradle SBOM, scans it with the vet container image, and keeps the SBOM as a build artifact:
name: Dependency Inventory Scan
on: [push, pull_request]

jobs:
  inventory-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          
      - name: Generate SBOM
        run: ./gradlew cyclonedxBom
        
      - name: Scan SBOM with vet
        run: |
          docker run --rm -v "$PWD:/app" ghcr.io/safedep/vet:latest \
            scan --lockfiles /app/build/reports/bom.json \
            --lockfile-as bom-cyclonedx

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: build/reports/bom.json

Configuration Notes

Control which dependencies appear in the SBOM by setting includeConfigs and skipConfigs in your build.gradle (shown above). For example, list only runtimeClasspath for a production SBOM, or add testRuntimeClasspath to include test dependencies.
Store SBOMs alongside releases for compliance and audit:
# Tag SBOMs with version information
cp build/reports/bom.json "release-artifacts/sbom-v${VERSION}.json"
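Taking the version from a shell variable works until the variable drifts from what was actually built. The following is an added example for this guide, not vet's code or the CycloneDX plugins': it derives the archive name from the SBOM's own metadata.component (the componentName and componentVersion configured for the Gradle plugin, or the Maven artifact coordinates), refuses to overwrite an existing release record, and writes a SHA-256 sidecar so an auditor can confirm the stored SBOM is byte-for-byte the one that was scanned. The SAMPLE_BOM document and the release-artifacts directory name are constructed for the example.

```python
"""Archive a generated SBOM under a version-tagged name taken from the SBOM itself.

Added example for this guide; not vet's code or the CycloneDX plugins'.
SAMPLE_BOM is a constructed document standing in for build/reports/bom.json.
"""
from __future__ import annotations

import hashlib
import json
import re
import tempfile
from pathlib import Path

SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {"component": {"type": "application",
                               "name": "my-component", "version": "2.0.0"}},
    "components": [],
})

# Anything outside this set is collapsed to '-' so group/name or +build
# metadata cannot produce path separators or odd filenames.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def release_name(bom_text: str) -> str:
    """sbom-<name>-v<version>.json, built from metadata.component."""
    comp = json.loads(bom_text).get("metadata", {}).get("component", {})
    name, version = comp.get("name"), comp.get("version")
    if not name or not version:
        raise ValueError("metadata.component lacks name/version; set "
                         "componentName/componentVersion in the plugin config")
    return f"sbom-{_UNSAFE.sub('-', name)}-v{_UNSAFE.sub('-', version)}.json"


def archive_sbom(bom_text: str, out_dir: Path) -> tuple[Path, str]:
    """Write the SBOM plus a '<digest>  <file>' sidecar (sha256sum -c format).
    Refuses to overwrite: a release record must not change after the fact."""
    out_dir.mkdir(parents=True, exist_ok=True)
    target = out_dir / release_name(bom_text)
    if target.exists():
        raise FileExistsError(f"{target} already archived; bump the version")
    data = bom_text.encode("utf-8")
    digest = hashlib.sha256(data).hexdigest()
    target.write_bytes(data)
    sidecar = target.parent / (target.name + ".sha256")
    sidecar.write_text(f"{digest}  {target.name}\n")
    return target, digest


def verify_archived(target: Path) -> bool:
    """Recompute the digest of the stored file and compare with its sidecar."""
    sidecar = target.parent / (target.name + ".sha256")
    expected = sidecar.read_text().split()[0]
    return hashlib.sha256(target.read_bytes()).hexdigest() == expected


def demo() -> dict:
    """Round trip in a temporary directory: archive, verify, detect tampering,
    reject a duplicate release."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "release-artifacts"
        target, digest = archive_sbom(SAMPLE_BOM, out)
        verified = verify_archived(target)
        # Modify the stored file: verification must now fail
        target.write_text(target.read_text() + " ")
        tampered_ok = verify_archived(target)
        try:
            archive_sbom(SAMPLE_BOM, out)
            dup_refused = False
        except FileExistsError:
            dup_refused = True
    return {"name": target.name, "digest": digest, "verified": verified,
            "tampered_ok": tampered_ok, "dup_refused": dup_refused}


if __name__ == "__main__":
    import sys
    # usage: archive_sbom.py build/reports/bom.json release-artifacts
    if len(sys.argv) == 3:
        path, digest = archive_sbom(Path(sys.argv[1]).read_text(), Path(sys.argv[2]))
        print(f"{digest}  {path}")
    else:
        print(demo())
```

The sidecar uses the two-space format that sha256sum -c understands, so the archived directory can be verified later with plain coreutils; the refusal to overwrite means a re-run of the release job on the same version fails loudly instead of silently replacing the record.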

Related

CycloneDX Gradle Plugin: complete documentation for the Gradle plugin
CycloneDX Maven Plugin: Maven plugin documentation and examples
SBOM Generation Guide: generating SBOMs with vet
Package Manager Support: all package managers supported by vet