Package managers such as Maven, Gradle, npm, and others have the most accurate view of library dependencies. They can be used to resolve dependencies, generate an SBOM, and scan using vet for better accuracy. In this guide, we’ll use the CycloneDX Gradle plugin to generate a Software Bill of Materials (SBOM) and scan it using vet.

Why Use Package Manager Integration?

Accurate Resolution

Package managers resolve exact versions and transitive dependencies

Complete Inventory

Capture all dependencies including build-time and runtime components

Standardized Format

Generate industry-standard SBOM formats (CycloneDX, SPDX)

Better Analysis

More accurate security analysis with complete dependency information

Gradle Integration

The CycloneDX Gradle plugin generates comprehensive SBOMs that can be analyzed by vet for security issues.

Plugin Configuration

Add the CycloneDX plugin to your build.gradle file:

plugins {
    id 'org.cyclonedx.bom' version '1.10.0'
}

cyclonedxBom {
    includeConfigs = ["runtimeClasspath"]
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    skipProjects = [rootProject.name, "yourTestSubProject"]
    projectType = "application"
    schemaVersion = "1.6"
    destination = file("build/reports")
    outputName = "bom"
    outputFormat = "json"
    includeBomSerialNumber = false
    includeLicenseText = false
    includeMetadataResolution = true
    componentVersion = "2.0.0"
    componentName = "my-component"
}

Configuration Options

SBOM Generation

Generate SBOM artifacts with a clean build:

gradle clean build cyclonedxBom

After a successful build, SBOM artifacts will be stored in the build/reports directory.

Multi-Project Configuration

For multi-module projects, configure the plugin in each module or use a shared configuration:

// In root build.gradle
subprojects {
    apply plugin: 'org.cyclonedx.bom'
    
    cyclonedxBom {
        includeConfigs = ["runtimeClasspath"]
        projectType = "library"
        destination = file("${rootProject.buildDir}/reports/sboms")
        outputName = "${project.name}-bom"
    }
}

Maven Integration

For Maven projects, use the CycloneDX Maven plugin:

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.8.0</version>
    <configuration>
        <projectType>application</projectType>
        <schemaVersion>1.6</schemaVersion>
        <includeBomSerialNumber>false</includeBomSerialNumber>
        <includeMetadataResolution>true</includeMetadataResolution>
        <outputName>bom</outputName>
        <outputFormat>json</outputFormat>
    </configuration>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Generate the SBOM:

mvn clean package cyclonedx:makeAggregateBom

Scanning SBOMs with vet

Once you have generated SBOM files, use vet to scan them for security issues:

CycloneDX Format

vet scan --lockfiles build/reports/bom.json \
         --lockfile-as bom-cyclonedx \
         --report-markdown=report.md

SPDX Format

vet scan --lockfiles build/reports/bom.json \
         --lockfile-as bom-spdx \
         --report-markdown=report.md

npm/Node.js Integration

For Node.js projects, use the CycloneDX npm plugin:

# Install globally
npm install -g @cyclonedx/cyclonedx-npm

# Generate SBOM
cyclonedx-npm --output-file sbom.json

# Scan with vet
vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx

Python Integration

For Python projects, use cyclonedx-python:

# Install
pip install cyclonedx-bom

# Generate SBOM
cyclonedx-py -o sbom.json

# Scan with vet
vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx

CI/CD Integration

name: Dependency Inventory Scan
on: [push, pull_request]

jobs:
  inventory-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          
      - name: Generate SBOM
        run: ./gradlew cyclonedxBom
        
      - name: Scan SBOM with vet
        uses: safedep/vet-action@v1
        with:
          scan-dir: 'build/reports'
          lockfile-as: 'bom-cyclonedx'
          
      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: build/reports/bom.json

Best Practices

Troubleshooting