Package managers such as Maven, Gradle, npm, and others have the most accurate view of library dependencies. They can be used to resolve dependencies, generate an SBOM, and scan using vet for better accuracy. In this guide, we’ll use the CycloneDX Gradle plugin to generate a Software Bill of Materials (SBOM) and scan it using vet.
Why Use Package Manager Integration?
Accurate Resolution Package managers resolve exact versions and transitive dependencies
Complete Inventory Capture all dependencies including build-time and runtime components
Standardized Format Generate industry-standard SBOM formats (CycloneDX, SPDX)
Better Analysis More accurate security analysis with complete dependency information
Gradle Integration The CycloneDX Gradle plugin generates comprehensive SBOMs that can be analyzed by vet for security issues.
Plugin Configuration Add the CycloneDX plugin to your build.gradle file:
plugins { id 'org.cyclonedx.bom' version '1.10.0' } cyclonedxBom { includeConfigs = [ "runtimeClasspath" ] skipConfigs = [ "compileClasspath" , "testCompileClasspath" ] skipProjects = [rootProject . name, "yourTestSubProject" ] projectType = "application" schemaVersion = "1.6" destination = file( "build/reports" ) outputName = "bom" outputFormat = "json" includeBomSerialNumber = false includeLicenseText = false includeMetadataResolution = true componentVersion = "2.0.0" componentName = "my-component" } Configuration Options SBOM Generation Generate SBOM artifacts with a clean build:
gradle clean build cyclonedxBom After a successful build, SBOM artifacts will be stored in the build/reports directory.
Multi-Project Configuration For multi-module projects, configure the plugin in each module or use a shared configuration:
// In root build.gradle subprojects { apply plugin : 'org.cyclonedx.bom' cyclonedxBom { includeConfigs = [ "runtimeClasspath" ] projectType = "library" destination = file( " ${ rootProject.buildDir } /reports/sboms" ) outputName = " ${ project.name } -bom" } } Maven Integration For Maven projects, use the CycloneDX Maven plugin:
< plugin > < groupId > org.cyclonedx </ groupId > < artifactId > cyclonedx-maven-plugin </ artifactId > < version > 2.8.0 </ version > < configuration > < projectType > application </ projectType > < schemaVersion > 1.6 </ schemaVersion > < includeBomSerialNumber > false </ includeBomSerialNumber > < includeMetadataResolution > true </ includeMetadataResolution > < outputName > bom </ outputName > < outputFormat > json </ outputFormat > </ configuration > < executions > < execution > < phase > package </ phase > < goals > < goal > makeAggregateBom </ goal > </ goals > </ execution > </ executions > </ plugin > Generate the SBOM:
mvn clean package cyclonedx:makeAggregateBom Scanning SBOMs with vet Once you have generated SBOM files, use vet to scan them for security issues:
vet scan --lockfiles build/reports/bom.json \ --lockfile-as bom-cyclonedx \ --report-markdown=report.md vet scan --lockfiles build/reports/bom.json \ --lockfile-as bom-spdx \ --report-markdown=report.md npm/Node.js Integration For Node.js projects, use the CycloneDX npm plugin:
# Install globally npm install -g @cyclonedx/cyclonedx-npm # Generate SBOM cyclonedx-npm --output-file sbom.json # Scan with vet vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx Python Integration For Python projects, use cyclonedx-python:
# Install pip install cyclonedx-bom # Generate SBOM cyclonedx-py -o sbom.json # Scan with vet vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx CI/CD Integration name : Dependency Inventory Scan on : [ push , pull_request ] jobs : inventory-scan : runs-on : ubuntu-latest steps : - uses : actions/checkout@v4 - name : Set up JDK uses : actions/setup-java@v4 with : java-version : '17' distribution : 'temurin' - name : Generate SBOM run : ./gradlew cyclonedxBom - name : Scan SBOM with vet uses : safedep/vet-action@v1 with : scan-dir : 'build/reports' lockfile-as : 'bom-cyclonedx' - name : Upload SBOM uses : actions/upload-artifact@v4 with : name : sbom path : build/reports/bom.json name : Dependency Inventory Scan on : [ push , pull_request ] jobs : inventory-scan : runs-on : ubuntu-latest steps : - uses : actions/checkout@v4 - name : Set up JDK uses : actions/setup-java@v4 with : java-version : '17' distribution : 'temurin' - name : Generate SBOM run : ./gradlew cyclonedxBom - name : Scan SBOM with vet uses : safedep/vet-action@v1 with : scan-dir : 'build/reports' lockfile-as : 'bom-cyclonedx' - name : Upload SBOM uses : actions/upload-artifact@v4 with : name : sbom path : build/reports/bom.json stages : - build - security generate-sbom : stage : build script : - ./gradlew clean build cyclonedxBom artifacts : paths : - build/reports/bom.json expire_in : 1 hour security-scan : stage : security image : ghcr.io/safedep/vet:latest script : - vet scan --lockfiles build/reports/bom.json --lockfile-as bom-cyclonedx --report-json security-report.json dependencies : - generate-sbom artifacts : reports : security : security-report.json Best Practices Troubleshooting 