Package managers such as Maven, Gradle, npm, and others have the most accurate view of library dependencies. They can be used to resolve dependencies, generate an SBOM, and scan it using vet for better accuracy. In this guide, we'll use the CycloneDX Gradle plugin to generate a Software Bill of Materials (SBOM) and scan it using vet.
Why Use Package Manager Integration?
- Accurate Resolution: package managers resolve exact versions and transitive dependencies
- Complete Inventory: capture all dependencies, including build-time and runtime components
- Standardized Format: generate industry-standard SBOM formats (CycloneDX, SPDX)
- Better Analysis: more accurate security analysis with complete dependency information
Gradle Integration
The CycloneDX Gradle plugin generates comprehensive SBOMs that can be analyzed by vet for security issues.
Plugin Configuration
Add the CycloneDX plugin to your build.gradle file:
plugins {
    id 'org.cyclonedx.bom' version '1.10.0'
}

cyclonedxBom {
    // Only the runtime classpath ends up in the SBOM; compile/test classpaths are skipped
    includeConfigs = ["runtimeClasspath"]
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    skipProjects = [rootProject.name, "yourTestSubProject"]
    projectType = "application"
    schemaVersion = "1.6"
    destination = file("build/reports")
    outputName = "bom"
    outputFormat = "json"
    includeBomSerialNumber = false
    includeLicenseText = false
    includeMetadataResolution = true
    componentVersion = "2.0.0"
    componentName = "my-component"
}
Configuration Options
SBOM Generation
Generate SBOM artifacts with a clean build:
gradle clean build cyclonedxBom
After a successful build, the SBOM artifacts will be stored in the build/reports directory.
Multi-Project Configuration
For multi-module projects, configure the plugin in each module or use a shared configuration:
// In root build.gradle
subprojects {
    apply plugin: 'org.cyclonedx.bom'

    cyclonedxBom {
        includeConfigs = ["runtimeClasspath"]
        projectType = "library"
        // One SBOM per module, collected under the root project's build directory
        destination = file("${rootProject.buildDir}/reports/sboms")
        outputName = "${project.name}-bom"
    }
}
Maven Integration
For Maven projects, use the CycloneDX Maven plugin:
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.8.0</version>
  <configuration>
    <projectType>application</projectType>
    <schemaVersion>1.6</schemaVersion>
    <includeBomSerialNumber>false</includeBomSerialNumber>
    <includeMetadataResolution>true</includeMetadataResolution>
    <outputName>bom</outputName>
    <outputFormat>json</outputFormat>
  </configuration>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
</plugin>
Generate the SBOM:
mvn clean package cyclonedx:makeAggregateBom
Scanning SBOMs with vet
Once you have generated SBOM files, use vet to scan them for security issues:
For a CycloneDX SBOM:

vet scan --lockfiles build/reports/bom.json \
    --lockfile-as bom-cyclonedx \
    --report-markdown=report.md

For an SPDX SBOM:

vet scan --lockfiles build/reports/bom.json \
    --lockfile-as bom-spdx \
    --report-markdown=report.md
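The multi-project configuration above writes one SBOM per module, while vet is pointed at a single file, and the scan is only as good as the inventory it is handed. The script below is an added example, not part of vet or the CycloneDX plugins: it checks each generated CycloneDX JSON for the things that silently degrade a scan (wrong bomFormat, empty component list, components with no purl or no version in the purl) and merges the per-module SBOMs into one deduplicated inventory to hand to vet scan. The two sample BOMs, their component names and versions, and the sboms/ directory layout are constructed for the example.

```python
"""Sanity-check CycloneDX JSON SBOMs before scanning them with vet, and merge
per-module SBOMs from a multi-project Gradle build into one inventory.

Added example, not part of vet or the CycloneDX plugins. The sample BOMs are
constructed inline to stand in for files the plugin would write under
build/reports/sboms/; the component names and versions are made up.
"""
import json
from pathlib import Path
from typing import Iterable

SUPPORTED_SPEC_VERSIONS = {"1.4", "1.5", "1.6"}

# Constructed samples: what build/reports/sboms/<module>-bom.json might hold.
SAMPLE_BOMS = {
    "api-bom.json": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "components": [
            {"type": "library", "name": "jackson-databind", "version": "2.17.0",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0"},
            {"type": "library", "name": "guava", "version": "33.0.0-jre",
             "purl": "pkg:maven/com.google.guava/guava@33.0.0-jre"},
        ],
    },
    "worker-bom.json": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "components": [
            {"type": "library", "name": "guava", "version": "33.0.0-jre",
             "purl": "pkg:maven/com.google.guava/guava@33.0.0-jre"},
            # A component the build could not resolve: no purl, no version.
            {"type": "library", "name": "internal-utils"},
        ],
    },
}


def validate_bom(bom: dict) -> list[str]:
    """Return a list of problems; an empty list means the BOM is fit to scan."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {bom.get('bomFormat')!r}, expected 'CycloneDX'")
    if bom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        problems.append(f"unexpected specVersion {bom.get('specVersion')!r}")
    components = bom.get("components", [])
    if not components:
        problems.append("no components: check includeConfigs/skipConfigs")
    for c in components:
        if not c.get("purl"):
            problems.append(f"component {c.get('name')!r} has no purl (cannot be looked up)")
        elif "@" not in c["purl"]:
            problems.append(f"purl {c['purl']} carries no version")
    return problems


def merge_boms(boms: Iterable[dict]) -> dict:
    """Union of components keyed by purl, so a dependency shared by several
    modules appears once. Components without a purl are kept, keyed by name."""
    merged: dict[str, dict] = {}
    for bom in boms:
        for c in bom.get("components", []):
            key = c.get("purl") or f"name:{c.get('name')}"
            merged.setdefault(key, c)
    return {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "components": list(merged.values())}


def load_boms(directory: Path) -> list[dict]:
    """Read every <module>-bom.json under the directory, in a stable order."""
    return [json.loads(p.read_text()) for p in sorted(directory.glob("*-bom.json"))]


def write_samples(directory: Path) -> None:
    directory.mkdir(parents=True, exist_ok=True)
    for name, bom in SAMPLE_BOMS.items():
        (directory / name).write_text(json.dumps(bom, indent=2))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sboms = Path(tmp) / "reports" / "sboms"
        write_samples(sboms)
        paths = sorted(sboms.glob("*-bom.json"))
        boms = load_boms(sboms)
        for path, bom in zip(paths, boms):
            for problem in validate_bom(bom):
                print(f"{path.name}: {problem}")
        merged = merge_boms(boms)
        (sboms / "bom.json").write_text(json.dumps(merged, indent=2))
        print(f"merged {len(boms)} BOMs into {len(merged['components'])} components")
```

Run it against a real build by replacing the temporary directory with build/reports/sboms; the merged bom.json it writes is what you pass to vet scan --lockfiles ... --lockfile-as bom-cyclonedx. Treat a non-empty problem list as a build failure rather than a warning: a component without a purl is one vet cannot match against any vulnerability data, so it is a blind spot in the inventory, not a cosmetic issue.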
npm/Node.js Integration
For Node.js projects, use the CycloneDX npm plugin:
# Install globally
npm install -g @cyclonedx/cyclonedx-npm
# Generate SBOM
cyclonedx-npm --output-file sbom.json
# Scan with vet
vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx
Python Integration
For Python projects, use cyclonedx-python:
# Install
pip install cyclonedx-bom
# Generate SBOM
cyclonedx-py -o sbom.json
# Scan with vet
vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx
CI/CD Integration
GitHub Actions:

name: Dependency Inventory Scan
on: [push, pull_request]

jobs:
  inventory-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Generate SBOM
        run: ./gradlew cyclonedxBom

      - name: Scan SBOM with vet
        uses: safedep/vet-action@v1
        with:
          scan-dir: 'build/reports'
          lockfile-as: 'bom-cyclonedx'

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: build/reports/bom.json
GitLab CI:

stages:
  - build
  - security

generate-sbom:
  stage: build
  script:
    - ./gradlew clean build cyclonedxBom
  artifacts:
    paths:
      - build/reports/bom.json
    expire_in: 1 hour

security-scan:
  stage: security
  image: ghcr.io/safedep/vet:latest
  script:
    - vet scan --lockfiles build/reports/bom.json
      --lockfile-as bom-cyclonedx
      --report-json security-report.json
  dependencies:
    - generate-sbom
  artifacts:
    reports:
      security: security-report.json
Best Practices
Troubleshooting