Dependency Inventory
Package managers such as Maven, Gradle etc. has the most accurate view of library dependencies. They can be used to resolve the dependencies, generate an SBOM and scan using vet for better accuracy. In this guide, we will use CycloneDX gradle plugin to generate a software bill of material (SBOM) and scan it using vet.
Gradle Plugin Integrationโ
The gradle plugin for generating CycloneDX SBOM file has to be integrated into
the build script i.e. build.gradle file.
plugins {
id 'org.cyclonedx.bom' version '1.10.0'
}
cyclonedxBom {
includeConfigs = ["runtimeClasspath"]
skipConfigs = ["compileClasspath", "testCompileClasspath"]
skipProjects = [rootProject.name, "yourTestSubProject"]
projectType = "application"
schemaVersion = "1.6"
destination = file("build/reports")
outputName = "bom"
outputFormat = "json"
includeBomSerialNumber = false
includeLicenseText = false
includeMetadataResolution = true
componentVersion = "2.0.0"
componentName = "my-component"
}
Based on requirements, includeConfigs and skipConfigs properties in
cyclonedxBom can be modified to only include runtime, compile-time, or
implementation dependencies in the sbom artifact(s). Additionaly, in
a multi-build project, skipProjects property can be used to exclude
dependency resolution for a sub-project, thus reducing the noise.
SBOM Generationโ
Now, to generate sbom artifacts, do a clean build of the project using its
respective build tool: gradle cleanBuild -b build.gradle :cyclonedxBom
After a successful build, all the artifacts shall be stored in build/reports
path, present in the project root.
Scan SBOMs using Vetโ
vet supports scanning of SBOM files in both SPDX and CycloneDX format. Depending upon the plugin and build tool being used, appropriate parsers can be used to scan the artifacts for a vulnerability report.
vet scan --lockfiles build/reports/bom.json --lockfile-as bom-cyclonedx --report-markdown=report.md
vet scan --lockfiles build/reports/bom.json --lockfile-as bom-spdx --report-markdown=report.md
