Generate accurate dependency inventories using package managers and SBOM tools
Package managers such as Maven, Gradle, and npm have the most accurate view of a project's library dependencies, because they resolve the exact versions that are actually built and shipped. Use them to resolve dependencies, generate an SBOM, and then scan that SBOM with vet for more accurate results than scanning a manifest alone. In this guide, we use the CycloneDX Gradle plugin to generate a Software Bill of Materials (SBOM) and scan it using vet.
Package managers resolve exact versions and transitive dependencies
Capture all dependencies including build-time and runtime components
Generate industry-standard SBOM formats (CycloneDX, SPDX)
More accurate security analysis with complete dependency information
The CycloneDX Gradle plugin generates comprehensive SBOMs that can be analyzed by vet for security issues.
Add the CycloneDX plugin to your build.gradle file:
Dependency Scopes
includeConfigs: Which dependency configurations to include
Project Filtering
skipConfigs and skipProjects: Exclude unnecessary components
Output Customization
destination and outputName: Control where SBOMs are generated
Generate SBOM artifacts with a clean build:
After a successful build, the SBOM artifacts are written to the build/reports directory (bom.json and bom.xml by default, unless destination or outputName is changed).
For multi-module projects, configure the plugin in each module or use a shared configuration:
For Maven projects, use the CycloneDX Maven plugin:
Generate the SBOM:
Once you have generated SBOM files, use vet to scan them for security issues:
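The generate-and-scan steps above, wired together as a small pipeline script. This is an added example, not code from the vet project or the CycloneDX plugin documentation. It assumes build.gradle applies the plugin id org.cyclonedx.bom with the default destination and outputName (so the JSON SBOM lands at build/reports/bom.json), that the vet CLI is on PATH, and that the SBOM is pretty-printed JSON with one field per line, as the plugin emits. The CEL filter used as the failure policy is only an illustration; adjust it to your own policy and confirm the scan flags against `vet scan --help` for your vet version.

```shell
#!/bin/sh
# Added example (not vet or CycloneDX plugin code): generate the SBOM with
# Gradle, sanity-check it, then scan it with vet and fail on policy hits.
set -eu

SBOM="${SBOM:-build/reports/bom.json}"
# Example policy (assumption, adjust to taste): fail when any component
# carries a critical vulnerability.
POLICY="${POLICY:-vulns.critical.exists(p, true)}"

# Count "purl" fields in a pretty-printed CycloneDX JSON file (one field per
# line). This counts components plus the root component under metadata; a
# zero count almost always means includeConfigs excluded everything.
sbom_component_count() {
    grep -c '"purl"' "$1" || true
}

# Returns 0 when the SBOM looks usable, 1 otherwise (with a reason on stderr).
sbom_sanity_check() {
    file="$1"
    [ -s "$file" ] || { echo "SBOM not found or empty: $file" >&2; return 1; }
    grep -q '"bomFormat" *: *"CycloneDX"' "$file" \
        || { echo "not a CycloneDX JSON SBOM: $file" >&2; return 1; }
    n=$(sbom_component_count "$file")
    [ "$n" -gt 0 ] || { echo "SBOM has no components; check includeConfigs" >&2; return 1; }
    echo "$file: $n purl entries"
}

# Clean build so stale artifacts cannot leak into the inventory.
generate_sbom() {
    ./gradlew clean cyclonedxBom
}

# Scan the SBOM as a CycloneDX lockfile; --filter-fail turns policy matches
# into a non-zero exit so CI stops on them.
scan_sbom() {
    vet scan --lockfiles "$1" --lockfile-as bom-cyclonedx \
        --filter "$POLICY" --filter-fail \
        --report-json vet-report.json
}

main() {
    generate_sbom
    sbom_sanity_check "$SBOM"
    scan_sbom "$SBOM"
}

# Only run the full pipeline when invoked as "sbom-scan.sh run", so the
# helper functions can be sourced and exercised without Gradle or vet.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh sbom-scan.sh run` from the project root. The sanity check is deliberately cheap (no JSON parser needed) but it exists for a reason: a plugin misconfiguration that yields an empty components list would otherwise produce a clean vet scan and a false sense of coverage.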
For Node.js projects, use the CycloneDX npm tool (@cyclonedx/cyclonedx-npm):
For Python projects, use cyclonedx-python:
Environment-Specific SBOMs
Generate different SBOMs for different environments:
Regular Updates
Generate SBOMs regularly to track dependency changes:
Storage and Versioning
Store SBOMs alongside releases for compliance and audit purposes:
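A concrete way to do both of the above, tracking dependency changes between runs and storing each release's SBOM with a checksum, as an added example that is not part of the page or the vet project. It assumes pretty-printed CycloneDX JSON (one "purl" field per line) as the Gradle plugin emits, drops purl qualifiers such as ?type=jar so that only coordinates are compared, and uses an archive layout under sboms/<version>/ that is this example's own convention. sha256sum is GNU coreutils; on macOS substitute `shasum -a 256`.

```shell
#!/bin/sh
# Added example (not vet or CycloneDX plugin code): archive an SBOM next to
# its release with a checksum, and diff two SBOM snapshots by package URL.
set -eu

# Sorted, de-duplicated purls from a CycloneDX JSON file, with qualifiers
# (everything from '?' on) stripped so versions compare cleanly.
sbom_purls() {
    sed -n 's/.*"purl" *: *"\([^"?]*\).*/\1/p' "$1" | sort -u
}

# Copy the SBOM to sboms/<version>/bom.json and record its SHA-256 so the
# archived inventory can be verified during a later audit. Prints the path.
archive_sbom() {
    sbom="$1"; version="$2"; dir="sboms/$version"
    mkdir -p "$dir"
    cp "$sbom" "$dir/bom.json"
    ( cd "$dir" && sha256sum bom.json > bom.json.sha256 )
    echo "$dir/bom.json"
}

# Verify an archived SBOM against its recorded checksum (exit 0 on success).
verify_sbom() {
    ( cd "sboms/$1" && sha256sum -c bom.json.sha256 >/dev/null )
}

# Print purls added (+) and removed (-) between an old and a new snapshot.
# A version bump shows up as one removal plus one addition.
sbom_diff() {
    old=$(mktemp); new=$(mktemp)
    sbom_purls "$1" > "$old"
    sbom_purls "$2" > "$new"
    comm -13 "$old" "$new" | sed 's/^/+ /'
    comm -23 "$old" "$new" | sed 's/^/- /'
    rm -f "$old" "$new"
}
```

Typical use after a release build: `archive_sbom build/reports/bom.json "$VERSION"`, then `sbom_diff sboms/<previous>/bom.json sboms/<current>/bom.json` to review what entered or left the runtime inventory before the release is signed off.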
Missing Dependencies
If dependencies are missing from the SBOM:
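One way to find out which resolved dependencies did not make it into the SBOM, rather than guessing at includeConfigs: compare Gradle's own resolved runtime classpath against the purls in the SBOM. This is an added example and not part of the page or the vet project. It assumes the tree printed by `gradle dependencies --configuration runtimeClasspath` (the `+---`/`\---` format with `a -> b` for conflict-resolved versions), a pretty-printed CycloneDX JSON SBOM, and Maven-style purls of the form pkg:maven/group/artifact@version with qualifiers such as ?type=jar ignored. Coordinates Gradle resolved but the SBOM lacks are printed one per line.

```shell
#!/bin/sh
# Added example (not vet or CycloneDX plugin code): report resolved Gradle
# dependencies that are absent from the generated SBOM.
set -eu

# Turn a saved "gradle dependencies --configuration runtimeClasspath" tree
# into sorted purls. The regex strips tree prefixes, keeps
# group:artifact:version, and prefers the resolved version after "->".
# Trailing markers such as "(*)" and "(c)" are discarded.
gradle_tree_purls() {
    sed -n 's/^[|+\\ -]*\([^ :]*\):\([^ :]*\):\([^ ]*\)\( -> \([^ ]*\)\)*.*$/\1 \2 \3 \5/p' "$1" \
    | awk '{ v = ($4 != "") ? $4 : $3; print "pkg:maven/" $1 "/" $2 "@" v }' \
    | sort -u
}

# Sorted purls from a CycloneDX JSON file, qualifiers ('?...') stripped.
sbom_purls() {
    sed -n 's/.*"purl" *: *"\([^"?]*\).*/\1/p' "$1" | sort -u
}

# Print every purl Gradle resolved that the SBOM does not contain.
missing_from_sbom() {
    expected=$(mktemp); actual=$(mktemp)
    gradle_tree_purls "$1" > "$expected"
    sbom_purls "$2" > "$actual"
    comm -23 "$expected" "$actual"
    rm -f "$expected" "$actual"
}

# Convenience wrapper for a live project: dump the runtime tree and compare.
check_runtime_classpath() {
    tree=$(mktemp)
    ./gradlew -q dependencies --configuration runtimeClasspath > "$tree"
    missing_from_sbom "$tree" "${1:-build/reports/bom.json}"
    rm -f "$tree"
}
```

If the report is non-empty, the usual causes are an includeConfigs value that does not name runtimeClasspath, a skipConfigs or skipProjects entry that is too broad, or a multi-module build where the plugin was applied to only some modules. Re-run the check per configuration you ship (for example with `--configuration` set to each relevant classpath) rather than only for main.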
Plugin Version Issues
For plugin compatibility issues:
Large SBOM Files
For projects with many dependencies:
Complete documentation for the Gradle plugin
Maven plugin documentation and examples
Learn more about generating SBOMs with vet
See all supported package managers in vet