Skip to main content
Package managers such as Maven, Gradle, npm, and others have the most accurate view of library dependencies. They can be used to resolve dependencies, generate an SBOM, and scan using vet for better accuracy. In this guide, we’ll use the CycloneDX Gradle plugin to generate a Software Bill of Materials (SBOM) and scan it using vet.

​
Why Use Package Manager Integration?

Accurate Resolution

Package managers resolve exact versions and transitive dependencies

Complete Inventory

Capture all dependencies including build-time and runtime components

Standardized Format

Generate industry-standard SBOM formats (CycloneDX, SPDX)

Better Analysis

More accurate security analysis with complete dependency information

​
Gradle Integration

The CycloneDX Gradle plugin generates comprehensive SBOMs that can be analyzed by vet for security issues.

​
Plugin Configuration

Add the CycloneDX plugin to your build.gradle file: 
plugins {
    id 'org.cyclonedx.bom' version '1.10.0'
}

cyclonedxBom {
    includeConfigs = ["runtimeClasspath"]
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    skipProjects = [rootProject.name, "yourTestSubProject"]
    projectType = "application"
    schemaVersion = "1.6"
    destination = file("build/reports")
    outputName = "bom"
    outputFormat = "json"
    includeBomSerialNumber = false
    includeLicenseText = false
    includeMetadataResolution = true
    componentVersion = "2.0.0"
    componentName = "my-component"
}

​
Configuration Options

includeConfigs: Which dependency configurations to include
includeConfigs = [
    "runtimeClasspath",      // Runtime dependencies
    "implementationClasspath", // Implementation dependencies
    "compileClasspath"       // Compile-time dependencies
]
skipConfigs and skipProjects: Exclude unnecessary components
skipConfigs = ["testCompileClasspath", "testRuntimeClasspath"]
skipProjects = ["test-utils", "benchmarks"]
destination and outputName: Control where SBOMs are generated
destination = file("security/sboms")
outputName = "${project.name}-${project.version}-sbom"
outputFormat = "json" // or "xml"

​
SBOM Generation

Generate SBOM artifacts with a clean build: 
gradle clean build cyclonedxBom
Sample Gradle build output After a successful build, SBOM artifacts will be stored in the build/reports directory.

​
Multi-Project Configuration

For multi-module projects, configure the plugin in each module or use a shared configuration: 
// In root build.gradle
subprojects {
    apply plugin: 'org.cyclonedx.bom'
    
    cyclonedxBom {
        includeConfigs = ["runtimeClasspath"]
        projectType = "library"
        destination = file("${rootProject.buildDir}/reports/sboms")
        outputName = "${project.name}-bom"
    }
}

​
Maven Integration

For Maven projects, use the CycloneDX Maven plugin: 
<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.8.0</version>
    <configuration>
        <projectType>application</projectType>
        <schemaVersion>1.6</schemaVersion>
        <includeBomSerialNumber>false</includeBomSerialNumber>
        <includeMetadataResolution>true</includeMetadataResolution>
        <outputName>bom</outputName>
        <outputFormat>json</outputFormat>
    </configuration>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>
Generate the SBOM: 
mvn clean package cyclonedx:makeAggregateBom

​
Scanning SBOMs with vet

Once you have generated SBOM files, use vet to scan them for security issues:

​
CycloneDX Format

vet scan --lockfiles build/reports/bom.json \
         --lockfile-as bom-cyclonedx \
         --report-markdown=report.md

​
SPDX Format

vet scan --lockfiles build/reports/bom.json \
         --lockfile-as bom-spdx \
         --report-markdown=report.md
vet CycloneDX scan demonstration

​
npm/Node.js Integration

For Node.js projects, use the CycloneDX npm plugin: 
# Install globally
npm install -g @cyclonedx/cyclonedx-npm

# Generate SBOM
cyclonedx-npm --output-file sbom.json

# Scan with vet
vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx

​
Python Integration

For Python projects, use cyclonedx-python: 
# Install
pip install cyclonedx-bom

# Generate SBOM
cyclonedx-py -o sbom.json

# Scan with vet
vet scan --lockfiles sbom.json --lockfile-as bom-cyclonedx

​
CI/CD Integration

  • GitHub Actions
  • GitLab CI
name: Dependency Inventory Scan
on: [push, pull_request]

jobs:
  inventory-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
          
      - name: Generate SBOM
        run: ./gradlew cyclonedxBom
        
      - name: Scan SBOM with vet
        uses: safedep/vet-action@v1
        with:
          scan-dir: 'build/reports'
          lockfile-as: 'bom-cyclonedx'
          
      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: build/reports/bom.json

​
Best Practices

Generate different SBOMs for different environments:
# Production SBOM (runtime only)
gradle cyclonedxBom -PincludeConfigs=runtimeClasspath

# Development SBOM (including test dependencies)
gradle cyclonedxBom -PincludeConfigs=runtimeClasspath,testRuntimeClasspath
Generate SBOMs regularly to track dependency changes:
  • On every build in CI/CD
  • Before releases
  • After dependency updates
Store SBOMs alongside releases for compliance and audit purposes:
# Tag SBOMs with version information
cp build/reports/bom.json "release-artifacts/sbom-v${VERSION}.json"

​
Troubleshooting

If dependencies are missing from the SBOM:
  • Check that all relevant configurations are included
  • Verify dependency resolution succeeded
  • Review skipConfigs and skipProjects settings
For plugin compatibility issues:
  • Use the latest stable version of CycloneDX plugins
  • Check compatibility with your build tool version
  • Review plugin documentation for breaking changes
For projects with many dependencies:
  • Filter out unnecessary configurations
  • Consider splitting large projects into modules
  • Use compression for storage and transmission

CycloneDX Gradle Plugin

Complete documentation for the Gradle plugin

CycloneDX Maven Plugin

Maven plugin documentation and examples

SBOM Generation Guide

Learn more about generating SBOMs with vet

Package Manager Support

See all supported package managers in vet
⌘I