The CycloneDX Gradle plugin aggregates all direct and transitive dependencies of a project and writes them as a valid CycloneDX SBOM. CycloneDX is a lightweight software bill of materials (SBOM) specification designed for use in application security contexts and supply chain component analysis.
Execution:
gradle cyclonedxBom
Output CycloneDX Generation Info (Gradle's info log level, --info or -i):
gradle cyclonedxBom --info
Exclude BOM Serial Number:
gradle cyclonedxBom -Pcyclonedx.includeBomSerialNumber=false
build.gradle (excerpt)
plugins {
    // No version here: the version is pinned by the resolutionStrategy in settings.gradle below
    id 'org.cyclonedx.bom'
}
apply plugin: 'java'
apply plugin: 'maven'
repositories {
    mavenCentral()
}
settings.gradle (excerpt)
pluginManagement {
    resolutionStrategy {
        eachPlugin {
            // Map the plugin id to a specific artifact version so every build resolves the same plugin
            if (requested.id.toString() == 'org.cyclonedx.bom') {
                useModule('org.cyclonedx:cyclonedx-gradle-plugin:1.4.1')
            }
        }
    }
    repositories {
        mavenCentral()
    }
}
Once a BOM is generated, it will reside at ./build/reports/bom.xml and ./build/reports/bom.json
Configuration: You can control which Gradle configurations are included in the BOM:
cyclonedxBom {
    // includeConfigs is the list of configuration names to include when generating the BOM (leave empty to include every configuration)
    includeConfigs += ["runtimeClasspath"]
    // skipConfigs is the list of configuration names to exclude when generating the BOM
    skipConfigs += ["compileClasspath", "testCompileClasspath"]
    // Specifies the type of project being built. Defaults to 'library'
    projectType = "application"
    // Specifies the version of the CycloneDX specification to use. Defaults to 1.2
    schemaVersion = "1.2"
}
Run gradle with info logging (--info or -i) to see which configurations contribute to the BOM.
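After the build, a practitioner will want to confirm that the generated bom.json actually reflects the configuration above: the expected specVersion, the expected metadata.component.type, whether a serialNumber was written (see the includeBomSerialNumber property), and exactly one Maven package URL per component. The script below is an added example, not part of the plugin or of this README. The JSON it reads by default is a constructed sample in the shape of the plugin's JSON output, the serial number in it is made up, and the function names and the duplicate-component check are this example's own.

```python
import json
import re
import sys
from typing import Dict, List

# Constructed sample in the shape of ./build/reports/bom.json from a build with
# projectType = "application" and schemaVersion = "1.2". Illustrative data only,
# not real plugin output: the serialNumber is made up, and commons-lang3 is
# deliberately listed twice to exercise the duplicate check below.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.2",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.9.8", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
     "version": "3.9", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.9"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
     "version": "3.9", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.9"}
  ]
}
"""

# CycloneDX serial numbers are UUID URNs (RFC 4122).
SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def load_bom(text: str) -> Dict:
    """Parse a CycloneDX JSON BOM and reject any document that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM: bomFormat=%r" % bom.get("bomFormat"))
    return bom


def component_purls(bom: Dict) -> List[str]:
    """Package URLs of every listed component, in document order."""
    return [c.get("purl", "") for c in bom.get("components", [])]


def check_bom(bom: Dict, spec_version: str, project_type: str,
              expect_serial: bool) -> List[str]:
    """Compare the BOM against the build configuration it should reflect.
    Returns a list of findings; an empty list means everything matched."""
    findings = []
    if bom.get("specVersion") != spec_version:
        findings.append("specVersion is %r, expected %r"
                        % (bom.get("specVersion"), spec_version))
    meta_type = bom.get("metadata", {}).get("component", {}).get("type")
    if meta_type != project_type:
        findings.append("metadata.component.type is %r, expected %r"
                        % (meta_type, project_type))
    serial = bom.get("serialNumber")
    if expect_serial and not (isinstance(serial, str) and SERIAL_RE.match(serial)):
        findings.append("serialNumber missing or not a urn:uuid: %r" % serial)
    if not expect_serial and serial is not None:
        findings.append("serialNumber present although includeBomSerialNumber=false")
    seen = set()
    for purl in component_purls(bom):
        if not purl.startswith("pkg:maven/"):
            findings.append("component without a Maven purl: %r" % purl)
        elif purl in seen:
            findings.append("duplicate component: %s" % purl)
        seen.add(purl)
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. build/reports/bom.json) to check a real BOM; the
    # constructed sample is used when no path is given.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM_JSON
    for finding in check_bom(load_bom(text), "1.2", "application", True):
        print("FINDING:", finding)
```

Run it as `python check_bom.py build/reports/bom.json` from the project root after `gradle cyclonedxBom`; adjust the three expected values to match your cyclonedxBom block and the -P properties you passed. Any output line is a mismatch between the BOM and the build configuration, which is exactly what a consumer of the SBOM would otherwise discover late.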
The following table provides information on the version of this plugin, the CycloneDX schema version supported, as well as the output format options. Use the latest possible version of this plugin that is compatible with the CycloneDX version supported by the target system.
Version | Schema Version | Format(s)
---|---|---
1.4.x | CycloneDX v1.3 | XML/JSON
1.2.x | CycloneDX v1.2 | XML/JSON
1.1.x | CycloneDX v1.1 | XML
1.0.x | CycloneDX v1.0 | XML
CycloneDX Gradle Plugin is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.