SBOMgen

Creation of SBOM in Maven Project Via The CycloneDX-Maven-Plugin

Introduction

This document illustrates the generation of an SBOM from a maven project utilizing the cyclonedx-maven-plugin.

Requirements

• Maven

• Maven compatible project

Installation

Open the pom.xml file of your maven project and add the following to the plugins section:

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.9.1</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <projectType>application</projectType>
        <schemaVersion>1.6</schemaVersion>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>true</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <outputFormat>all</outputFormat>
        <outputName>(output-sbom-name-here)</outputName>
    </configuration>
</plugin>

Usage

Build and create the SBOM with the command:

mvn clean install

The resultant SBOM in both JSON and XML format should be found in the target/ directory.

Notes

Troubleshooting

Environment:

• SBOMs were generated on three computers, running Java versions 11.0.20.1 and 11.0.25, with Maven versions 3.9.3, 3.6.3 and 3.9.9 on Ubuntu 20.04, 22.04 and 24.04 respectively.

Build Failure:

• Delete directory “.m2” found in home directory with command:

rm -rf path/to/.m2

(Ubuntu).

• Ensure the correct parameters for the cyclonedx-maven-plugin are set, schema: 1.6, version: 2.9.1.

• Ensure that the maven version installed is the one found in your operating systems package manager, or is the most stable release for your system.

• Prior to running:

    mvn clean install
  

  run

    mvn clean -Dmaven.clean.failOnError=false
  

Example SBOM

The following section illustrates a CycloneDX JSON and XML SBOMs of the project OneDev codebase, created by the CycloneDX Maven Plugin.

onedev (json)

onedev (xml)

References

• CycloneDX. (n.d.-a). GitHub - CycloneDX/cyclonedx-maven-plugin: Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects. GitHub. https://github.com/CycloneDX/cyclonedx-maven-plugin

• Theonedev. (n.d.). GitHub - theonedev/onedev: Git Server with CI/CD, Kanban, and Packages. Seamless integration. Unparalleled experience. GitHub. https://github.com/theonedev/onedev

This site is open source. Improve this page.