
Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects

Primary language: Java. License: Apache-2.0.


CycloneDX Gradle Plugin

The CycloneDX Gradle plugin aggregates all direct and transitive dependencies of a project and emits a valid CycloneDX SBOM. CycloneDX is a lightweight software bill of materials (SBOM) specification designed for use in application security contexts and supply chain component analysis.

Usage

Execution:

gradle cyclonedxBom

Output CycloneDX Generation Info:

gradle cyclonedxBom -info

build.gradle (excerpt)

To generate a BOM for a single project, add the plugin to build.gradle.

plugins {
    id 'org.cyclonedx.bom' version '1.7.3'
}

Once a BOM is generated, by default it resides at ./build/reports/bom.xml and ./build/reports/bom.json.

Configuration:

You can add the following configuration to build.gradle to control various options in generating a BOM:

cyclonedxBom {
    // includeConfigs is the list of configuration names to include when generating the BOM (leave empty to include every configuration)
    includeConfigs = ["runtimeClasspath"]
    // skipConfigs is a list of configuration names to exclude when generating the BOM
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    // skipProjects is a list of project names to exclude when generating the BOM
    skipProjects = [rootProject.name, "yourTestSubProject"]
    // Specifies the type of project being built. Defaults to 'library'
    projectType = "application"
    // Specifies the version of the CycloneDX specification to use. Defaults to 1.4.
    schemaVersion = "1.4"
    // BOM destination directory (defaults to build/reports)
    destination = file("build/reports")
    // The file name for the generated BOMs (before the file format suffix). Defaults to 'bom'
    outputName = "bom"
    // The file format generated, can be xml, json or all for generating both
    outputFormat = "json"
    // Exclude the BOM serial number
    includeBomSerialNumber = false
    // Override component version
    componentVersion = "2.0.0"
}
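Several of the settings above (schemaVersion, includeBomSerialNumber, componentVersion) change what ends up in bom.json, and a build pipeline should confirm the generated BOM actually reflects them before handing it to a vulnerability scanner. The following is an added example, not part of the plugin or its README: a small Python checker that parses a CycloneDX 1.4 JSON BOM, compares it against the expected settings, and flags components a consumer cannot act on (no purl, no version, SNAPSHOT version, no hashes) as well as dangling references in the dependency graph. The embedded BOM is a constructed sample shaped like the plugin's output; the coordinates, UUID and hash value in it are made up.

```python
import json
import re
import sys

# Constructed sample: a trimmed CycloneDX 1.4 JSON BOM shaped like the plugin's
# bom.json output. The coordinates, UUID and hash value below are made up.
SAMPLE_BOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "metadata": {"component": {
      "type": "application", "group": "com.example", "name": "demo-app", "version": "2.0.0",
      "purl": "pkg:maven/com.example/demo-app@2.0.0?type=jar",
      "bom-ref": "pkg:maven/com.example/demo-app@2.0.0?type=jar"}},
  "components": [
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.4",
     "hashes": [{"alg": "SHA-256",
                 "content": "1111111111111111111111111111111111111111111111111111111111111111"}],
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?type=jar",
     "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?type=jar"},
    {"type": "library", "group": "com.example.internal", "name": "unpublished-lib",
     "version": "1.0-SNAPSHOT",
     "purl": "pkg:maven/com.example.internal/unpublished-lib@1.0-SNAPSHOT?type=jar",
     "bom-ref": "pkg:maven/com.example.internal/unpublished-lib@1.0-SNAPSHOT?type=jar"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.example/demo-app@2.0.0?type=jar",
     "dependsOn": ["pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?type=jar",
                   "pkg:maven/com.example.internal/unpublished-lib@1.0-SNAPSHOT?type=jar"]}
  ]
}"""

# CycloneDX serial numbers are RFC 4122 UUID URNs.
SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def load_bom(text):
    """Parse a CycloneDX JSON document (the contents of bom.json)."""
    return json.loads(text)


def check_bom(bom, expected_schema="1.4", expect_serial=True, expected_version=None):
    """Compare a BOM against the plugin settings the build was expected to use.

    Returns a list of human-readable findings; an empty list means everything matched.
    """
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not 'CycloneDX'")
    spec = bom.get("specVersion")
    if spec != expected_schema:  # mirrors schemaVersion in the plugin config
        findings.append(f"specVersion {spec!r} does not match expected {expected_schema!r}")
    serial = bom.get("serialNumber")  # controlled by includeBomSerialNumber
    if expect_serial and serial is None:
        findings.append("serialNumber missing")
    elif not expect_serial and serial is not None:
        findings.append("serialNumber present although it was expected to be excluded")
    elif serial is not None and not SERIAL_RE.match(serial):
        findings.append(f"serialNumber {serial!r} is not a urn:uuid")
    root = bom.get("metadata", {}).get("component", {})
    if expected_version is not None and root.get("version") != expected_version:  # componentVersion
        findings.append(f"root component version {root.get('version')!r} != {expected_version!r}")
    known_refs = {root.get("bom-ref")}
    for comp in bom.get("components", []):
        ident = comp.get("purl") or f"{comp.get('group')}:{comp.get('name')}"
        known_refs.add(comp.get("bom-ref"))
        if not comp.get("purl"):
            findings.append(f"{ident}: no purl, component cannot be matched against advisories")
        version = comp.get("version")
        if not version:
            findings.append(f"{ident}: no version")
        elif "SNAPSHOT" in version:
            findings.append(f"{ident}: SNAPSHOT version is not reproducible")
        if not comp.get("hashes"):
            findings.append(f"{ident}: no hashes, artifact cannot be verified against the repository")
    # Every edge in the dependency graph must point at a component declared in this BOM.
    for dep in bom.get("dependencies", []):
        for ref in dep.get("dependsOn", []):
            if ref not in known_refs:
                findings.append(f"dependency graph references unknown bom-ref {ref!r}")
    return findings


if __name__ == "__main__":
    # Usage: python check_bom.py [build/reports/bom.json]; without a path the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM_JSON
    for line in check_bom(load_bom(text), expected_version="2.0.0"):
        print("FINDING:", line)
```

Against the sample, the checker reports two findings for the internal SNAPSHOT library (non-reproducible version, no hashes) and nothing for the published library; pass expect_serial=False when includeBomSerialNumber = false was configured and the presence of a serial number becomes a finding instead.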

If you are using the Kotlin DSL, the plugin can be configured as follows:

tasks.cyclonedxBom {
    setIncludeConfigs(listOf("runtimeClasspath"))
    setSkipConfigs(listOf("compileClasspath", "testCompileClasspath"))
    setSkipProjects(listOf(rootProject.name, "yourTestSubProject"))
    setProjectType("application")
    setSchemaVersion("1.4")
    setDestination(project.file("build/reports"))
    setOutputName("bom")
    setOutputFormat("json")
    setIncludeBomSerialNumber(false)
    setComponentVersion("2.0.0")
}

Run gradle with info logging (-i option) to see which configurations add to the BOM.

Generate BOM for multiple projects:

You can also build the BOM for multiple projects using the --init-script option:

gradle --init-script <path-to-init.gradle> cyclonedxBom -info

where the init.gradle can look like this:

initscript {
  repositories {
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath "org.cyclonedx:cyclonedx-gradle-plugin:1.7.3"
  }
}

allprojects {
  apply plugin: org.cyclonedx.gradle.CycloneDxPlugin
  cyclonedxBom {
    includeConfigs = ["runtimeClasspath"]
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    skipProjects = [rootProject.name, "yourTestSubProject"]
    projectType = "application"
    schemaVersion = "1.4"
    destination = file("build/reports")
    outputName = "bom"
    outputFormat = "json"
    includeBomSerialNumber = false
    componentVersion = "2.0.0"
  }
}

CycloneDX Schema Support

The following table lists each version of this Gradle plugin, the CycloneDX schema version it supports, and the output formats it can produce. Use the latest version of this plugin that is compatible with the CycloneDX version supported by the target system.

Version   Schema Version   Format(s)
1.7.x     CycloneDX v1.4   XML/JSON
1.6.x     CycloneDX v1.4   XML/JSON
1.5.x     CycloneDX v1.3   XML/JSON
1.4.x     CycloneDX v1.3   XML/JSON
1.2.x     CycloneDX v1.2   XML/JSON
1.1.x     CycloneDX v1.1   XML
1.0.x     CycloneDX v1.0   XML

Copyright & License

CycloneDX Gradle Plugin is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.