Repository: Java, Apache License 2.0, 209 stars, rank 188,325 (top 4 %), created over 7 years ago, last updated over 1 year ago


Repository Details

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects


CycloneDX Maven Plugin

The CycloneDX Maven plugin generates a CycloneDX Software Bill of Materials (SBOM) containing the aggregate of all direct and transitive dependencies of a project. CycloneDX is a lightweight SBOM standard designed for use in application security contexts and supply chain component analysis.

Maven Usage

<!-- uses default configuration -->
<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <executions>
            <execution>
                <phase>package</phase>
                <goals>
                    <goal>makeAggregateBom</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
</plugins>

Default Values

<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <configuration>
            <projectType>library</projectType>
            <schemaVersion>1.4</schemaVersion>
            <includeBomSerialNumber>true</includeBomSerialNumber>
            <includeCompileScope>true</includeCompileScope>
            <includeProvidedScope>true</includeProvidedScope>
            <includeRuntimeScope>true</includeRuntimeScope>
            <includeSystemScope>true</includeSystemScope>
            <includeTestScope>false</includeTestScope>
            <includeLicenseText>false</includeLicenseText>
            <outputReactorProjects>true</outputReactorProjects>
            <outputFormat>all</outputFormat>
            <outputName>bom</outputName>
            <outputDirectory>${project.build.directory}</outputDirectory><!-- usually target, if not redefined in pom.xml -->
            <verbose>false</verbose><!-- = ${cyclonedx.verbose} -->
        </configuration>
    </plugin>
</plugins>

Excluding Projects

With the makeAggregateBom goal, certain Maven reactor projects (modules) can be excluded from the aggregate BOM:

  • Pass -DexcludeTestProject to exclude any Maven module whose artifactId contains the word "test"
  • Pass -DexcludeArtifactId=<comma-separated artifactIds> to exclude modules by artifactId
  • Pass -DexcludeGroupId=<comma-separated groupIds> to exclude modules by groupId

Goals

The CycloneDX Maven plugin provides the following three goals:

  • makeBom: creates a BOM for each Maven module with its dependencies,
  • makeAggregateBom: creates an aggregate BOM at the build root (with the dependencies of the whole multi-module build) and, when outputReactorProjects is true (the default), a BOM for each module as well,
  • makePackageBom: creates a BOM for each Maven module with war or ear packaging.

By default, the BOM(s) are attached as additional artifacts with the cyclonedx classifier and an xml or json extension during a Maven install or deploy:

  • ${project.artifactId}-${project.version}-cyclonedx.xml
  • ${project.artifactId}-${project.version}-cyclonedx.json

This may be switched off by setting cyclonedx.skipAttach to true.

Every goal can optionally be skipped completely by setting cyclonedx.skip to true.

CycloneDX Schema Support

The following table provides information on the version of this Maven plugin, the CycloneDX schema version supported, as well as the output format options. Use the latest possible version of this plugin that is compatible with the CycloneDX version supported by the target system.

Plugin version   Schema version    Format(s)
2.6.x            CycloneDX v1.4    XML/JSON
2.5.x            CycloneDX v1.3    XML/JSON
2.0.x            CycloneDX v1.2    XML/JSON
1.4.x            CycloneDX v1.1    XML
1.0.x            CycloneDX v1.0    XML
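Before uploading or attaching the bom.json that the goals above produce, it is worth running a sanity check over it: that it really is a CycloneDX document of a schema version the consuming system supports (the table above), that it carries a serial number, that every component has a purl and hashes, and that every dependency edge points at a component the BOM actually lists. The Python script below is an added example written for this page; it is not part of the cyclonedx-maven-plugin or its documentation. The embedded sample BOM, its purls and its hash value are constructed and hypothetical, and the script reads any other file path given on the command line.

```python
"""Sanity-check a CycloneDX JSON BOM (for example target/bom.json from makeAggregateBom)
before it is uploaded or attached.  Added example, not part of cyclonedx-maven-plugin; the
sample BOM below is constructed by hand and only mimics the plugin's JSON layout."""
import json
import re
from typing import Dict, List, Set

SUPPORTED_SPEC_VERSIONS = {"1.0", "1.1", "1.2", "1.3", "1.4"}  # per the README's table
SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Hypothetical coordinates for the constructed sample; not taken from any real build.
APP = "pkg:maven/com.example/app@1.0.0?type=jar"          # root project
LANG3 = "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar"
UTIL = "pkg:maven/com.example/util@1.0.0?type=jar"        # reactor module, no hashes
JUNIT = "pkg:maven/junit/junit@4.13.2?type=jar"           # referenced but deliberately absent
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "metadata": {"component": {"type": "library", "bom-ref": APP, "group": "com.example",
                               "name": "app", "version": "1.0.0", "purl": APP}},
    "components": [
        {"type": "library", "bom-ref": LANG3, "group": "org.apache.commons",
         "name": "commons-lang3", "version": "3.12.0", "purl": LANG3,
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},  # placeholder digest
        {"type": "library", "bom-ref": UTIL, "group": "com.example",
         "name": "util", "version": "1.0.0", "purl": UTIL},
    ],
    "dependencies": [
        {"ref": APP, "dependsOn": [LANG3, UTIL]},
        {"ref": LANG3, "dependsOn": []},
        {"ref": UTIL, "dependsOn": [JUNIT]},  # dangling reference, should be flagged
    ],
})


def load_bom(text: str) -> Dict:
    bom = json.loads(text)
    if not isinstance(bom, dict):
        raise ValueError("BOM root must be a JSON object")
    return bom


def check_bom(bom: Dict) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    spec = str(bom.get("specVersion", ""))
    if spec not in SUPPORTED_SPEC_VERSIONS:
        findings.append(f"unexpected specVersion {spec!r}")
    if not SERIAL_RE.match(str(bom.get("serialNumber", ""))):
        findings.append("serialNumber missing or not a urn:uuid (includeBomSerialNumber=false?)")
    root = bom.get("metadata", {}).get("component") or {}
    if not root:
        findings.append("metadata.component (the project itself) is missing")
    # Every bom-ref that dependency edges may legitimately point at.
    refs = [root["bom-ref"]] if root.get("bom-ref") else []
    refs += [c["bom-ref"] for c in bom.get("components", []) if c.get("bom-ref")]
    seen: Set[str] = set()
    for ref in refs:
        if ref in seen:
            findings.append(f"duplicate bom-ref {ref}")
        seen.add(ref)
    for c in bom.get("components", []):
        label = f"{c.get('group', '')}:{c.get('name', '')}:{c.get('version', '')}"
        if not c.get("purl"):
            findings.append(f"{label}: no purl, cannot be matched against vulnerability data")
        if not c.get("hashes"):
            findings.append(f"{label}: no hashes, artifact cannot be verified against the repository")
    for dep in bom.get("dependencies", []):
        if dep.get("ref") not in seen:
            findings.append(f"dependency entry for unknown ref {dep.get('ref')}")
        for target in dep.get("dependsOn", []):
            if target not in seen:
                findings.append(f"{dep.get('ref')} depends on {target}, which is not in this BOM")
    return findings


def direct_dependencies(bom: Dict) -> List[str]:
    """Refs the root project depends on directly, per the dependency graph."""
    root_ref = (bom.get("metadata", {}).get("component") or {}).get("bom-ref")
    for dep in bom.get("dependencies", []):
        if dep.get("ref") == root_ref:
            return list(dep.get("dependsOn", []))
    return []


def transitive_dependencies(bom: Dict, ref: str) -> Set[str]:
    """Every ref reachable from ref via dependsOn edges (tolerates cycles)."""
    graph = {d.get("ref"): d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    reached: Set[str] = set()
    stack = list(graph.get(ref, []))
    while stack:
        cur = stack.pop()
        if cur not in reached:
            reached.add(cur)
            stack.extend(graph.get(cur, []))
    return reached


if __name__ == "__main__":
    import sys
    bom = load_bom(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM)
    print("\n".join(f"FINDING: {f}" for f in check_bom(bom)) or "BOM passed all checks")
    print("direct dependencies of root:", direct_dependencies(bom))
```

Saved as, say, check_bom.py, it runs as python check_bom.py target/bom.json after mvn package; with no argument it checks the embedded sample, which is built to trip exactly two findings (a module listed without hashes, and a dependency edge to a component the BOM never lists). A BOM that fails the dangling-reference check is the classic symptom of an aggregate built from a partial reactor, so it is worth failing the pipeline on rather than uploading.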

Maven Plugin Documentation

The Maven plugin documentation can be viewed online at https://cyclonedx.github.io/cyclonedx-maven-plugin/.

Copyright & License

CycloneDX Maven Plugin is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

More Repositories

  • cdxgen (JavaScript, 565 stars): Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Discord: https://discord.gg/DP657ACYEZ
  • specification (XSLT, 252 stars): CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, OBOM, VDR, and VEX
  • cyclonedx-cli (C#, 245 stars): CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
  • cyclonedx-python (Python, 234 stars): CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments
  • cyclonedx-dotnet (C#, 119 stars): Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
  • cyclonedx-node-module (108 stars): Creates CycloneDX Software Bill of Materials (SBOM) from node-based projects
  • bom-examples (105 stars): A repository with examples of CycloneDX BOMs (SBOM, SaaSBOM, OBOM, VEX, etc)
  • cyclonedx-gradle-plugin (Java, 92 stars): Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects
  • cyclonedx-rust-cargo (Rust, 90 stars): Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
  • cyclonedx-gomod (Go, 90 stars): Creates CycloneDX Software Bill of Materials (SBOM) from Go modules
  • cyclonedx-core-java (Java, 76 stars): CycloneDX SBOM Model and Utils for Creating and Validating BOMs
  • cyclonedx-node-npm (TypeScript, 69 stars): Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
  • cyclonedx-bom-repo-server (C#, 68 stars): A BOM repository server for distributing CycloneDX BOMs
  • cyclonedx-python-lib (Python, 65 stars): Python implementation of OWASP CycloneDX
  • cyclonedx-php-composer (PHP, 48 stars): Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
  • transparency-exchange-api (43 stars): A standard API specification for exchanging supply chain artifacts and intelligence
  • cyclonedx-go (Go, 42 stars): Go library to consume and produce CycloneDX Software Bill of Materials (SBOM)
  • cyclonedx-linux-generator (Java, 32 stars): Lockheed Martin developed utility to generate CycloneDX SBOMs for Linux distributions
  • sbom-utility (Go, 30 stars): Utility that provides an API platform for validating, querying and managing BOM data
  • cyclonedx-conan (Python, 23 stars): Creates CycloneDX Software Bill of Materials (SBOM) documents for C/C++ projects using Conan
  • license-scanner (Go, 20 stars): Utility that provides an API and CLI to identify licenses and legal terms
  • gh-node-module-generatebom (JavaScript, 20 stars): GitHub action to generate a CycloneDX SBOM for Node.js
  • cyclonedx-webpack-plugin (TypeScript, 18 stars): Create CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.
  • cyclonedx-node-yarn (JavaScript, 18 stars): Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.
  • cyclonedx-ruby-gem (Ruby, 17 stars): Creates CycloneDX Software Bill of Materials (SBOM) from Ruby projects
  • cyclonedx-javascript-library (TypeScript, 15 stars): Core functionality of OWASP CycloneDX for JavaScript (Node.js or WebBrowser) written in TypeScript.
  • cyclonedx-web-tool (HTML, 15 stars): A web based tool for working with CycloneDX BOMs
  • cyclonedx-dotnet-library (C#, 14 stars): .NET library to consume and produce CycloneDX Software Bill of Materials (SBOM)
  • cyclonedx-cocoapods (Ruby, 14 stars): Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.
  • sbom-comparator (Java, 14 stars): Lockheed Martin developed utility to compare two CycloneDX SBOMs
  • gh-python-generate-sbom (JavaScript, 12 stars): GitHub action to generate a CycloneDX SBOM for Python
  • cyclonedx-node-pnpm (12 stars): Create CycloneDX Software Bill of Materials (SBOM) from Node.js PNPM projects.
  • cdxgen-action (JavaScript, 9 stars): GitHub action for CycloneDX BOM generator (cdxgen). The bom xml file produced by cdxgen can be uploaded to Dependency-Track, AppThreat and other commercial Software Composition Analysis (SCA) products
  • gh-gomod-generate-sbom (JavaScript, 9 stars): GitHub action to generate a CycloneDX SBOM for Go modules
  • gh-dotnet-generate-sbom (JavaScript, 8 stars): GitHub action to generate a CycloneDX SBOM for .NET
  • cyclonedx-property-taxonomy (8 stars): A taxonomy of all official property namespaces and names
  • sbom-combiner (Java, 7 stars): Lockheed Martin developed utility to combine multiple CycloneDX SBOMs
  • cyclonedx-authoring-tool (Vue, 7 stars): An experimental user interface for manually creating, editing, and viewing CycloneDX SBOMs
  • cyclonedx-php-library (PHP, 6 stars): PHP Implementation of CycloneDX Bill of Materials (BOM)
  • cyclonedx.org (HTML, 5 stars): Public website
  • guides (CSS, 5 stars)
  • cyclonedx-nuget (Java, 3 stars): Creates CycloneDX Software Bill-of-Materials (SBOM) from NuGet projects
  • cyclonedx-buildroot (Python, 2 stars): Create CycloneDX Software Bill of Materials (SBOM) for Buildroot projects
  • cdxgen-plugins-bin (PowerShell, 2 stars): Binary plugins for @cyclonedx/cdxgen npm package
  • sbom-commons (Java, 1 star): Lockheed Martin developed common SBOM library
  • homebrew-cyclonedx (Ruby, 1 star): CycloneDX Homebrew Tap
  • cyclonedx-conda (1 star): conda plugin to generate CycloneDX SBOM
  • cyclonedx-otm-java (Java, 1 star): EXPERIMENTAL CycloneDX library and utility to convert BOMs into Open Threat Model (OTM) format
  • gh-php-composer-generate-sbom (JavaScript, 1 star): GitHub action to generate a CycloneDX SBOM for PHP Composer
  • sbom-commons-combiner (Java, 1 star): Lockheed Martin developed common library to combine multiple SBOMs
  • gh-cocoapods-generate-sbom (1 star): GitHub action to generate a CycloneDX SBOM for Swift and Objective-C projects that use CocoaPods.
  • cyclonedx-esbuild-plugin (1 star): Create CycloneDX Software Bill of Materials (SBOM) from esbuild bundles at compile time.