Setting up the CycloneDX SBOM generation
A guide on how to use the CycloneDX plugins for the main package managers to create SBOM files.
CI/CD vs Central SBOM Generation
If you do not have an existing SBOM generation process we recommend using a central tool, such as our open-source tool SBOM booster. It allows you to quickly generate SBOMs from your source code in a reliable manner.
The NTIA (and many other security initiatives) do however require or emphasize the best practice of tying SBOM generation to the build process (e.g. "with every new build a new SBOM should be created"). Hence, CI/CD pipelines are the natural place for SBOM generation. For this we recommend the CycloneDX trusted plugins listed below.
Integrating CycloneDX plugins for various environments
We also provide a GitHub action that can easily be used in combination with the SBOM generation to streamline your onboarding of SBOMs to VSM.
Maven
GitHub project: https://github.com/CycloneDX/cyclonedx-maven-plugin
Slack channel: https://cyclonedx.slack.com/archives/CVCKP34A2
- Add the CycloneDX Maven plugin to your pom.xml:
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.7.3</version>
    </plugin>
  </plugins>
  There are more configuration options (see the GitHub project for details), but the default should suffice for most cases.
- Run the below command:
  mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom
- Find the CycloneDX SBOM JSON under ./target.
Gradle / Kotlin
GitHub project: https://github.com/CycloneDX/cyclonedx-gradle-plugin
Slack channel: https://cyclonedx.slack.com/archives/CVC9GTY5V
- Add the CycloneDX Gradle plugin to your build.gradle or settings.gradle.kts for Kotlin:
  plugins {
    id 'org.cyclonedx.bom' version '1.7.2'
  }
  tasks.cyclonedxBom {
    setDestination(project.file("."))
  }
  There are more configuration options (see the GitHub project for details), but the default should suffice for most cases.
- Run the below command:
  gradle cyclonedxBom
- Find the CycloneDX SBOM JSON under ./bom.json.
via GitHub Action
name: Generate and register service
on:
  push:
    branches:
      - main
jobs:
  post-deploy:
    name: Post Deployment
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up JDK temurin 17
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'
      - name: Run gradlew cyclonedxBom task
        uses: gradle/gradle-build-action@v2
        with:
          build-root-directory: .
          arguments: cyclonedxBom
      # Invoke the GitHub action to register the service with SBOM
      - name: VSM discovery
        uses: leanix/[email protected]
        with:
          api-token: ${{ secrets.VSM_LEANIX_API_TOKEN }}
          # dry-run: true
dotnet
GitHub project: https://github.com/CycloneDX/cyclonedx-dotnet
Slack channel: XXXXX
- Install the CycloneDX dotnet tool for your dotnet project by running:
  dotnet tool install --global CycloneDX
- Run the below command:
  dotnet CycloneDX <project path> -o <path to the CycloneDX json file>
  Where "project path" is the path to a .sln, .csproj, .fsproj, .vbproj, or packages.config file, or the path to a directory that will be recursively analyzed for packages.config files. There are more configuration options (see the GitHub project for details), but the above command should suffice for most cases.
- Find the CycloneDX SBOM JSON under the <path to the CycloneDX json file> you specified in the -o parameter.
npm
GitHub project: https://github.com/CycloneDX/cyclonedx-node-npm
Slack channel: https://cyclonedx.slack.com/archives/CVCKR4WG6
- Install the CycloneDX npm plugin for your project by running:
  npm install --global @cyclonedx/cyclonedx-npm
- Run the below command:
  cyclonedx-npm --output-file "<path to the CycloneDX json file>"
  There are more configuration options (see the GitHub project for details), but the above command should suffice for most cases.
- Find the CycloneDX SBOM JSON under the <path to the CycloneDX json file> you specified.
via GitHub Action
name: Generate and register service
on:
  push:
    branches:
      - main
jobs:
  post-deploy:
    name: Post Deployment
    runs-on: ubuntu-latest
    steps:
      # Checkout step assumed here: cyclonedx-npm needs package.json and the lockfile of the repository
      - name: Checkout
        uses: actions/checkout@v3
      # NODE_VERSION must be defined in a workflow-level env: block
      - name: Setup Node ${{ env.NODE_VERSION }} Environment
        uses: actions/setup-node@v1
        with:
          node-version: ${{ env.NODE_VERSION }}
      # Use the respective command to generate SBOM file
      - name: Generate SBOM
        run: |
          npm install --global @cyclonedx/cyclonedx-npm
          cyclonedx-npm --output-file "bom.json"
      # Invoke the GitHub action to register the service with SBOM
      - name: VSM discovery
        uses: leanix/[email protected]
        with:
          api-token: ${{ secrets.VSM_LEANIX_API_TOKEN }}
          # dry-run: true
pip / poetry / conda
GitHub project: https://github.com/CycloneDX/cyclonedx-python
Slack channel: https://cyclonedx.slack.com/archives/CVA0QJEVA
- Install the CycloneDX Python plugin in your Python project by running:
  with pip: pip install cyclonedx-bom
  with poetry: poetry add cyclonedx-bom
- Run the command that matches your dependency source:
  for pip: cyclonedx-py -pip --format json -o <path to the CycloneDX json file>
  will look for the Pipfile.lock file in the current working directory.
  for conda: cyclonedx-py -c --format json -o <path to the CycloneDX json file>
  will build an SBOM based on the output of conda list --explicit.
  for poetry: cyclonedx-py -p --format json -o <path to the CycloneDX json file>
  will look for the poetry.lock file in the current working directory.
  for requirements.txt: cyclonedx-py -r --format json -o <path to the CycloneDX json file>
  will look for the requirements.txt file in the current working directory.
  for the current virtual environment: cyclonedx-py -e --format json -o <path to the CycloneDX json file>
  will build an SBOM based on the packages installed in your current Python environment.
- Find the CycloneDX SBOM JSON under the <path to the CycloneDX json file> you specified in the -o parameter.
via GitHub Action
see a live example using the below workflow here:
name: Generate and register service with SBOM in VSM
on:
  push:
    branches:
      - "main"
jobs:
  build:
    name: Post Deployment
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.8.3"
          cache: "pip"
      - run: |
          pip install -r requirements.txt
          cyclonedx-py -r -F --format json -o bom.json
      # Invoke the GitHub action to register the service with SBOM
      - name: VSM discovery
        uses: leanix/[email protected]
        with:
          api-token: ${{ secrets.VSM_LEANIX_API_TOKEN }}
          # dry-run: true
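Whichever plugin produced it, the bom.json should be sanity-checked in the pipeline before it is registered, so that an empty or malformed SBOM (typically from a missing checkout or install step) is caught at build time. The following script is an added example, not code from this page or from LeanIX; it assumes the CycloneDX JSON layout (bomFormat, specVersion, components with name/version/purl) and uses a constructed sample document.

```python
import json

# Top-level fields a CycloneDX JSON document needs for downstream tooling to make sense of it.
REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "components")


def check_cyclonedx_sbom(bom: dict) -> list:
    """Return a list of findings; an empty list means the SBOM passed the sanity check."""
    findings = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in bom:
            findings.append(f"missing top-level field '{key}'")
    if bom.get("bomFormat") != "CycloneDX":
        findings.append(f"bomFormat is {bom.get('bomFormat')!r}, expected 'CycloneDX'")
    components = bom.get("components") or []
    if not components:
        # Typical cause in CI: sources not checked out or dependencies not installed before generation.
        findings.append("SBOM lists no components")
    for index, component in enumerate(components):
        label = component.get("name") or f"component #{index}"
        if not component.get("version"):
            findings.append(f"{label}: missing version")
        if not component.get("purl"):
            findings.append(f"{label}: missing purl, so it cannot be matched to vulnerability data")
    return findings


def check_sbom_file(path: str) -> list:
    """Load a bom.json from disk (the -o / --output-file target) and check it."""
    with open(path, encoding="utf-8") as handle:
        return check_cyclonedx_sbom(json.load(handle))


# Constructed sample resembling a cyclonedx-py output; not a real project's SBOM.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "version": 1,
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "localhelper"},  # no version, no purl
    ],
}

if __name__ == "__main__":
    for finding in check_cyclonedx_sbom(SAMPLE_BOM):
        print(finding)
```

In a workflow, run check_sbom_file("bom.json") between the generation step and the VSM discovery step and fail the job when the returned list is non-empty.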
Go
GitHub project: https://github.com/CycloneDX/cyclonedx-gomod
Slack channel: XXXXX
- Install the CycloneDX go plugin for your go project by running:
  go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
- Run the below command:
  cyclonedx-gomod app -json -output <path to the CycloneDX json file> -files -licenses -main cmd/acme-app /usr/src/acme-module
  There are more configuration options (see the GitHub project for details), but the above command should suffice for most cases.
- Find the CycloneDX SBOM JSON under the <path to the CycloneDX json file> you specified in the -output parameter.
Ruby
GitHub project: https://github.com/CycloneDX/cyclonedx-ruby-gem
Slack channel: https://cyclonedx.slack.com/archives/CUZ0DV9PD
- Install the CycloneDX Ruby Gem:
  gem install cyclonedx-ruby
- Run the below command:
  cyclonedx-ruby -p /path/to/ruby/project
- Find the CycloneDX SBOM JSON in the project directory.
More
Please visit the GitHub project from the CycloneDX initiative to find plugins for other package managers as well.