CycloneDX SBOM (Software Bill of Materials) Maven Demo

Published at 8/17/2022
Categories: sbom, maven, cyclonedx, vulnerability
Author: rvsoni

Securing the software supply chain is now a core part of building and delivering software, and that starts with an accurate inventory of what ships in each artifact.

CycloneDX is a software bill of materials (SBOM) standard maintained by the OWASP Foundation.

A CycloneDX SBOM is a lightweight inventory: for a Maven project it lists every direct and transitive dependency that the build resolves from pom.xml, with coordinates and a package URL (purl) for each component.

CycloneDX provides tooling to generate SBOMs for projects in many languages (e.g. Java, Python, Node.js); see the CycloneDX tools ecosystem listing.

This sample project builds with Maven, and the cyclonedx-maven-plugin generates the CycloneDX SBOM as part of that build.

The generated SBOM can then be uploaded to OWASP Dependency-Track (https://dependencytrack.org/) for continuous vulnerability analysis of the listed components.

Sample cyclonedx-maven-plugin configuration, placed under build/plugins in pom.xml:

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.0</version>
    <configuration>
        <projectType>library</projectType>
        <schemaVersion>1.3</schemaVersion>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>true</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <outputFormat>all</outputFormat>
    </configuration>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Running the Maven build generates the SBOM in the target folder as both bom.json and bom.xml (outputFormat all), and the plugin validates each file against the CycloneDX 1.3 schema, as the build log shows. One setting worth adjusting for this particular project: the artifact is a repackaged Spring Boot executable jar, so projectType should be application rather than library. That value only sets the type of the metadata component that describes the project itself; it does not change which dependencies are listed.

mvn clean install

Maven build output (only the plugin's section is shown):

[INFO] --- cyclonedx-maven-plugin:2.7.0:makeAggregateBom (default) @ cyclonedx-maven-demo ---
[INFO] CycloneDX: Parameters
[INFO] ------------------------------------------------------------------------
[INFO] schemaVersion          : 1.3
[INFO] includeBomSerialNumber : true
[INFO] includeCompileScope    : true
[INFO] includeProvidedScope   : true
[INFO] includeRuntimeScope    : true
[INFO] includeTestScope       : false
[INFO] includeSystemScope     : true
[INFO] includeLicenseText     : false
[INFO] outputReactorProjects  : true
[INFO] outputFormat           : all
[INFO] outputName             : bom
[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.json

The SBOM files sit next to the jar in the target folder:

[ravi.soni@GB8TRF2 cyclonedx-maven-demo] $ ls -l target/
total 17380
-rw-rw-r-- 1 ravi.soni ravi.soni    81647 Jul 14 16:05 bom.json
-rw-rw-r-- 1 ravi.soni ravi.soni    69804 Jul 14 16:05 bom.xml
drwxrwxr-x 3 ravi.soni ravi.soni     4096 Jul 14 16:05 classes
-rw-rw-r-- 1 ravi.soni ravi.soni 17619933 Jul 14 16:05 cyclonedx-maven-demo-0.0.1-SNAPSHOT.jar
-rw-rw-r-- 1 ravi.soni ravi.soni     3247 Jul 14 16:05 cyclonedx-maven-demo-0.0.1-SNAPSHOT.jar.original
drwxrwxr-x 3 ravi.soni ravi.soni     4096 Jul 14 16:05 generated-sources
drwxrwxr-x 2 ravi.soni ravi.soni     4096 Jul 14 16:05 maven-archiver
drwxrwxr-x 3 ravi.soni ravi.soni     4096 Jul 14 16:05 maven-status

To cross-check what the BOM should contain, print every direct and transitive dependency that Maven resolved, together with its scope:

mvn dependency:tree

Dependency tree of the project (the scope is the last field of each node):

[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ cyclonedx-maven-demo ---
[INFO] com.rvsoni.maven:cyclonedx-maven-demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.7.1:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.1:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.64:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.64:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.64:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.21:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.21:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.1:test
[INFO]    +- org.springframework.boot:spring-boot-test:jar:2.7.1:test
[INFO]    +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.1:test
[INFO]    +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO]    |  +- net.minidev:json-smart:jar:2.4.8:test
[INFO]    |  |  \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO]    |  |     \- org.ow2.asm:asm:jar:9.1:test
[INFO]    |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO]    |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO]    +- org.assertj:assertj-core:jar:3.22.0:test
[INFO]    +- org.hamcrest:hamcrest:jar:2.2:test
[INFO]    +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO]    |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO]    |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO]    |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO]    |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO]    |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO]    +- org.mockito:mockito-core:jar:4.5.1:test
[INFO]    |  +- net.bytebuddy:byte-buddy:jar:1.12.11:test
[INFO]    |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.11:test
[INFO]    |  \- org.objenesis:objenesis:jar:3.2:test
[INFO]    +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO]    +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO]    |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO]    +- org.springframework:spring-core:jar:5.3.21:compile
[INFO]    |  \- org.springframework:spring-jcl:jar:5.3.21:compile
[INFO]    +- org.springframework:spring-test:jar:5.3.21:test
[INFO]    \- org.xmlunit:xmlunit-core:jar:2.9.0:test

Once the project is built, the same dependency information can be read back from bom.json with a jq command. Because includeTestScope is false, the test-only dependencies from the tree (JUnit, Mockito, AssertJ, Hamcrest and so on) do not appear in the BOM; the remaining components correspond to the compile-scope nodes of the tree, in the same order.

jq '.components[]| "\(.group)/\(.name)@\(.version)" ' target/bom.json

Output

[ravi.soni@GB8TRF2 cyclonedx-maven-demo] $ jq '.components[]| "\(.group)/\(.name)@\(.version)" ' target/bom.json 
"org.springframework.boot/spring-boot-starter-web@2.7.1"
"org.springframework.boot/spring-boot-starter@2.7.1"
"org.springframework.boot/spring-boot@2.7.1"
"org.springframework.boot/spring-boot-autoconfigure@2.7.1"
"org.springframework.boot/spring-boot-starter-logging@2.7.1"
"ch.qos.logback/logback-classic@1.2.11"
"ch.qos.logback/logback-core@1.2.11"
"org.apache.logging.log4j/log4j-to-slf4j@2.17.2"
"org.apache.logging.log4j/log4j-api@2.17.2"
"org.slf4j/jul-to-slf4j@1.7.36"
"jakarta.annotation/jakarta.annotation-api@1.3.5"
"org.yaml/snakeyaml@1.30"
"org.springframework.boot/spring-boot-starter-json@2.7.1"
"com.fasterxml.jackson.core/jackson-databind@2.13.3"
"com.fasterxml.jackson.core/jackson-annotations@2.13.3"
"com.fasterxml.jackson.core/jackson-core@2.13.3"
"com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.13.3"
"com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.13.3"
"com.fasterxml.jackson.module/jackson-module-parameter-names@2.13.3"
"org.springframework.boot/spring-boot-starter-tomcat@2.7.1"
"org.apache.tomcat.embed/tomcat-embed-core@9.0.64"
"org.apache.tomcat.embed/tomcat-embed-el@9.0.64"
"org.apache.tomcat.embed/tomcat-embed-websocket@9.0.64"
"org.springframework/spring-web@5.3.21"
"org.springframework/spring-beans@5.3.21"
"org.springframework/spring-webmvc@5.3.21"
"org.springframework/spring-aop@5.3.21"
"org.springframework/spring-context@5.3.21"
"org.springframework/spring-expression@5.3.21"
"org.slf4j/slf4j-api@1.7.36"
"org.springframework/spring-core@5.3.21"
"org.springframework/spring-jcl@5.3.21"
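Eyeballing the jq listing against the dependency tree works for a demo; in a pipeline the two should be compared mechanically, so that a stale or missing component fails the build before the BOM is published. The script below is an added example, not code from the post or from the cyclonedx-maven-plugin. Its inputs are constructed fixtures in the shapes shown above (a trimmed bom.json and a few dependency:tree lines, with a deliberately stale tomcat-embed-core version so the report has something to say), and the default set of included scopes mirrors the plugin configuration, which excludes test scope:

```python
"""Cross-check a CycloneDX bom.json against `mvn dependency:tree` output.

Added example; not part of the original post or of the cyclonedx-maven-plugin.
SAMPLE_BOM and SAMPLE_TREE are constructed fixtures in the shapes the post
shows; the file names in the usage note and the default scope set are assumptions.
"""
import json
import re
from typing import Dict, Set, Tuple

Coord = Tuple[str, str, str]  # (groupId, artifactId, version)

# Constructed fixture: a trimmed CycloneDX 1.3 JSON BOM with only the fields this
# check reads. The tomcat-embed-core version is deliberately one behind the tree.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.yaml", "name": "snakeyaml", "version": "1.30",
         "purl": "pkg:maven/org.yaml/snakeyaml@1.30?type=jar"},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api", "version": "1.7.36",
         "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.36?type=jar"},
        {"type": "library", "group": "org.apache.tomcat.embed", "name": "tomcat-embed-core",
         "version": "9.0.63", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.63?type=jar"},
    ],
})

# Constructed fixture: lines in the format `mvn dependency:tree` prints.
SAMPLE_TREE = """\
[INFO] com.rvsoni.maven:cyclonedx-maven-demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.yaml:snakeyaml:jar:1.30:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.64:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \\- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
"""

# After the tree drawing: groupId:artifactId:type[:classifier]:version:scope.
# The root line has no scope and is skipped on purpose.
_TREE_RE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*\s*"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+)"
    r"(?::(?P<classifier>[^:\s]+))?:(?P<version>[^:\s]+):(?P<scope>[a-z]+)\s*$"
)


def parse_bom(bom_text: str) -> Dict[Coord, str]:
    """Return {(group, name, version): purl} for every component in the BOM.

    A missing purl or version is kept as "" so the caller can flag it: scanners
    look advisories up by purl, so such an entry is invisible to them.
    """
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON BOM")
    out: Dict[Coord, str] = {}
    for c in bom.get("components", []):
        out[(c.get("group", ""), c["name"], c.get("version", ""))] = c.get("purl", "")
    return out


def parse_tree(tree_text: str) -> Dict[Coord, str]:
    """Return {(group, artifact, version): scope} from `mvn dependency:tree` output."""
    out: Dict[Coord, str] = {}
    for line in tree_text.splitlines():
        m = _TREE_RE.match(line)
        if m:
            out[(m["group"], m["artifact"], m["version"])] = m["scope"]
    return out


def diff_bom(bom: Dict[Coord, str], tree: Dict[Coord, str],
             included_scopes: Set[str] = frozenset(("compile", "provided", "runtime", "system"))
             ) -> Tuple[Set[Coord], Set[Coord], Set[Coord]]:
    """Compare the BOM with what Maven resolved; returns (missing, extra, no_purl).

    missing: resolved in an included scope but absent from the BOM
    extra:   in the BOM but not resolved at all (stale or wrong version)
    no_purl: BOM components without a purl
    """
    expected = {coord for coord, scope in tree.items() if scope in included_scopes}
    missing = expected - set(bom)
    extra = set(bom) - set(tree)
    no_purl = {coord for coord, purl in bom.items() if not purl}
    return missing, extra, no_purl


def check(bom_text: str, tree_text: str) -> bool:
    """Print every discrepancy; True only when the BOM matches the tree exactly."""
    missing, extra, no_purl = diff_bom(parse_bom(bom_text), parse_tree(tree_text))
    for label, coords in (("missing from BOM", missing),
                          ("in BOM but not resolved", extra),
                          ("no purl", no_purl)):
        for g, a, v in sorted(coords):
            print(f"{label}: {g}:{a}:{v}")
    return not (missing or extra or no_purl)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # assumed usage: bomcheck.py target/bom.json tree.log
        with open(sys.argv[1]) as fb, open(sys.argv[2]) as ft:
            bom_text, tree_text = fb.read(), ft.read()
    else:
        bom_text, tree_text = SAMPLE_BOM, SAMPLE_TREE
    sys.exit(0 if check(bom_text, tree_text) else 1)
```

With real inputs, run `mvn dependency:tree > tree.log` after the build and then `python bomcheck.py target/bom.json tree.log`; without arguments it runs on the fixtures and reports the stale tomcat-embed-core entry as both missing (9.0.64) and extra (9.0.63). A component without a purl is reported separately because purl is the identifier Dependency-Track and most other scanners use to look up advisories, so a BOM entry without one contributes nothing to the vulnerability analysis.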

Code: https://github.com/rvsoni/cyclonedx-maven-demo
