The CycloneDX Gradle plugin creates an aggregate of all direct and transitive dependencies of a project and creates a valid CycloneDX bill-of-materials document from the results. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.
Execution:
gradle cyclonedxBomOutput CycloneDX Generation Info:
gradle cyclonedxBom -infoExclude BOM Serial Number:
gradle cyclonedxBom -Pcyclonedx.includeBomSerialNumber=falsebuild.gradle (excerpt)
plugins {
id 'org.cyclonedx.bom'
}
apply plugin: 'java'
apply plugin: 'maven'
repositories {
mavenCentral()
}settings.gradle (excerpt)
pluginManagement {
resolutionStrategy {
eachPlugin {
if (requested.id.toString() == 'org.cyclonedx.bom') {
useModule('org.cyclonedx:cyclonedx-gradle-plugin:1.1.1')
}
}
}
repositories {
mavenCentral()
}
}Once a BOM is generated, it will reside at ./build/reports/bom.xml
Configuration: You can control the configurations included in the BOM:
cyclonedxBom {
// skipConfigs is a list of configuration names to exclude when generating the BOM
skipConfigs += ["compileClasspath", "testCompileClasspath"]
}Run gradle with info logging (-i option) to see which configurations add to the BOM.
CycloneDX Gradle Plugin is Copyright (c) Steve Springett. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.