Generating SBOM for Java apps built with Ant
Hello Team,
What tool can I use to generate SBOM for Java applications built with Ant? There does not appear to be a specific plugin for Ant (only Maven and Gradle) and the CLI tool does not actually generate library components and scan the jars to determine the version/license.
Thanks.
If you're using Ivy, you should be able to use the Maven plugin with Ant/Ivy. If you're not using Ivy, then it's highly likely you're manually managing dependencies, in which case you'll also need to manually manage the SBOM, or acquire a binary analysis tool that can evaluate the dependencies and generate the SBOM from the evidence.
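For the "manually managed dependencies" case above, here is an added example of what hand-rolling the SBOM can look like; it is not code from this thread or from the CycloneDX project. It assumes an Ant build that keeps its third-party jars as plain files in a lib/ directory, reads each jar's embedded Maven metadata (META-INF/maven/<group>/<artifact>/pom.properties, which most published jars carry) to recover group/artifact/version, hashes the jar, and writes a minimal CycloneDX 1.4 JSON document with Package URLs. Jars that have no Maven metadata are still listed with a placeholder version rather than dropped, so the gaps are visible for manual review. The sample jars and the names my-ant-app, example-lib and legacy-util are constructed for the demo.

```python
"""Minimal CycloneDX JSON SBOM from a directory of jars (added example, not CycloneDX's own tooling)."""
import hashlib
import json
import os
import tempfile
import zipfile
from typing import Optional


def read_pom_properties(jar_path: str) -> Optional[dict]:
    """Return {groupId, artifactId, version} from the jar's embedded pom.properties, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                    line = raw.strip()
                    if not line or line.startswith("#") or "=" not in line:
                        continue
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
                if {"groupId", "artifactId", "version"} <= props.keys():
                    return props
    return None


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large jars do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def jar_to_component(jar_path: str) -> dict:
    """Describe one jar as a CycloneDX library component."""
    props = read_pom_properties(jar_path)
    comp = {"type": "library",
            "hashes": [{"alg": "SHA-256", "content": sha256_of(jar_path)}]}
    if props:
        group, name, version = props["groupId"], props["artifactId"], props["version"]
        purl = f"pkg:maven/{group}/{name}@{version}"
        comp.update({"group": group, "name": name, "version": version,
                     "purl": purl, "bom-ref": purl})
    else:
        # No Maven metadata: fall back to the file name and flag the version as unknown
        # so the entry stands out when the SBOM is reviewed by hand.
        stem = os.path.splitext(os.path.basename(jar_path))[0]
        comp.update({"name": stem, "version": "UNKNOWN",
                     "bom-ref": f"file:{os.path.basename(jar_path)}"})
    return comp


def build_sbom(lib_dir: str, app_name: str, app_version: str) -> dict:
    """Assemble the top-level CycloneDX document for every *.jar in lib_dir."""
    jars = sorted(f for f in os.listdir(lib_dir) if f.endswith(".jar"))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": [jar_to_component(os.path.join(lib_dir, j)) for j in jars],
    }


def make_sample_lib_dir() -> str:
    """Constructed sample input: one jar with pom.properties, one legacy jar without."""
    lib_dir = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(lib_dir, "example-lib-1.2.3.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.example/example-lib/pom.properties",
                    "#Generated by Maven\ngroupId=org.example\n"
                    "artifactId=example-lib\nversion=1.2.3\n")
    with zipfile.ZipFile(os.path.join(lib_dir, "legacy-util.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return lib_dir


def sample_sbom() -> dict:
    """Run the generator over the constructed sample so the result can be inspected."""
    return build_sbom(make_sample_lib_dir(), "my-ant-app", "0.1.0")


if __name__ == "__main__":
    print(json.dumps(sample_sbom(), indent=2))
```

Point the generator at the real lib/ directory instead of make_sample_lib_dir() and it will emit the dependency list as-is; licence information is not in pom.properties, so that column still has to come from a scanner or by hand.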
I had assumed that the CycloneDX CLI tool would actually scan the binaries and produce a similar SBOM to the one the Maven/Gradle plugin produces. Is that not the case?
Would the scancode toolkit be a binary scanner to start with?
The CycloneDX CLI is a useful utility that does many things. But it doesn't understand any build systems or file types; that's not in scope for the app. The CLI can create source SBOMs, basically a listing of all source files and their properties. So that's likely not what you're looking for.
scancode toolkit would be my first choice, yes. scancode also supports CycloneDX.
Steve, it looks like you contribute to the OWASP Dependency Checker as a binary scanner for Jenkins, which we use extensively. Are there any tools that would take the output from dependency checker and convert it to an SBOM?
I have not contributed to Dependency-Check or the Jenkins plugin for several years. The Jenkins plugin has a new maintainer. I have no idea if there are tools that support exporting to CycloneDX from Dependency-Check. You may want to ask that community.