sbt SBOM exporter
The aim of this project is to:
- extract a valid CycloneDX BOM file from sbt projects
- ensure that the BOM file is processable with Software Composition Analysis tools (such as Dependency-Track)
The current version of the plugin is 0.3.0, published to the Central Repository.
Snapshot versions are published to the Sonatype Repository.
Add the plugin dependency to the file project/plugins.sbt using addSbtPlugin:
```scala
addSbtPlugin("io.github.siculo" %% "sbt-bom" % "0.3.0")
```
Note that the minimum supported version of sbt is 1.5.2 (this is the version the scripted tests target).
To create the BOM for the default configuration use the `makeBom` command:
```
> sbt makeBom
```
This creates the BOM file inside the `target` directory. The name of the file depends on the `name` and `version` settings of the current project. For example, if `name` and `version` are `myArtifact` and `1.0`, the file name is `myArtifact-1.0.bom.xml`.
It is possible to create the BOM for different scopes, so that all dependencies of that scope are included in the generated BOM file. The default scope is `Compile`. For now the other supported scopes are `Test` and `IntegrationTest`. To generate the BOM for a certain scope, add the scope as a prefix to the `makeBom` command (quoted, so that sbt receives it as a single command rather than three separate ones):
```
> sbt "Test / makeBom"
> sbt "IntegrationTest / makeBom"
```
The `listBom` command can be used to generate the contents of the BOM without writing it to a file. The BOM is returned as the task's result, so display it with `show`:
```
> sbt "show listBom"
```
Setting | Type | Default | Description |
---|---|---|---|
bomFileName | String | "${artifactId}-${artifactVersion}.bom.xml" | BOM file name (written inside the target directory) |
bomFormat | String | the format implied by the bomFileName extension, otherwise "json" | BOM format: "json" or "xml" |
bomSchemaVersion | String | "1.6" | CycloneDX schema version |
includeBomSerialNumber | Boolean | false | include a serial number in the BOM (a urn:uuid that is unique to each generated BOM) |
includeBomTimestamp | Boolean | false | include the generation timestamp in the BOM |
includeBomToolVersion | Boolean | true | include the tool version in the BOM |
includeBomHashes | Boolean | true | include artifact hashes in the BOM |
enableBomSha3Hashes | Boolean | true | enable the generation of SHA-3 hashes (not available on Java 8) |
includeBomExternalReferences | Boolean | true | include external references in the BOM |
includeBomDependencyTree | Boolean | true | include the dependency tree in the BOM (bomSchemaVersion 1.1 and later) |
Because the default file name ends in .xml, the default output is XML; give bomFileName a .json name, or set bomFormat to "json", to get JSON. The serial number and timestamp are the two fields that differ between otherwise identical runs, which is why both are off by default.
Sample configuration:
```scala
lazy val root = (project in file("."))
  .settings(
    // file name for the default (Compile) scope, written inside target/
    bomFileName := "bom.xml",
    // file name used by Test / makeBom
    Test / bomFileName := "test.bom.xml",
    // file name used by IntegrationTest / makeBom; the IntegrationTest configuration
    // has to be enabled on the project (.configs(IntegrationTest)) for this scope to exist
    IntegrationTest / bomFileName := "integrationTest.bom.xml",
  )
```
This plugin supports the CycloneDX XML and JSON BOM formats.
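The second aim listed at the top of this page, a BOM that SCA tools can actually ingest, is worth checking in CI before the file is uploaded anywhere. The script below is an added example, not code from the sbt-bom plugin: it reads a BOM in either of the two formats the plugin emits (JSON or XML) and reports dangling dependency refs, missing or duplicate bom-refs, missing purls, and digests whose length does not match the declared hash algorithm. The sample BOMs embedded in it are constructed to resemble the plugin's output for a project named myArtifact at version 1.0; the component coordinates and digests are placeholders, not real artifacts, and the set of checks is this example's own choice rather than anything Dependency-Track documents.

```python
"""Pre-upload sanity check for a CycloneDX BOM (JSON or XML).
Added example, not part of the sbt-bom plugin; the sample BOMs at the bottom are constructed
by hand to resemble the plugin's output for a project named myArtifact at version 1.0.
"""
import json
import re
import xml.etree.ElementTree as ET

# Hex length of a digest for each CycloneDX hash algorithm name the plugin can emit.
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128,
                "SHA3-256": 64, "SHA3-384": 96, "SHA3-512": 128}


def _from_json(text):
    doc = json.loads(text)
    comps = [{"ref": c.get("bom-ref"), "purl": c.get("purl"),
              "hashes": [(h.get("alg"), h.get("content")) for h in c.get("hashes", [])]}
             for c in doc.get("components", [])]
    return {"spec": doc.get("specVersion"),
            "root_ref": doc.get("metadata", {}).get("component", {}).get("bom-ref"),
            "components": comps,
            "dependencies": {d.get("ref"): d.get("dependsOn", []) for d in doc.get("dependencies", [])}}


def _from_xml(text):
    """Same reduction for an XML BOM; the schema version is taken from the namespace URI."""
    root = ET.fromstring(text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    q = lambda name: f"{{{ns}}}{name}" if ns else name              # namespace-qualify a tag
    kids = lambda el, name: [] if el is None else el.findall(q(name))
    comps = []
    for c in kids(root.find(q("components")), "component"):
        purl = c.find(q("purl"))
        comps.append({"ref": c.get("bom-ref"), "purl": purl.text if purl is not None else None,
                      "hashes": [(h.get("alg"), (h.text or "").strip())
                                 for h in kids(c.find(q("hashes")), "hash")]})
    root_comp = kids(root.find(q("metadata")), "component")
    return {"spec": ns.rsplit("/", 1)[-1] if ns else None,            # ".../bom/1.6" -> "1.6"
            "root_ref": root_comp[0].get("bom-ref") if root_comp else None,
            "components": comps,
            "dependencies": {d.get("ref"): [x.get("ref") for x in d.findall(q("dependency"))]
                             for d in kids(root.find(q("dependencies")), "dependency")}}


def check_bom(text):
    """Return a list of findings; an empty list means the BOM passed every check."""
    bom = _from_xml(text) if text.lstrip().startswith("<") else _from_json(text)
    findings = []
    if not bom["spec"]:
        findings.append("missing specVersion")
    refs = {bom["root_ref"]} if bom["root_ref"] else set()
    for i, c in enumerate(bom["components"]):
        label = c["purl"] or c["ref"] or f"components[{i}]"
        if not c["ref"]:
            findings.append(f"{label}: missing bom-ref")
        elif c["ref"] in refs:
            findings.append(f"{label}: duplicate bom-ref")
        else:
            refs.add(c["ref"])
        if not (c["purl"] or "").startswith("pkg:"):
            findings.append(f"{label}: missing or malformed purl")
        for alg, value in c["hashes"]:
            expected = HASH_HEX_LEN.get(alg)
            if expected is None:
                findings.append(f"{label}: unknown hash algorithm {alg!r}")
            elif not value or not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) != expected:
                findings.append(f"{label}: {alg} value is not {expected} hex chars")
    # Every ref in the dependency graph must name the root component or a listed component.
    for ref, targets in bom["dependencies"].items():
        for target in [ref] + targets:
            if target not in refs:
                findings.append(f"dependencies: unknown bom-ref {target!r}")
    return findings


ROOT = "pkg:maven/com.example/myArtifact@1.0?type=jar"
LIB = "pkg:maven/org.scala-lang/scala-library@2.13.12?type=jar"
# Constructed JSON BOM; the digest is the SHA-256 of the empty string, used as a placeholder.
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "metadata": {"component": {"type": "library", "bom-ref": ROOT, "name": "myArtifact", "version": "1.0"}},
    "components": [{"type": "library", "bom-ref": LIB, "group": "org.scala-lang", "name": "scala-library",
                    "version": "2.13.12", "purl": LIB, "hashes": [{"alg": "SHA-256", "content":
                    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]}],
    "dependencies": [{"ref": ROOT, "dependsOn": [LIB]}, {"ref": LIB, "dependsOn": []}],
})
# The same BOM with two defects worth catching before upload: a truncated digest and a dangling ref.
_broken = json.loads(SAMPLE_JSON)
_broken["components"][0]["hashes"][0]["content"] = "e3b0c44298fc1c149afb"
_broken["dependencies"][0]["dependsOn"].append("pkg:maven/com.example/missing@1.0?type=jar")
BROKEN_JSON = json.dumps(_broken)
# Constructed XML BOM; the digest is the SHA-1 of the empty string.
SAMPLE_XML = f"""<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1">
  <metadata><component type="library" bom-ref="{ROOT}"><name>myArtifact</name><version>1.0</version></component></metadata>
  <components><component type="library" bom-ref="{LIB}"><name>scala-library</name><version>2.13.12</version>
  <purl>{LIB}</purl><hashes><hash alg="SHA-1">da39a3ee5e6b4b0d3255bfef95601890afd80709</hash></hashes></component></components>
  <dependencies><dependency ref="{ROOT}"><dependency ref="{LIB}"/></dependency></dependencies></bom>"""

if __name__ == "__main__":
    for name, text in (("json", SAMPLE_JSON), ("xml", SAMPLE_XML), ("broken", BROKEN_JSON)):
        print(name, check_bom(text) or "OK")
```

To use it on a real build, read target/myArtifact-1.0.bom.xml (or whatever bomFileName produces) and pass its contents to check_bom; a non-empty list is the signal to fail the pipeline step instead of uploading. The digest-length check is deliberately strict because a digest of the wrong length can never match anything an SCA tool looks up, and a dependency entry that points at a bom-ref absent from the components list leaves the tool with an unresolvable graph edge.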
We believe this plugin is stable enough to be used in production, but we do not yet promise API stability: you may need to make configuration changes or encounter changed behaviour when updating the plugin.
There are two types of test: unit tests written with ScalaTest, and scripted tests.
Unit tests use ScalaTest syntax. Only pure logic classes are tested this way.
To run unit tests use the `test` command to run all tests, or `testOnly ...` specifying the list of tests to be executed.
Scripted is a tool that allows you to test sbt plugins. For each test it is necessary to create a specially crafted project; these projects live in the src/sbt-test directory.
Scripted tests are run using the `scripted` command. Note that they fail on JDK 21 due to the old version of sbt the tests target.
The codebase is formatted with scalafmt, so the code needs to be formatted before submitting a PR.
Various runners for scalafmt exist, such as:
- An sbt scalafmt plugin that lets you run scalafmt directly within sbt: `scalafmt` formats the main Scala sources, `test:scalafmt` the test Scala sources, `scalafmtSbt` the build.sbt file, and `scalafmtAll` everything
- IntelliJ IDEA and VSCode automatically detect projects with scalafmt and prompt you whether to use scalafmt; see the scalafmt installation guide for more details
- Native builds of scalafmt let you run `scalafmt` as a CLI tool; see the CLI section in the scalafmt installation guide
Note that a GitHub Action exists which checks that your code is formatted whenever you create a PR.
This project uses scalafix as a linter/style guide enforcer. To run scalafix you can simply do:
```
> sbt clean Test/clean scalafixAll
```
Note that running scalafix may generate code that isn't compliant with scalafmt, so it's a good idea to run scalafmt on the code afterward.
Changelog (newest first):
- The BOM is generated so that it takes into account the scope (Compile, Test, ...) and its dependencies
- targetBomFile setting replaced by bomFileName
- default BOM file name is ${artifactId}-${version}.bom.xml
- GroupId has been changed to io.github.siculo
- Generated BOM is a valid 1.0 BOM file (removed unexpected properties such as the BOM serial number and license URL)
- The cyclonedx-core-java library has been integrated and is used to generate the BOM
- Removed all old model classes used so far
- First release