
Generating SBOM for Java apps built with Ant #177

Open
lweitzel01 opened this issue Feb 23, 2022 · 5 comments
Labels
question Further information is requested

Comments

@lweitzel01

Hello Team,

What tool can I use to generate SBOM for Java applications built with Ant? There does not appear to be a specific plugin for Ant (only Maven and Gradle) and the CLI tool does not actually generate library components and scan the jars to determine the version/license.

Thanks.

@lweitzel01 lweitzel01 changed the title Generating SBOM for Java apps not built with Ant Generating SBOM for Java apps built with Ant Feb 23, 2022
@stevespringett
Member

If you're using Ivy, you should be able to use the Maven plugin with Ant/Ivy. If you're not using Ivy, then it's highly likely you're manually managing dependencies, in which case you'll also need to manually manage the SBOM, or acquire a binary analysis tool that can evaluate the dependencies and generate the SBOM from the evidence.

@stevespringett stevespringett added the question Further information is requested label Feb 23, 2022
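For the "manually managed dependencies" case above, here is an added example (not code from CycloneDX or from this thread) of the evidence-based approach: it walks an Ant-style `lib/` directory, records a SHA-256 hash for every jar, and fills in Maven coordinates and a purl when the jar carries a `META-INF/maven/.../pom.properties`, emitting a minimal CycloneDX 1.4 JSON document. The sample jars are constructed in a temp dir; `make_sample_lib`, `jar_coordinates`, `sha256_of` and `build_sbom` are hypothetical helper names.

```python
import hashlib, json, os, tempfile, zipfile

def make_sample_lib():
    """Constructed sample lib/ dir: one jar with Maven pom.properties, one without."""
    lib = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(lib, "commons-io-2.11.0.jar"), "w") as z:
        z.writestr("META-INF/maven/commons-io/commons-io/pom.properties",
                   "groupId=commons-io\nartifactId=commons-io\nversion=2.11.0\n")
    with zipfile.ZipFile(os.path.join(lib, "legacy-util.jar"), "w") as z:
        z.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe")  # dummy class bytes
    return lib

def jar_coordinates(path):
    """Return (groupId, artifactId, version) from an embedded pom.properties, or None."""
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                lines = z.read(name).decode("utf-8", "replace").splitlines()
                props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
                return props["groupId"].strip(), props["artifactId"].strip(), props["version"].strip()
    return None

def sha256_of(path):
    h = hashlib.sha256()  # file hash is the evidence a consumer can verify independently
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_sbom(lib_dir):
    """Minimal CycloneDX 1.4 JSON: one library component per jar, hash always, purl when known."""
    components = []
    for fname in sorted(f for f in os.listdir(lib_dir) if f.endswith(".jar")):
        path = os.path.join(lib_dir, fname)
        comp = {"type": "library", "hashes": [{"alg": "SHA-256", "content": sha256_of(path)}]}
        coords = jar_coordinates(path)
        if coords:
            g, a, v = coords
            comp.update({"group": g, "name": a, "version": v, "purl": f"pkg:maven/{g}/{a}@{v}"})
        else:  # no self-identification: keep the file name so it can be resolved by hand or by a binary scanner
            comp.update({"name": fname, "version": "unknown"})
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": components}

if __name__ == "__main__":
    print(json.dumps(build_sbom(make_sample_lib()), indent=2))
```

Jars without Maven metadata come out with `version: unknown`, which is the point: the hash is trustworthy evidence, but the identity still has to be established manually or by a binary analysis tool before the SBOM is useful for vulnerability matching.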
@lweitzel01
Author

lweitzel01 commented Feb 23, 2022

I had assumed that the CycloneDX CLI tool would actually scan the binaries and produce an SBOM similar to the one from the Maven/Gradle plugin. Is that not the case?

Would the scancode toolkit be a binary scanner to start with?

@stevespringett
Member

The CycloneDX CLI is a useful utility that does many things. But it doesn't understand any build systems or file types; that's not in scope for the app. The CLI can create source SBOMs, basically a listing of all source files and their properties. So that's likely not what you're looking for.

scancode toolkit would be my first choice, yes. scancode also supports CycloneDX.

@lweitzel01
Author

Steve,
It looks like you contribute to the OWASP Dependency Checker as a binary scanner for jenkins which we use extensively. Are there any tools that would take the output from dependency checker and convert it to SBOM?

@stevespringett
Member

I have not contributed to Dependency-Check or the Jenkins plugin for several years. The Jenkins plugin has a new maintainer. I have no idea if there are tools that support exporting to CycloneDX from Dependency-Check. You may want to ask that community.
