Generating SBOM for Java apps built with Ant #177
Comments
If you're using Ivy, you should be able to use the Maven plugin with Ant/Ivy. If you're not using Ivy, then it's highly likely you're manually managing dependencies, in which case you'll also need to manually manage the SBOM, or acquire a binary analysis tool that can evaluate the dependencies and generate the SBOM from the evidence.
I had assumed that the CycloneDX CLI tool would actually scan the binaries and produce a similar SBOM the same as the Maven/Gradle plugin. Is that not the case? Would the scancode toolkit be a binary scanner to start with?
The CycloneDX CLI is a useful utility that does many things. But it doesn't understand any build systems or file types, that's not in scope for the app. The CLI can create source SBOMs, basically a listing of all source files and their properties. So that's likely not what you're looking for. scancode toolkit would be my first choice, yes. scancode also supports CycloneDX.
Steve,
I have not contributed to Dependency-Check or the Jenkins plugin for several years. The Jenkins plugin has a new maintainer. I have no idea if there are tools that support exporting to CycloneDX from Dependency-Check. You may want to ask that community.
Hello Team,
What tool can I use to generate SBOM for Java applications built with Ant? There does not appear to be a specific plugin for Ant (only Maven and Gradle) and the CLI tool does not actually generate library components and scan the jars to determine the version/license.
Thanks.
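As an added illustration of generating an SBOM "from the evidence" in manually managed jars (this is not code from the CycloneDX project or from anyone in this thread), the sketch below reads the Maven `pom.properties` or `MANIFEST.MF` inside each jar and emits CycloneDX 1.4 JSON. The function names and the default `lib` directory are assumptions made for the example.

```python
import hashlib, io, json, sys, zipfile
from pathlib import Path

def _pairs(text, sep):
    """Parse 'key<sep>value' lines; skip comments and manifest continuation lines."""
    out = {}
    for line in text.splitlines():
        key, found, value = line.partition(sep)
        if found and not line.startswith(("#", " ")):
            out[key.strip()] = value.strip()
    return out

def component_from_jar(path):
    """Build one CycloneDX component from the evidence inside a jar."""
    data = Path(path).read_bytes()
    comp = {"type": "library", "name": Path(path).stem,  # fallback name: file stem
            "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}]}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        poms = [n for n in names
                if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]
        # Several pom.properties means a shaded/fat jar: no single coordinate applies.
        p = _pairs(jar.read(poms[0]).decode("utf-8", "replace"), "=") if len(poms) == 1 else {}
        if {"groupId", "artifactId", "version"} <= p.keys():
            comp.update(group=p["groupId"], name=p["artifactId"], version=p["version"],
                        purl=f"pkg:maven/{p['groupId']}/{p['artifactId']}@{p['version']}")
        elif "META-INF/MANIFEST.MF" in names:  # weaker evidence: version header only
            m = _pairs(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"), ": ")
            version = m.get("Implementation-Version") or m.get("Bundle-Version")
            if version:
                comp["version"] = version
    return comp

def build_sbom(lib_dir):
    """Scan every jar under lib_dir and return a CycloneDX 1.4 document as a dict."""
    comps = [component_from_jar(p) for p in sorted(Path(lib_dir).rglob("*.jar"))]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": comps}

def constructed_jar(path, entries):
    """Write a constructed sample jar (name -> text entries) for trying the scanner."""
    with zipfile.ZipFile(path, "w") as jar:
        for name, text in entries.items():
            jar.writestr(name, text)

if __name__ == "__main__":
    lib = sys.argv[1] if len(sys.argv) > 1 else "lib"  # assumed Ant dependency directory
    print(json.dumps(build_sbom(lib), indent=2))
```

Components that end up without a `purl` or `version` are the ones whose identity still has to be recorded by hand; the SHA-256 hash is present for every jar either way.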