{"id":19248977,"url":"https://github.com/sbt/sbt-sbom","last_synced_at":"2026-02-28T08:36:13.809Z","repository":{"id":40351578,"uuid":"176523816","full_name":"sbt/sbt-sbom","owner":"sbt","description":"sbt bom.xml exporter","archived":false,"fork":false,"pushed_at":"2026-02-24T23:04:18.000Z","size":629,"stargazers_count":36,"open_issues_count":18,"forks_count":15,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-02-25T04:16:01.355Z","etag":null,"topics":["bom","cyclonedx","dependency-analysis","plugin","sbt","scala","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Scala","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sbt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-03-19T13:58:11.000Z","updated_at":"2026-02-24T23:04:22.000Z","dependencies_parsed_at":"2024-12-09T12:20:27.707Z","dependency_job_id":"be0f4483-4cad-47ae-a189-30f7eed90260","html_url":"https://github.com/sbt/sbt-sbom","commit_stats":null,"previous_names":["sbt/sbt-sbom","siculo/sbt-bom"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/sbt/sbt-sbom","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbt%2Fsbt-sbom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbt%2Fsbt-sbom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbt%2Fsbt-sbom/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/sbt%2Fsbt-sbom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sbt","download_url":"https://codeload.github.com/sbt/sbt-sbom/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbt%2Fsbt-sbom/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29928982,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T19:37:42.220Z","status":"online","status_checked_at":"2026-02-28T02:00:07.010Z","response_time":90,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bom","cyclonedx","dependency-analysis","plugin","sbt","scala","security-tools"],"created_at":"2024-11-09T18:11:50.842Z","updated_at":"2026-02-28T08:36:13.799Z","avatar_url":"https://github.com/sbt.png","language":"Scala","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!--\nSPDX-FileCopyrightText: The sbt-sbom team\n\nSPDX-License-Identifier: MIT\n--\u003e\n\n# sbt-sbom\n\n*sbt SBOM exporter*\n\nThe aim of this [project](https://github.com/sbt/sbt-sbom/) is to:\n\n- extract a valid [CycloneDx](https://cyclonedx.org/) bom file from [sbt](https://www.scala-sbt.org/) projects\n- ensure that the bom file is processable with Software Composition Analysis tools (like [Dependency Track](https://dependencytrack.org/))\n\nThe current version of the plugin is 0.5.0, published to the Central Repository.\n\nSnapshot versions are published to the 
[Sonatype Repository](https://s01.oss.sonatype.org/content/repositories/snapshots).\n\n## usage\n\n### project setup\n\nAdd the plugin dependency to the file `project/plugins.sbt` using `addSbtPlugin`:\n\n`addSbtPlugin(\"com.github.sbt\" %% \"sbt-sbom\" % \"0.5.0\")`\n\nNote that the minimum supported version of sbt is 1.6.0 (this is what the [scripted](https://www.scala-sbt.org/1.x/docs/Testing-sbt-plugins.html#scripted+test+framework) tests target).\n\n### BOM creation\n\nTo create the bom for the default configuration use the `makeBom` command:\n\n`\u003e sbt makeBom`\n\nThis creates the BOM file inside the `target` directory. The name of the file created depends on the `name` and `version` properties of the current project. For example, if name and version are `myArtifact` and `1.0`, the file name is `myArtifact-1.0.bom.json`.\n\n### scope selection\n\nIt is possible to create the BOM for different scopes, so that all dependencies of the scopes are included in the generated BOM files. The default scope is `Compile`. For now the other supported scopes are `Provided`, `Test` and `IntegrationTest`. To generate the BOM for a certain scope, add the scope as a prefix to the `makeBom` command:\n\n`\u003e sbt Provided / makeBom`\n\n`\u003e sbt Test / makeBom`\n\n`\u003e sbt IntegrationTest / makeBom`\n\n### listing BOM content\n\nThe `listBom` command can be used to generate the contents of the BOM without writing it to a file. The BOM is returned as command output. 
To display the BOM content use: \n\n`\u003e sbt show listBom`\n\n### configuration\n\n| Setting                      | Type    | Default                                                                | Description                                                     |\n|------------------------------|---------|------------------------------------------------------------------------|-----------------------------------------------------------------|\n| bomFileName                  | String  | `\"${artifactId}-${artifactVersion}.bom.json\"`                          | bom file name                                                   |\n| bomFormat                    | String  | `json` or `xml`, defaults to the format of bomFileName or else `json`  | bom format                                                      |\n| bomSchemaVersion             | String  | `\"1.6\"`                                                                | bom schema version                                              |\n| includeBomSerialNumber       | Boolean | `false`                                                                | include serial number in bom                                    |\n| includeBomTimestamp          | Boolean | `false`                                                                | include timestamp in bom                                        |\n| includeBomToolVersion        | Boolean | `true`                                                                 | include tool version in bom                                     |\n| includeBomHashes             | Boolean | `true`                                                                 | include artifact hashes in bom                                  |\n| enableBomSha3Hashes          | Boolean | `true`                                                                 | enable the generation of sha3 hashes (not available on java 8)  |\n| includeBomExternalReferences | Boolean | `true`                               
                                  | include external references in bom                              |\n| includeBomDependencyTree     | Boolean | `true`                                                                 | include dependency tree in bom (bomSchemaVersion 1.1 and later) |\n\nSample configuration:\n\n```scala\nlazy val root = (project in file(\".\"))\n  .settings(\n    bomFileName := \"bom.xml\",\n    Test / bomFileName := \"test.bom.xml\",\n    IntegrationTest / bomFileName := \"integrationTest.bom.xml\",\n  )\n```\n\n## CycloneDX support\n\nThis plugin supports the CycloneDX XML and JSON BOM formats.\n\n## Stability\n\nWe believe this plugin is stable enough to be used in production, but\nwe do not yet promise API stability: you may need to make configuration\nchanges or encounter changed behaviour when updating the plugin.\n\n## Contributing\n\n### testing\n\nThere are two types of tests: unit tests written with scalatest, and scripted tests.\n\n### unit test\n\nUnit tests are written using scalatest syntax. Only pure logic classes are tested using these tests.\n\nTo run unit tests use the `test` command to run all tests, or the `testOnly ...` command specifying the list of tests to be\nexecuted.\n\n### scripted tests\n\n[Scripted](https://www.scala-sbt.org/1.x/docs/Testing-sbt-plugins.html) is a tool that allows you to test sbt plugins.\nFor each test it is necessary to create a specially crafted project. These projects are inside the src/sbt-test directory.\n\nScripted tests are run using the `scripted` command. 
Note that these fail on JDK 21 due to the old version of sbt.\n\n### Formatting\n\nThe codebase is formatted with [scalafmt](https://scalameta.org/scalafmt/), so the codebase needs to be formatted\nbefore submitting a PR.\n\nVarious runners for Scalafmt exist, such as:\n* An [sbt scalafmt plugin](https://github.com/scalameta/sbt-scalafmt) that lets you run scalafmt directly within sbt using\n    * `scalafmt` to format base scala sources\n    * `test:scalafmt` to format test scala sources\n    * `scalafmtSbt` to format the `build.sbt` file\n    * `scalafmtAll` to format everything\n* IntelliJ IDEA and VSCode will automatically detect projects with scalafmt and prompt you whether to use Scalafmt. See\n  the [scalafmt installation guide][scalafmt-installation-link] for more details\n* There are native builds of Scalafmt that let you run `scalafmt` as a CLI tool; see the CLI section in\n  the [scalafmt installation guide][scalafmt-installation-link]\n\nNote that a [GitHub action exists](https://github.com/sbt/sbt-sbom/blob/main/.github/workflows/format.yml) which will\ncheck that your code is formatted whenever you create a PR.\n\n### Linting\n\nThis project uses [scalafix](https://scalacenter.github.io/scalafix/) as a linter/style guide enforcer. To run scalafix\nyou can simply do\n\n```sbt\nclean test/clean scalafixAll\n```\n\nNote that it's possible that running scalafix may generate code that isn't compliant with scalafmt, so it's\na good idea to [run scalafmt](#formatting) on the code afterward.\n\n## changelog\n\n### v0.4.0\n\n- Generate the latest supported CycloneDX version (1.6)\n- Default BOM file name is `${artifactId}-${version}.bom.json`\n- GroupId has been changed to `com.github.sbt`\n- SBOM extractor improvements\n\n### v0.3.0\n- The BOM is generated so that it takes into account the Scope (Compile, Test...) 
and its dependencies\n- targetBomFile setting replaced by bomFileName\n- default BOM file name is ${artifactId}-${version}.bom.xml\n- GroupId has been changed to io.github.siculo\n- Generated BOM is a valid 1.0 BOM file (removed unexpected properties like BOM serial number and license URL)\n\n### v0.2.0\n- The cyclonedx-core-java library has been integrated and is used to generate the BOM\n- Removed all old model classes used so far\n\n### v0.1.0\n- First release\n\n[scalafmt-installation-link]: https://scalameta.org/scalafmt/docs/installation.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbt%2Fsbt-sbom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsbt%2Fsbt-sbom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbt%2Fsbt-sbom/lists"}