Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/sbt/sbt-sbom

sbt bom.xml exporter
https://github.com/sbt/sbt-sbom

bom cyclonedx dependency-analysis plugin sbt scala security-tools

Last synced: 2 months ago
JSON representation

sbt bom.xml exporter

Host: GitHub
URL: https://github.com/sbt/sbt-sbom
Owner: sbt
License: mit
Created: 2019-03-19T13:58:11.000Z (almost 6 years ago)
Default Branch: main
Last Pushed: 2024-10-26T22:49:23.000Z (3 months ago)
Last Synced: 2024-10-26T23:59:56.827Z (3 months ago)
Topics: bom, cyclonedx, dependency-analysis, plugin, sbt, scala, security-tools
Language: Scala
Homepage:
Size: 274 KB
Stars: 20
Watchers: 7
Forks: 7
Open Issues: 12
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# sbt-sbom

*sbt SBOM exporter*

The aim of this [project](https://github.com/sbt/sbt-sbom/) is to:

- extract a valid [CycloneDx](https://cyclonedx.org/) bom file from [sbt](https://www.scala-sbt.org/) projects
- ensure that the bom file is processable with Software Composition Analysis tools (like [Dependency Track](https://dependencytrack.org/))

Current version of the plugin is 0.3.0, published to the Central Repository.

Snapshot version are published to the [Sonatype Repository](https://s01.oss.sonatype.org/content/repositories/snapshots).

## usage

### project setup

Add the plugin dependency to the file `project/plugins.sbt` using `addSbtPlugin` :

`addSbtPlugin("io.github.siculo" %% "sbt-bom" % "0.3.0")`

Note that the minimum supported version of sbt is 1.5.2 (this is what the [scripted](https://www.scala-sbt.org/1.x/docs/Testing-sbt-plugins.html#scripted+test+framework) tests target)

### BOM creation

To create the bom for the default configuration use `makeBom` command:

`> sbt makeBom`

This creates the BOM file inside the `target` directory. The name of the file created depends on the `name` and `version` property of the current project. For example, if name and version are `myArtifact` and `1.0`, the file name is `myArtifact-1.0.bom.xml`.

### scope selection

It is possible to create the BOM for different scopes, so that all dependencies of the scopes are included in the generated BOM files. The default scope is `Compile`. For now the other supported scopes are `Test` and `IntegrationTest`. To generate the BOM for a certain scope, add the scope as a prefix to the `makeBom` command:

`> sbt Test / makeBom`

`> sbt IntegrationTest / makeBom`

### listing BOM content

The `listBom` command can be used to generate the contents of the BOM without writing it to a file. The BOM is returned as command output. To display the BOM content use:

`> sbt show listBom`

### configuration

| Setting | Type | Description |
|-------------|--------|---------------|
| bomFileName | String | bom file name |

Sample configuration:

```scala
lazy val root = (project in file("."))
.settings(
bomFileName := "bom.xml",
Test / bomFileName := "test.bom.xml",
IntegrationTest / bomFileName := "integrationTest.bom.xml",
)
```

## CycloneDX support

Actually, only version 1.0 of the CycloneDX specification is supported. Support for later versions of the specification, such as for creating BOMs in json format, is expected later.

## Contributing

### testing

There are two types of test: unit test done with scalatest and scripted test

### unit test

Unit tests are written using scalatest syntax. Only pure logic classes are tested using these tests.

To run unit tests use the `test` command to run all tests, or `testOnly ...` command specifying the list of test to be
executed.

### scripted tests

[Scripted](https://www.scala-sbt.org/1.x/docs/Testing-sbt-plugins.html) is a tool that allow you to test sbt plugins.
For each test it is necessary to create a specially crafted project. These projects are inside src/sbt-test directory.

Scripted tests are run using `scripted` command.

### Formatting

The codebase is formatted with [scalafmt](https://scalameta.org/scalafmt/), as such the codebase needs to be formatted
before submitting a PR.

Various runners for Scalafmt exist, such as
* A [sbt scalafmt plugin](https://github.com/scalameta/sbt-scalafmt) that lets you run scalafmt directly within sbt using
* `scalafmt` to format base scala sources
* `test:scalafmt` to format test scala sources
* `scalafmtSbt` to format the `build.sbt` file
* `scalafmtAll` to format everything
* IntelliJ IDEA and VSCode will automatically detect projects with scalafmt and prompt you whether to use Scalafmt. See
the [scalafmt installation guide][scalafmt-installation-link] for more details
* There are native builds of Scalafmt that let you run a `scalafmt` as a CLI tool, see the CLI section in
[scalafmt installation guide][scalafmt-installation-link]

Note that a [GitHub action exists](https://github.com/sbt/sbt-sbom/blob/main/.github/workflows/format.yml) which will
check that your code is formatted whenever you create a PR.

### Linting

This project uses [scalafix](https://scalacenter.github.io/scalafix/) as a linter/style guide enforcer. To run scalafix
you can simply do

```sbt
clean test/clean scalafixAll
```

Note that its possible that running scalafix may generate code that isn't compliant with scalafmt so it's
a good idea to [run scalafmt](#formatting) on the code afterward

## changelog

### v0.4.0

### v0.3.0
- The BOM is generated so that it takes into account the Scope (Compile, Test...) and its dependencies
- targetBomFile setting replaced by bomFileName
- default BOM file name is ${artifactId}-${version}.bom.xml
- GroupId has been changed to io.github.siculo
- Generated BOM is a valid 1.0 BOM file (removed unespected properties like BOM serial number and license URL)

### v0.2.0
- The cyclonedx-core-java library has been integrated and is used to generate the BOM
- Removed all old model classes used so far

### v0.1.0
- First release

[scalafmt-installation-link]: https://scalameta.org/scalafmt/docs/installation.html