CycloneDX

Generates SBOMs using CycloneDX. Multiple formats may be used at the same time.

Catalogs may be checksummed and signed when packed.

Individual and/or packed catalogs may be uploaded and released.

Snapshots are not allowed.

Configuration

YAML

catalog:
  sbom:
    cyclonedx:
      # Enables or disables the cataloger.
      # Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
      # Defaults to `NEVER`.
      active: ALWAYS

      # Enables distribution artifacts for cataloging.
      # Defaults to `true`.
      distributions: true

      # Enables files for cataloging.
      # Defaults to `true`.
      files: true

      # Additional properties used when evaluating templates.
      extraProperties:
        # Key will be capitalized and prefixed with `cyclonedx`, i.e., `cyclonedxFoo`.
        foo: bar

      # Archive all SBOMs.
      pack:
        # Enables or disables archiving.
        # Defaults to `false`.
        enabled: true

        # Defines the name of the archive.
        # Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
        name: '{{projectName}}-{{projectVersion}}-sboms'

      # Version of tool to use.
      # If unspecified, will use 1.27.1.
      version: 0.28.2

      # Target SBOM format(s).
      # If unspecified, [`JSON`].
      formats:
        - JSON
        - XML

TOML

[catalog.sbom.cyclonedx]

  # Enables or disables the cataloger.
  # Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  active = "ALWAYS"

  # Enables distribution artifacts for cataloging.
  # Defaults to `true`.
  distributions = true

  # Enables files for cataloging.
  # Defaults to `true`.
  files = true

  # Additional properties used when evaluating templates.
  # Key will be capitalized and prefixed with `cyclonedx`, i.e., `cyclonedxFoo`.
  extraProperties.foo = "bar"

  # Archive all SBOMs.
  # Enables or disables archiving.
  # Defaults to `false`.
  pack.enabled = true

  # Defines the name of the archive.
  # Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
  pack.name = "{{projectName}}-{{projectVersion}}-sboms"

  # Version of tool to use.
  # If unspecified, will use 1.27.1.
  version = "0.28.2"

  # Target SBOM format(s).
  # If unspecified, [`JSON`].
  formats = ["JSON", "XML"]

JSON

{
  "catalog": {
    "sbom": {
      "cyclonedx": {
        // Enables or disables the cataloger.
        // Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
        // Defaults to `NEVER`.
        "active": "ALWAYS",

        // Enables distribution artifacts for cataloging.
        // Defaults to `true`.
        "distributions": true,

        // Enables files for cataloging.
        // Defaults to `true`.
        "files": true,

        // Additional properties used when evaluating templates.
        "extraProperties": {
          // Key will be capitalized and prefixed with `cyclonedx`, i.e., `cyclonedxFoo`.
          "foo": "bar"
        },

        // Archive all SBOMs.
        "pack": {
          // Enables or disables archiving.
          // Defaults to `false`.
          "enabled": true,

          // Defines the name of the archive.
          // Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
          "name": "{{projectName}}-{{projectVersion}}-sboms"
        },

        // Version of tool to use.
        // If unspecified, will use 1.27.1.
        "version": "0.28.2",

        // Target SBOM format(s).
        // If unspecified, [`JSON`].
        "formats": [
          "JSON",
          "XML"
        ]
      }
    }
  }
}

Maven

<jreleaser>
  <catalog>
    <sbom>
      <cyclonedx>
        <!--
          Enables or disables the cataloger.
          Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
          Defaults to `NEVER`.
        -->
        <active>ALWAYS</active>

        <!--
          Enables distribution artifacts for cataloging.
          Defaults to `true`.
        -->
        <distributions>true</distributions>

        <!--
          Enables files for cataloging.
          Defaults to `true`.
        -->
        <files>true</files>

        <!--
          Additional properties used when evaluating templates.
        -->
        <extraProperties>
          <!--
            Key will be capitalized and prefixed with `cyclonedx`, i.e., `cyclonedxFoo`.
          -->
          <foo>bar</foo>
        </extraProperties>

        <!--
          Archive all SBOMs.
        -->
        <pack>
          <!--
            Enables or disables archiving.
            Defaults to `false`.
          -->
          <enabled>true</enabled>

          <!--
            Defines the name of the archive.
            Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
          -->
          <name>{{projectName}}-{{projectVersion}}-sboms</name>
        </pack>

        <!--
          Version of tool to use.
          If unspecified, will use 1.27.1.
        -->
        <version>0.28.2</version>

        <!--
          Target SBOM format(s).
          If unspecified, [`JSON`].
        -->
        <formats>
          <format>JSON</format>
          <format>XML</format>
        </formats>
      </cyclonedx>
    </sbom>
  </catalog>
</jreleaser>

Gradle

jreleaser {
  catalog {
    sbom {
      cyclonedx {
        // Enables or disables the cataloger.
        // Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
        // Defaults to `NEVER`.
        active = 'ALWAYS'

        // Enables distribution artifacts for cataloging.
        // Defaults to `true`.
        distributions = true

        // Enables files for cataloging.
        // Defaults to `true`.
        files = true

        // Additional properties used when evaluating templates.
        // Key will be capitalized and prefixed with `cyclonedx`, i.e., `cyclonedxFoo`.
        extraProperties.put('foo', 'bar')

        // Archive all SBOMs.
        pack {
          // Enables or disables archiving.
          // Defaults to `false`.
          enabled = true

          // Defines the name of the archive.
          // Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
          name = '{{projectName}}-{{projectVersion}}-sboms'
        }

        // Version of tool to use.
        // If unspecified, will use 1.27.1.
        version = '0.28.2'

        // Target SBOM format(s).
        // If unspecified, [`JSON`].
        format('JSON')
        format('XML')
      }
    }
  }
}

Environment

When not explicitly set, the value of the following properties may be resolved from an environment variable or a system property as shown in the table. The system property takes precedence over the environment variable.

Property   System Property                           Environment Variable
active     jreleaser.catalog.sbom.cyclonedx.active   JRELEASER_CATALOG_SBOM_CYCLONEDX_ACTIVE

Formats

The CycloneDX cataloger supports the following formats:

  • JSON

  • XML

  • PROTOBUF

Skip Cataloging

Distributions and artifacts may define extra properties that exclude them from cataloging. These properties must follow these rules:

  • skipSbom: skipped from all catalogers.

  • skipSbomCyclonedx: skipped from this cataloger.
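The following YAML fragment is an added example, not taken from the JReleaser documentation, showing where the two skip properties are placed: on a distribution and on a file artifact, each under its own `extraProperties`. The distribution names (`app`, `app-docs`), the artifact paths and the `files.artifacts` layout are assumptions for illustration; only the `skipSbom` and `skipSbomCyclonedx` keys come from the text above.

```yaml
catalog:
  sbom:
    cyclonedx:
      active: ALWAYS
      formats:
        - JSON
        - XML

distributions:
  # Assumed distribution name; this one carries no skip property,
  # so its artifacts are inventoried in the CycloneDX SBOM.
  app:
    artifacts:
      - path: target/app-{{projectVersion}}.zip

  # Assumed distribution name; skipSbom removes it from every
  # SBOM cataloger, not just CycloneDX.
  app-docs:
    extraProperties:
      skipSbom: true
    artifacts:
      - path: target/app-docs-{{projectVersion}}.zip

files:
  artifacts:
    # Assumed path; skipSbomCyclonedx removes this file from the
    # CycloneDX cataloger only, so any other enabled cataloger
    # still records it.
    - path: target/checksums.txt
      extraProperties:
        skipSbomCyclonedx: true
```

Every artifact skipped this way is a gap in the published inventory, so prefer the narrower `skipSbomCyclonedx` when another cataloger is expected to cover the artifact, and reserve `skipSbom` for artifacts that genuinely should not appear in any SBOM.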