Syft

Generates SBOMs using Syft. Multiple formats may be used at the same time.

Catalogs may be checksummed and signed when packed.

Individual and/or packed catalogs may be uploaded and released.

Snapshots are not allowed.

Configuration

Legend:

  • required

  • optional

  • may use environment variable

  • accepts Name Templates

YAML

catalog:
  sbom:
    # 
    syft:
      # Catalogers require a name.
      # 
      app:

        # Enables or disables the cataloger.
        # Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
        # Defaults to `NEVER`.
        #  
        active: ALWAYS

        # Enables distribution artifacts for cataloging.
        # Defaults to `true`.
        # 
        distributions: true

        # Enables files for cataloging.
        # Defaults to `true`.
        # 
        files: true

        # Additional properties used when evaluating templates.
        # 
        extraProperties:
          # Key will be capitalized and prefixed with `syft`, i.e. `syftFoo`.
          foo: bar

        # Archive all SBOMs.
        # 
        pack:
          # Enables or disables archiving.
          # Defaults to `false`.
          # 
          enabled: true

          # Defines the name of the archive.
          # Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
          # 
          name: '{{projectName}}-{{projectVersion}}-sboms'

        # Version of tool to use.
        # If unspecified, will use 1.2.0.
        # 
        version: 1.2.0

        # Target SBOM format(s).
        # If unspecified, [`SPDX_JSON`].
        # 
        formats:
          - SPDX_JSON
          - CYCLONEDX_JSON

TOML

[catalog.sbom.syft]

  # Enables or disables the cataloger.
  # Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  #  
  active = "ALWAYS"

  # Enables distribution artifacts for cataloging.
  # Defaults to `true`.
  # 
  distributions = true

  # Enables files for cataloging.
  # Defaults to `true`.
  # 
  files = true

  # Additional properties used when evaluating templates.
  # Key will be capitalized and prefixed with `syft`, i.e. `syftFoo`.
  extraProperties.foo = "bar"

  # Archive all SBOMs.
  # Enables or disables archiving.
  # Defaults to `false`.
  pack.enabled = true

  # Defines the name of the archive.
  # Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
  # 
  pack.name = "{{projectName}}-{{projectVersion}}-sboms"

  # Version of tool to use.
  # If unspecified, will use 1.2.0.
  # 
  version = "1.2.0"

  # Target SBOM format(s).
  # If unspecified, [`SPDX_JSON`].
  # 
  formats = ["SPDX_JSON", "CYCLONEDX_JSON"]

JSON

{
  "catalog": {
    "sbom": {
      // 
      "syft": {
        // Enables or disables the cataloger.
        // Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
        // Defaults to `NEVER`.
        //  
        "active": "ALWAYS",

        // Enables distribution artifacts for cataloging.
        // Defaults to `true`.
        // 
        "distributions": true,

        // Enables files for cataloging.
        // Defaults to `true`.
        // 
        "files": true,

        // Additional properties used when evaluating templates.
        "extraProperties": {
          // Key will be capitalized and prefixed with `syft`, i.e. `syftFoo`.
          "foo": "bar"
        },

        // Archive all SBOMs.
        // 
        "pack": {
          // Enables or disables archiving.
          // Defaults to `false`.
          "enabled": true,

          // Defines the name of the archive.
          // Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
          "name": "{{projectName}}-{{projectVersion}}-sboms"
        },

        // Version of tool to use.
        // If unspecified, will use 1.2.0.
        "version": "1.2.0",

        // Target SBOM format(s).
        // If unspecified, [`SPDX_JSON`].
        "formats": [
          "SPDX_JSON",
          "CYCLONEDX_JSON"
        ]
      }
    }
  }
}

Maven

<jreleaser>
  <catalog>
    <sbom>
      <syft>
        <!--
          Enables or disables the cataloger.
          Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
          Defaults to `NEVER`.
           
        -->
        <active>ALWAYS</active>

        <!--
          Enables distribution artifacts for cataloging.
          Defaults to `true`.
          
        -->
        <distributions>true</distributions>

        <!--
          Enables files for cataloging.
          Defaults to `true`.
          
        -->
        <files>true</files>

        <!--
          Additional properties used when evaluating templates.
          
        -->
        <extraProperties>
          <!--
            Key will be capitalized and prefixed with `syft`, i.e. `syftFoo`.
          -->
          <foo>bar</foo>
        </extraProperties>

        <!--
          Archive all SBOMs.
          
        -->
        <pack>
          <!--
            Enables or disables archiving.
            Defaults to `false`.
            
          -->
          <enabled>true</enabled>

          <!--
            Defines the name of the archive.
            Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
            
          -->
          <name>{{projectName}}-{{projectVersion}}-sboms</name>
        </pack>

        <!--
          Version of tool to use.
          If unspecified, will use 1.2.0.
        -->
        <version>1.2.0</version>

        <!--
          Target SBOM format(s).
          If unspecified, [`SPDX_JSON`].
        -->
        <formats>
          <format>SPDX_JSON</format>
          <format>CYCLONEDX_JSON</format>
        </formats>
      </syft>
    </sbom>
  </catalog>
</jreleaser>

Gradle

jreleaser {
  catalog {
    sbom {
      syft {
        // Enables or disables the cataloger.
        // Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
        // Defaults to `NEVER`.
        //  
        active = 'ALWAYS'

        // Enables distribution artifacts for cataloging.
        // Defaults to `true`.
        // 
        distributions = true

        // Enables files for cataloging.
        // Defaults to `true`.
        // 
        files = true

        // Additional properties used when evaluating templates.
        // Key will be capitalized and prefixed with `syft`, i.e. `syftFoo`.
        // 
        extraProperties.put('foo', 'bar')

        // Archive all SBOMs.
        // 
        pack {
          // Enables or disables archiving.
          // Defaults to `false`.
          // 
          enabled = true

          // Defines the name of the archive.
          // Defaults to `{{projectName}}-{{projectVersion}}-sboms`.
          // 
          name = '{{projectName}}-{{projectVersion}}-sboms'
        }

        // Version of tool to use.
        // If unspecified, will use 1.2.0.
        version = '1.2.0'

        // Target SBOM format(s).
        // If unspecified, [`SPDX_JSON`].
        format('SPDX_JSON')
        format('CYCLONEDX_JSON')
      }
    }
  }
}

Environment

When not explicitly set, the value of the following properties may be resolved from an environment variable or a system property as shown in the table. The system property takes precedence over the environment variable.

Property   System Property                       Environment Variable
active     jreleaser.catalog.sbom.syft.active    JRELEASER_CATALOG_SBOM_SYFT_ACTIVE

Formats

The Syft cataloger supports the following formats:

  • SYFT_JSON

  • CYCLONEDX_XML

  • CYCLONEDX_JSON

  • GITHUB_JSON

  • SPDX_JSON

  • TABLE

  • TEXT

Skip Cataloging

Distributions and artifacts may define extra properties that exclude them from cataloging. These properties must conform to the following rules:

  • skipSbom: skipped from all catalogers.

  • skipSbomSyft: skipped from this cataloger.
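The following is an added example, not JReleaser's own code: a small pre-release checker that applies the rules stated in the Configuration, Environment, Formats and Skip Cataloging sections above, so the effective Syft cataloger settings can be reviewed before a release is cut. It assumes the configuration is handed in as JSON (the page's JSON block with comments removed), that distributions carry their own `extraProperties` map, and that Java system properties are passed in as a plain dict; the distribution names `app`, `app-legacy` and `docs` are constructed for the sample.

```python
"""Added example (not JReleaser's own code): checks the effective settings of
the Syft SBOM cataloger against the rules this page states.

Assumptions (not from the page): config arrives as JSON, distributions carry
an `extraProperties` map, Java system properties are passed as a dict.
"""
import json
import os

# Formats listed on the page as supported by the Syft cataloger.
SUPPORTED_FORMATS = {
    "SYFT_JSON", "CYCLONEDX_XML", "CYCLONEDX_JSON",
    "GITHUB_JSON", "SPDX_JSON", "TABLE", "TEXT",
}
ACTIVE_VALUES = {"NEVER", "ALWAYS", "RELEASE", "SNAPSHOT"}
SYSTEM_PROPERTY = "jreleaser.catalog.sbom.syft.active"
ENV_VARIABLE = "JRELEASER_CATALOG_SBOM_SYFT_ACTIVE"

# Constructed sample: the page's JSON block without comments, plus three
# hypothetical distributions that exercise the skipSbom/skipSbomSyft rules.
SAMPLE_CONFIG = json.loads("""
{
  "catalog": {
    "sbom": {
      "syft": {
        "distributions": true,
        "files": true,
        "pack": {"enabled": true},
        "formats": ["SPDX_JSON", "CYCLONEDX_JSON"]
      }
    }
  },
  "distributions": {
    "app": {"extraProperties": {}},
    "app-legacy": {"extraProperties": {"skipSbomSyft": true}},
    "docs": {"extraProperties": {"skipSbom": true}}
  }
}
""")


def resolve_active(syft_cfg, system_properties=None, environ=None):
    """Precedence from the Environment section: explicit config value, then the
    system property, then the environment variable, then the default NEVER."""
    system_properties = system_properties or {}
    environ = os.environ if environ is None else environ
    value = (syft_cfg.get("active")
             or system_properties.get(SYSTEM_PROPERTY)
             or environ.get(ENV_VARIABLE)
             or "NEVER")
    value = str(value).upper()
    if value not in ACTIVE_VALUES:
        raise ValueError(f"unsupported active value: {value}")
    return value


def is_active(active, snapshot):
    """Whether the cataloger runs. The page states snapshots are not allowed,
    so a snapshot release never triggers it; otherwise ALWAYS and RELEASE do."""
    if snapshot:
        return False
    return active in ("ALWAYS", "RELEASE")


def validate_formats(syft_cfg):
    """Requested formats (default [SPDX_JSON]); unknown formats are rejected."""
    formats = syft_cfg.get("formats") or ["SPDX_JSON"]
    unknown = sorted(set(formats) - SUPPORTED_FORMATS)
    if unknown:
        raise ValueError(f"unsupported SBOM format(s): {unknown}")
    return list(formats)


def skipped_distributions(config):
    """Distributions excluded from this cataloger: skipSbom applies to all
    catalogers, skipSbomSyft to the Syft cataloger only."""
    skipped = []
    for name, dist in config.get("distributions", {}).items():
        props = dist.get("extraProperties", {})
        if props.get("skipSbom") or props.get("skipSbomSyft"):
            skipped.append(name)
    return sorted(skipped)


def pack_name(syft_cfg, project_name, project_version):
    """Render the archive name template, using the page's default when unset."""
    template = syft_cfg.get("pack", {}).get(
        "name", "{{projectName}}-{{projectVersion}}-sboms")
    return (template.replace("{{projectName}}", project_name)
                    .replace("{{projectVersion}}", project_version))


if __name__ == "__main__":
    syft = SAMPLE_CONFIG["catalog"]["sbom"]["syft"]
    active = resolve_active(syft, {SYSTEM_PROPERTY: "RELEASE"},
                            {ENV_VARIABLE: "ALWAYS"})
    print("active:", active, "runs for release:", is_active(active, False))
    print("formats:", validate_formats(syft))
    print("skipped:", skipped_distributions(SAMPLE_CONFIG))
    print("archive:", pack_name(syft, "app", "1.0.0"))
```

Running the script with the sample shows the system property winning over the environment variable, the two formats from the page validated, and `app-legacy` and `docs` reported as excluded from the Syft cataloger while `app` is cataloged.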