safedep/vet
1
0
Fork 0
mirror of https://github.com/safedep/vet.git synced 2025-12-11 09:25:44 -06:00
Code Issues Packages Projects Releases 68 Wiki Activity

update dependency inventory doc

Browse Source
This commit is contained in:
Hardik Nanda 2024-09-14 12:35:50 +05:30
parent 26d68d49de
commit d0884a2ee5
3 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
docs/docs/guides/dependency-inventory.md
View File

@ -3,3 +3,55 @@ draft: true
---
# Dependency Inventory
## CycloneDX Plugin Integration
An official [plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin) can be used with build automation tools such as Gradle, Maven, etc. to generate Software Bill of Materials(SBOM) for a Java/Android/Kotlin projects.
### Gradle Plugin Integration
The gradle plugin for generating cyclonedx sbom file has to be integrated into the build script i.e. `build.gradle` file.
```groovy
plugins {
id 'org.cyclonedx.bom' version '1.10.0'
}
cyclonedxBom {
includeConfigs = ["runtimeClasspath"]
skipConfigs = ["compileClasspath", "testCompileClasspath"]
skipProjects = [rootProject.name, "yourTestSubProject"]
projectType = "application"
schemaVersion = "1.6"
destination = file("build/reports")
outputName = "bom"
outputFormat = "json"
includeBomSerialNumber = false
includeLicenseText = false
includeMetadataResolution = true
componentVersion = "2.0.0"
componentName = "my-component"
}
```
Based on requirements, `includeConfigs` and `skipConfigs` properties in `cyclonedxBom` can be modified to only include runtime, compile-time, or implementation dependencies in the sbom artifact(s). Additionaly, in a multi-build project, `skipProjects` property can be used to exclude dependency resolution for a sub-project, thus reducing the noise.
### SBOM Generation
Now, to generate sbom artifacts, do a clean build of the project using its respective build tool:
`gradle cleanBuild -b build.gradle :cyclonedxBom`
![sample gradle build](docs/static/img/sample-gradle-build.png)
After a successful build, all the artifacts shall be stored in `build/reports` path, present in the project root.
## Scan SBOMs using Vet
Vet supports scanning of SBOM files in both SPDX and CycloneDX format. Depending upon the plugin and build tool being used, appropriate parsers can be used to scan the artifacts for a vulnerability report.
```
vet scan --lockfiles build/reports/bom.json --lockfile-as bom-cyclonedx --report-markdown=report.md
vet scan --lockfiles build/reports/bom.json --lockfile-as bom-spdx --report-markdown=report.md
```
![vet cyclonedx scan demo](docs/static/img/vet-cyclonedx-scan-demo.png)

BIN
docs/static/img/sample-gradle-build.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
docs/static/img/vet-cyclonedx-scan-demo.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 112 KiB