CycloneDX SBom(소프트웨어 재료 명세서) Maven 데모

cyclonedx-maven-데모



CycloneDX SBom(소프트웨어 BOM) Maven 데모

오늘날 소프트웨어 공급망을 확보하는 것은 소프트웨어 개발 및 제공 생태계에서 매우 중요한 측면입니다.

CycloneDXOWASP에서 지원하는 소프트웨어 BOM 형식입니다.

CycloneDX는 Maven pom.xml 파일에 추가된 모든 직접 및 전이 종속성을 나타내는 매우 가벼운 SBOM입니다.

CycloneDX는 다양한 프로그래밍 언어 프로젝트에서 SBOM을 생성하는 다양한 도구 세트를 제공합니다. 즉. Java, Python, Node 등 Ref. CycloneDX Tools ecosystem

이 샘플 프로젝트는 아티팩트 생성을 위해 Maven 빌드 시스템을 사용하고 있습니다. cyclonedx-maven-plugin은 CycloneDX SBom 파일 생성에 사용됩니다.

CycloneDX SBOM 파일은 OWASPDependency Track ]( https://dependencytrack.org/ ) 애플리케이션을 사용하여 프로젝트 취약성 분석에 사용할 수 있습니다.

샘플 cyclonedx-maven-plugin 구성.

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.0</version>
    <configuration>
        <projectType>library</projectType>
        <schemaVersion>1.3</schemaVersion>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>true</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <outputFormat>all</outputFormat>
    </configuration>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>


Maven 빌드 명령을 실행하면 이름이 bom.json 및 bom.xml인 대상 폴더에 SBOM 파일이 생성됩니다.

mvn clean install


Maven 빌드 출력

[INFO] --- cyclonedx-maven-plugin:2.7.0:makeAggregateBom (default) @ cyclonedx-maven-demo ---
[INFO] CycloneDX: Parameters
[INFO] ------------------------------------------------------------------------
[INFO] schemaVersion          : 1.3
[INFO] includeBomSerialNumber : true
[INFO] includeCompileScope    : true
[INFO] includeProvidedScope   : true
[INFO] includeRuntimeScope    : true
[INFO] includeTestScope       : false
[INFO] includeSystemScope     : true
[INFO] includeLicenseText     : false
[INFO] outputReactorProjects  : true
[INFO] outputFormat           : all
[INFO] outputName             : bom
[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /home/ravi.soni/git/maven/cyclonedx-maven-demo/target/bom.json


대상 폴더에서 CycloneDX SBOM 파일 확인

[ravi.soni@GB8TRF2 cyclonedx-maven-demo] $ ls -l target/
total 17380
-rw-rw-r-- 1 ravi.soni ravi.soni    81647 Jul 14 16:05 bom.json
-rw-rw-r-- 1 ravi.soni ravi.soni    69804 Jul 14 16:05 bom.xml
drwxrwxr-x 3 ravi.soni ravi.soni     4096 Jul 14 16:05 classes
-rw-rw-r-- 1 ravi.soni ravi.soni 17619933 Jul 14 16:05 cyclonedx-maven-demo-0.0.1-SNAPSHOT.jar
-rw-rw-r-- 1 ravi.soni ravi.soni     3247 Jul 14 16:05 cyclonedx-maven-demo-0.0.1-SNAPSHOT.jar.original
drwxrwxr-x 3 ravi.soni ravi.soni     4096 Jul 14 16:05 generated-sources
drwxrwxr-x 2 ravi.soni ravi.soni     4096 Jul 14 16:05 maven-archiver
drwxrwxr-x 3 ravi.soni ravi.soni     4096 Jul 14 16:05 maven-status


프로젝트의 모든 종속성(직접 및 전이)을 확인하는 가장 좋은 방법은 Maven 명령을 실행하고 콘솔에서 인쇄하는 것입니다.

mvn dependency:tree


프로젝트의 종속성 트리를 출력합니다.

[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ cyclonedx-maven-demo ---
[INFO] com.rvsoni.maven:cyclonedx-maven-demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.7.1:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.1:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.64:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.64:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.64:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.21:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.21:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.1:test
[INFO]    +- org.springframework.boot:spring-boot-test:jar:2.7.1:test
[INFO]    +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.1:test
[INFO]    +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO]    |  +- net.minidev:json-smart:jar:2.4.8:test
[INFO]    |  |  \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO]    |  |     \- org.ow2.asm:asm:jar:9.1:test
[INFO]    |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO]    |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO]    +- org.assertj:assertj-core:jar:3.22.0:test
[INFO]    +- org.hamcrest:hamcrest:jar:2.2:test
[INFO]    +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO]    |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO]    |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO]    |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO]    |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO]    |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO]    +- org.mockito:mockito-core:jar:4.5.1:test
[INFO]    |  +- net.bytebuddy:byte-buddy:jar:1.12.11:test
[INFO]    |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.11:test
[INFO]    |  \- org.objenesis:objenesis:jar:3.2:test
[INFO]    +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO]    +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO]    |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO]    +- org.springframework:spring-core:jar:5.3.21:compile
[INFO]    |  \- org.springframework:spring-jcl:jar:5.3.21:compile
[INFO]    +- org.springframework:spring-test:jar:5.3.21:test
[INFO]    \- org.xmlunit:xmlunit-core:jar:2.9.0:test


프로젝트가 빌드되면 jq 명령을 실행하여 bom.json 파일에서 동일한 종속성 정보를 인쇄합니다.
jq '.components[]| "\(.group)/\(.name)@\(.version)" ' target/bom.json
산출

[ravi.soni@GB8TRF2 cyclonedx-maven-demo] $ jq '.components[]| "\(.group)/\(.name)@\(.version)" ' target/bom.json 
"org.springframework.boot/[email protected]"
"org.springframework.boot/[email protected]"
"org.springframework.boot/[email protected]"
"org.springframework.boot/[email protected]"
"org.springframework.boot/[email protected]"
"ch.qos.logback/[email protected]"
"ch.qos.logback/[email protected]"
"org.apache.logging.log4j/[email protected]"
"org.apache.logging.log4j/[email protected]"
"org.slf4j/[email protected]"
"jakarta.annotation/[email protected]"
"org.yaml/[email protected]"
"org.springframework.boot/[email protected]"
"com.fasterxml.jackson.core/[email protected]"
"com.fasterxml.jackson.core/[email protected]"
"com.fasterxml.jackson.core/[email protected]"
"com.fasterxml.jackson.datatype/[email protected]"
"com.fasterxml.jackson.datatype/[email protected]"
"com.fasterxml.jackson.module/[email protected]"
"org.springframework.boot/[email protected]"
"org.apache.tomcat.embed/[email protected]"
"org.apache.tomcat.embed/[email protected]"
"org.apache.tomcat.embed/[email protected]"
"org.springframework/[email protected]"
"org.springframework/[email protected]"
"org.springframework/[email protected]"
"org.springframework/[email protected]"
"org.springframework/[email protected]"
"org.springframework/[email protected]"
"org.slf4j/[email protected]"
"org.springframework/[email protected]"
"org.springframework/[email protected]"


코드: https://github.com/rvsoni/cyclonedx-maven-demo

좋은 웹페이지 즐겨찾기