Vulnerability reference¶
Project exists in Dependency-Track, but I can't see the SBOM or vulnerabilities¶
This issue likely arises from using the GitHub dependency graph resolution output JSON as an input for byosbom. This JSON format is incompatible with Dependency-track. Please use the SBOM generated by the nais/docker-build-push action instead.
To fix this, remove the similar input from your workflow:
Known limitations and alternatives¶
Due to Trivy, you'll receive a simplified dependency graph, as Trivy doesn't support Gradle or Maven's dependency resolution.
Dependency-track integrates with Trivy at runtime, ensuring that vulnerabilities from the Docker container are still detected.
Trivy directly parses the .jar files without access to full dependency resolution details.
Gradle and Maven plugins provide a deeper graph of nested transitive dependencies.
Gradle Plugin¶
Gradle
Add the following plugin to your build.gradle* file.
In your workflow you can generate a SBOM with the following gradle task command:
The SBOM will be default located at build/reports/bom.json. Pass the SBOM to the nais/docker-build-push action with the following input:
For nais/attest-sign action:
```yaml
uses: nais/attest-sign@v1
with:
sbom: build/reports/bom.json
```
For more info about settings check out the CycloneDx Gradle Plugin
Maven Plugin¶
Maven
Add the following to your pom.xml file.
<plugins>
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>makeAggregateBom</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
In your workflow you can generate a SBOM with the following maven command:
The SBOM will be default located at target/bom.json. Pass the SBOM to the nais/docker-build-push action with the following input:
For nais/attest-sign action:
```yaml
uses: nais/attest-sign@v1
with:
sbom: target/bom.json
```
For more info about settings check out the CycloneDx Maven Plugin