In this guide, we look at generating a Software Bill of Materials (SBOM) for the Java/Maven ecosystem and underline the importance of Software Composition Analysis (SCA) in safeguarding the security and integrity of Java applications.


What is Maven and Java?

Maven is a build automation tool used primarily for Java projects. It is designed to manage a project’s build, reporting, and documentation from a central piece of information known as a Project Object Model (POM).


Understanding SBOMs and SCA

A Software Bill of Materials (SBOM) is a detailed catalog of all software components and dependencies in a project. Maintaining an accurate SBOM in the Java/Maven ecosystem is essential due to the dynamic nature of Maven libraries. SCA tools assist in identifying and managing vulnerabilities in these components, ensuring your applications remain secure.


Generating an SBOM for Java/Maven with Syft

Throughout our testing, Syft generated the most well-formed SBOM. As such, Syft is our chosen tool for generating SBOMs. Additionally, Syft offers compliance capabilities with SPDX/CycloneDX specifications and compatibility with Vigiles.

The Steps to Generating an SBOM with Syft:

1. If you do not already have Syft download, start by installing this tool:

`curl -sSfL | sh -s -- -b /usr/local/bin v1.3.0`

2. Once you have the tool installed, change the directory to your project/application directory.

3. With that step complete, we can install the dependencies:

`mvn install`

4. Optionally, if transitive dependencies are required, you can run the following step:

`mvn dependency:copy-dependencies`

5. Now let’s generate the SBOM by running the below command:

`syft scan dir:./ -o spdx-json=maven.json`


How do You Generate a Vulnerability Report with Vigiles?

Vigiles, a robust tool from Timesys, offers comprehensive SBOM management, vulnerability monitoring, and remediation. To view the SBOM generated by Syft and generate a vulnerability report with Vigiles, follow these steps:

  • Upload to Vigiles using the WebUI or using the vigiles-cli tool as shown below. Once uploaded, the tool will return a URL to the webUI.
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`

Note: Remember, an active Vigiles Enterprise subscription is needed. If you’d like to try Vigiles Prime for free for 30-days, you can register to do so here.


Sample SBOM WebUI View

Within the Vigiles WebUI, you can see detailed SBOM component information, including the name, version, and license of each component.


Sample Vulnerability View

In the view below, all vulnerabilities tied to each package and the available fixes are displayed.


Vigiles retrieves data from multiple security advisories, such as NVD, OSV (GitHub Security Advisory), PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, and RConsortium Advisory.


Limitations of Maven/Java

At the present time, Syft lacks some elements specified in the NTIA minimum elements for an SBOM. The CycloneDX JSON format is missing the following fields:

  • Supplier
  • License information


An Accurate and Enhanced SBOM and Vulnerability Management Process

The combination of Syft and Vigiles delivers an effective solution for generating and managing SBOMs in the Java/Maven ecosystem. Syft’s excellence in creating detailed SBOMs is enhanced by Vigiles’ extensive vulnerability monitoring and remediation capabilities, keeping your software secure and compliant with industry standards.

Vigiles brings several advantages that make it a perfect partner to Syft:

  • Curated CVE Database: Achieve better accuracy in CVE reporting with a meticulously curated database.
  • Continuous Security Feed: Stay ahead of vulnerabilities with updates that align with your SBOMs.
  • Advanced Filtering & Triage Tools: Rapidly identify and prioritize vulnerabilities, simplifying the remediation process.
  • Compliance Support: Easily meet industry compliance requirements for cybersecurity documentation and SBOM management.
  • Integration & Collaboration: Integrate seamlessly with major Linux build systems and collaborate effectively through tools like Jira.

Level Up Your Software Security with Vigiles Today

Take advantage of the full benefits of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and discover how it can simplify your vulnerability management process, protect your software, and accelerate compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and start your journey towards more secure development.



Tools Evaluated