Article
In the wake of software supply chain attacks and new regulatory requirements, understanding exactly what is in your application has never been more critical. For Java applications, which often comprise hundreds of transitive dependencies, this is a daunting task. This is where a Software Bill of Materials (SBOM) and a tool like Syft come into play. Syft is a powerful, open-source CLI tool that generates accurate SBOMs from your Java artifacts, giving you a complete inventory of your software components.
What is Syft and Why Do Java Developers Need It?
Syft is a command-line tool from Anchore that statically analyzes container images, file systems, and archives to generate a detailed SBOM. It supports a wide array of formats, and crucially for the Java ecosystem, it excels at parsing:
- Packaged Archives:
.jar,.war, and.earfiles - Build Artifacts: Directly from a
target/directory - Container Images: That contain your Java application
An SBOM is a formal, machine-readable inventory of all components and libraries in your software. For Java developers, Syft answers the fundamental question: "What open-source libraries are actually in my application, including the ones I didn't directly declare?"
Why SBOM Generation is Essential for Modern Java Development
- Transitive Dependency Clarity: Your
pom.xmlorbuild.gradleonly lists your direct dependencies. Syft reveals the full tree of transitive dependencies (the dependencies of your dependencies), which is where most hidden vulnerabilities lurk. - Supply Chain Security: When a new vulnerability like Log4Shell is disclosed, you need to know instantly if you are affected. An SBOM acts as a "list of ingredients," allowing you to rapidly search for vulnerable components across all your applications.
- License Compliance: An SBOM lists the licenses of all components, helping your legal and compliance teams avoid risks associated with license violations.
- DevSecOps Enablement: SBOMs are the foundational data source for modern security tools. You can feed an SBOM generated by Syft into a vulnerability scanner (like Grype, its sister project) or a policy engine to automate security checks.
How to Generate an SBOM for a Java Project with Syft
Using Syft is straightforward. Once you have installed Syft, you can point it at any Java artifact.
Scenario 1: Scanning a Packaged JAR/WAR File
This is the most common method. After building your project (e.g., with mvn package), you simply run Syft against the resulting artifact.
# Scan a Spring Boot JAR syft my-spring-boot-app/target/my-app-0.0.1.jar # Scan a packaged WAR file syft my-webapp/target/my-webapp.war # Output in a specific format (JSON is the default) syft my-app.jar -o json syft my-app.jar -o spdx-json syft my-app.jar -o cyclonedx-json
Scenario 2: Scanning a Directory (e.g., during a CI build)
You can also scan an entire directory, which is useful in CI pipelines before the final artifact is packaged.
# Scan the entire target/ directory, which includes dependencies syft dir:/path/to/my/java-project/target/
Scenario 3: Scanning a Container Image containing your Java App
If your Java application is already containerized, Syft can scan the image directly.
# Scan a Docker image built from your Java app syft my-registry.com/my-team/my-java-app:latest
Understanding the Output: A Java Example
The power of Syft is in its detailed output. Here’s a simplified example of what it finds in a typical Spring Boot JAR.
Command:
syft my-app.jar -o cyclonedx-json
Sample Output Snippet:
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"components": [
{
"type": "library",
"bom-ref": "pkg:maven/org.springframework.boot/[email protected]",
"name": "spring-boot-starter-web",
"version": "2.7.0",
"purl": "pkg:maven/org.springframework.boot/[email protected]"
},
{
"type": "library",
"bom-ref": "pkg:maven/org.springframework/[email protected]",
"name": "spring-web",
"version": "5.3.20",
"purl": "pkg:maven/org.springframework/[email protected]"
},
{
"type": "library",
"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"name": "jackson-databind",
"version": "2.13.3",
"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
},
{
"type": "library",
"bom-ref": "pkg:maven/org.apache.logging.log4j/[email protected]",
"name": "log4j-core",
"version": "2.17.2",
"purl": "pkg:maven/org.apache.logging.log4j/[email protected]"
}
]
}
Notice that Syft has identified not just the direct dependency spring-boot-starter-web, but also its transitive dependencies like spring-web, jackson-databind, and log4j-core. Each component is identified using a package URL (purl), a standard identifier that precisely describes the package name, ecosystem (Maven), and version.
Integrating Syft into Your Java CI/CD Pipeline
To make SBOM generation a natural part of your process, integrate Syft into your CI/CD pipeline.
Example GitHub Action Workflow:
name: Build and Generate SBOM on: [push] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Set up JDK 17 uses: actions/setup-java@v3 with: java-version: '17' distribution: 'temurin' - name: Build with Maven run: mvn -B package --file pom.xml - name: Generate SBOM with Syft run: | curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin syft target/my-app-*.jar -o cyclonedx-json > sbom.json - name: Upload SBOM uses: actions/upload-artifact@v3 with: name: sbom path: sbom.json
Best Practices for Java SBOMs with Syft
- Scan the Final Artifact: Always scan the JAR/WAR file that you intend to deploy, as this reflects the exact dependencies that were packaged.
- Use Standard Formats: Prefer standard formats like CycloneDX or SPDX for interoperability with other security tools.
- Generate SBOMs Automatically: Integrate Syft into your CI pipeline so an SBOM is created with every build, ensuring it's always up-to-date.
- Store and Distribute SBOMs: Attach the SBOM to your release artifacts and container images. This practice is becoming a requirement for many regulatory frameworks and customers.
- Chain with Grype for Scanning: Use the generated SBOM with Grype, Anchore's vulnerability scanner, to immediately check for known vulnerabilities:
grype sbom:sbom.json.
Conclusion
For Java developers, Syft is a simple yet transformative tool that brings clarity and security to the complex world of open-source dependencies. By automatically generating a comprehensive SBOM, you move from uncertainty to a precise, actionable understanding of your application's makeup. This is no longer just a best practice—it is a fundamental requirement for building secure, compliant, and trustworthy software in today's interconnected ecosystem.
Secure Java Dependency Management, Vulnerability Scanning & Software Supply Chain Protection (SBOM, SCA, CI Security & License Compliance)
https://macronepal.com/blog/github-code-scanning-in-java-complete-guide/
Explains GitHub Code Scanning for Java using tools like CodeQL to automatically analyze source code and detect security vulnerabilities directly inside CI/CD pipelines before deployment.
https://macronepal.com/blog/license-compliance-in-java-comprehensive-guide/
Explains software license compliance in Java projects, ensuring dependencies follow legal requirements (MIT, Apache, GPL, etc.) and preventing license violations in enterprise software.
https://macronepal.com/blog/container-security-for-java-uncovering-vulnerabilities-with-grype/
Explains using Grype to scan Java container images and filesystems for known CVEs in OS packages and application dependencies to improve container security.
https://macronepal.com/blog/syft-sbom-generation-in-java-comprehensive-software-bill-of-materials-for-jvm-applications/
Explains using Syft to generate SBOMs (Software Bill of Materials) for Java applications, listing all dependencies, libraries, and components for supply chain transparency.
https://macronepal.com/blog/comprehensive-dependency-analysis-generating-and-scanning-sboms-with-trivy-for-java/
Explains using Trivy to generate SBOMs and scan Java dependencies and container images for vulnerabilities, integrating security checks into CI/CD pipelines.
https://macronepal.com/blog/dependabot-for-java-in-java/
Explains GitHub Dependabot for Java projects, which automatically detects vulnerable dependencies and creates pull requests to update them securely.
https://macronepal.com/blog/parasoft-jtest-in-java-comprehensive-guide-to-code-analysis-and-testing/
Explains Parasoft Jtest, a static analysis and testing tool for Java that helps detect bugs, security issues, and code quality problems early in development.
https://macronepal.com/blog/snyk-open-source-in-java-comprehensive-dependency-vulnerability-management-2/
Explains Snyk Open Source for Java, which continuously scans dependencies for vulnerabilities and provides automated fix suggestions and monitoring.
https://macronepal.com/blog/owasp-dependency-check-in-java-complete-vulnerability-scanning-guide/
Explains OWASP Dependency-Check, which scans Java dependencies against the National Vulnerability Database (NVD) to detect known security vulnerabilities.
https://macronepal.com/blog/securing-your-dependencies-a-java-developers-guide-to-whitesource-mend-bolt/
Explains Mend (WhiteSource) Bolt for Java, a dependency management and SCA tool that provides vulnerability detection, license compliance, and security policy enforcement in enterprise environments.