Article
In the era of software supply chain security, knowing your application's dependencies is no longer optional—it's a critical requirement. Trivy, the versatile open-source security scanner, has evolved beyond vulnerability detection to become a powerful tool for Software Bill of Materials (SBOM) generation and analysis. For Java teams, Trivy offers a straightforward way to create, analyze, and monitor SBOMs throughout the application lifecycle.
What is Trivy SBOM Scanning?
Trivy's SBOM capabilities allow you to:
- Generate SBOMs in standard formats (SPDX, CycloneDX) from various artifacts
- Scan existing SBOMs for vulnerabilities and license issues
- Analyze dependencies across different levels: filesystems, container images, and repositories
- Integrate SBOM generation into CI/CD pipelines for continuous monitoring
For Java applications, this means comprehensive visibility into your Maven or Gradle dependencies, including transitive dependencies that often hide security risks.
Why SBOM Generation is Critical for Java Applications
Java's extensive use of open-source libraries makes SBOM generation essential:
- Transitive Dependency Management: A typical Spring Boot application can pull in 100+ transitive dependencies—SBOMs make them visible.
- Vulnerability Impact Analysis: When a new CVE emerges, an SBOM lets you instantly determine if you're affected.
- License Compliance: Track licenses across all dependencies to avoid legal issues.
- Audit and Compliance: Meet regulatory requirements like Executive Order 14028, FDA guidelines, and cybersecurity frameworks.
Installing and Setting Up Trivy
Quick Installation Options:
# Using curl curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin # On macOS with Homebrew brew install trivy # Using Docker docker pull aquasec/trivy:latest
Verify Installation:
trivy --version
Generating SBOMs for Java Projects
1. Generating SBOM from a Java Project Directory
Trivy can scan your project directory and generate an SBOM from your build files:
# Generate SPDX format SBOM trivy fs --format spdx-json --output sbom.spdx.json /path/to/java/project # Generate CycloneDX format SBOM trivy fs --format cyclonedx --output sbom.cyclonedx.json /path/to/java/project # For a Maven project trivy fs --format cyclonedx --output sbom.xml ./my-spring-boot-app/ # For a Gradle project trivy fs --format spdx-json --output sbom.json ./my-gradle-app/
2. Generating SBOM from Built Artifacts
Scan JAR, WAR, or container images to see the actual packaged dependencies:
# Scan a JAR file trivy fs --format cyclonedx my-app/target/my-app-1.0.0.jar # Scan a Docker image containing your Java app trivy image --format cyclonedx my-registry.com/my-java-app:latest # Scan a directory containing multiple JARs trivy fs --format spdx-json ./target/dependency/
Understanding Trivy SBOM Output for Java
Sample CycloneDX Output:
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:12345678-1234-1234-1234-123456789012",
"version": 1,
"metadata": {
"timestamp": "2023-10-27T10:00:00Z",
"component": {
"type": "application",
"bom-ref": "pkg:maven/com.mycompany/[email protected]",
"name": "my-spring-app",
"version": "1.0.0"
}
},
"components": [
{
"type": "library",
"bom-ref": "pkg:maven/org.springframework.boot/[email protected]",
"name": "spring-boot-starter-web",
"version": "2.7.0",
"purl": "pkg:maven/org.springframework.boot/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:FilePath",
"value": "/home/project/pom.xml"
}
]
},
{
"type": "library",
"bom-ref": "pkg:maven/org.springframework/[email protected]",
"name": "spring-web",
"version": "5.3.20",
"purl": "pkg:maven/org.springframework/[email protected]"
},
{
"type": "library",
"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"name": "jackson-databind",
"version": "2.13.3",
"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
}
]
}
Scanning SBOMs for Vulnerabilities
Once you have an SBOM, you can scan it for vulnerabilities:
1. Scan Generated SBOM Files:
# Scan an SBOM file for vulnerabilities trivy sbom sbom.cyclonedx.json # Scan with specific output format trivy sbom --format table sbom.spdx.json # Scan and output results to file trivy sbom --output vulnerabilities.txt sbom.cyclonedx.json # Scan with severity filter trivy sbom --severity HIGH,CRITICAL sbom.json
2. Combined SBOM Generation and Scanning:
# Generate SBOM and scan in one command trivy fs --format cyclonedx --scan /path/to/java/project # For container images trivy image --format cyclonedx --scan my-java-app:latest
Integrating Trivy SBOM Scanning into Java CI/CD
1. GitHub Actions Workflow:
name: SBOM Generation and Security Scan on: push: branches: [ main ] pull_request: branches: [ main ] jobs: sbom-scan: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 - name: Set up JDK 17 uses: actions/setup-java@v3 with: java-version: '17' distribution: 'temurin' - name: Build application run: mvn clean compile -DskipTests - name: Run Trivy SBOM scan uses: aquasecurity/trivy-action@master with: scan-type: 'fs' scan-ref: '.' format: 'cyclonedx' output: 'sbom.cyclonedx.json' severity: 'HIGH,CRITICAL' - name: Upload SBOM artifact uses: actions/upload-artifact@v3 with: name: sbom path: sbom.cyclonedx.json - name: Scan SBOM for vulnerabilities run: | trivy sbom --exit-code 1 --severity HIGH,CRITICAL sbom.cyclonedx.json
2. GitLab CI Pipeline:
stages: - build - sbom - security generate-sbom: stage: sbom image: name: aquasec/trivy:latest entrypoint: [""] before_script: - apk add --no-cache maven openjdk17 script: - mvn clean compile -DskipTests - trivy fs --format cyclonedx --output sbom.cyclonedx.json . artifacts: paths: - sbom.cyclonedx.json expire_in: 1 week scan-sbom: stage: security image: aquasec/trivy:latest dependencies: - generate-sbom script: - trivy sbom --exit-code 1 --severity HIGH,CRITICAL sbom.cyclonedx.json
Advanced Trivy SBOM Configuration
1. Custom SBOM Configuration:
Create a .trivyignore file to exclude false positives or accepted risks:
# .trivyignore # Accept risk for specific vulnerability in a specific version CVE-2021-44228 in log4j-core 2.14.1 # Ignore vulnerability in all versions of a component CVE-2022-12345 in jackson-databind # Ignore by vulnerability type UNKNOWN in *
2. Using Trivy Configuration File:
# .trivy.yaml db: repository: aquasecurity/trivy-db skip-update: false sbom: formats: - cyclonedx - spdx-json output: ./reports/ severity: - HIGH - CRITICAL ignore-policies: - .trivyignore
3. Scanning with Policy Enforcement:
# Fail build on critical vulnerabilities trivy sbom --exit-code 1 --severity CRITICAL sbom.cyclonedx.json # Only report vulnerabilities with fixes available trivy sbom --ignore-unfixed sbom.json # Include vulnerability descriptions trivy sbom --format json --output trivy-results.json sbom.cyclonedx.json
Java-Specific SBOM Scenarios
1. Multi-Module Maven Projects:
# Scan entire multi-module project trivy fs --format cyclonedx ./parent-project/ # Scan specific module trivy fs --format cyclonedx ./parent-project/core-module/
2. Scanning Dependency JARs:
# Copy dependencies to a directory and scan mvn dependency:copy-dependencies -DoutputDirectory=target/dependency trivy fs --format cyclonedx ./target/dependency/
3. Containerized Java Applications:
# Build the image docker build -t my-java-app:latest . # Generate SBOM from container image trivy image --format cyclonedx --output java-app-sbom.json my-java-app:latest # Scan the generated SBOM trivy sbom java-app-sbom.json
Best Practices for Java SBOM Management
- Generate SBOMs at Build Time: Create SBOMs during CI/CD builds for accurate dependency capture.
- Store SBOMs with Artifacts: Attach SBOMs to release artifacts and container images.
- Scan SBOMs Regularly: Implement continuous scanning of SBOMs as new vulnerabilities are discovered.
- Use Standard Formats: Prefer CycloneDX or SPDX for better tool compatibility.
- Version Your SBOMs: Treat SBOMs as build artifacts and version them appropriately.
- Integrate with Dependency Management: Use SBOM findings to update
pom.xmlorbuild.gradlefiles.
Sample CI/CD Pipeline with Quality Gates
name: Java SBOM Security Pipeline on: push: branches: [main] jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Setup Java and Build uses: actions/setup-java@v3 with: java-version: '17' distribution: 'temurin' - run: mvn clean package -DskipTests - name: Generate SBOM run: | trivy fs --format cyclonedx --output sbom.cyclonedx.json . - name: Security Gate - Critical Vulnerabilities run: | echo "Checking for CRITICAL vulnerabilities..." trivy sbom --exit-code 1 --severity CRITICAL sbom.cyclonedx.json - name: Security Gate - High Vulnerabilities (Report Only) run: | echo "Reporting HIGH vulnerabilities..." trivy sbom --severity HIGH sbom.cyclonedx.json || true
Conclusion
Trivy's SBOM capabilities provide Java development teams with a comprehensive solution for software supply chain security. By generating standardized SBOMs and scanning them for vulnerabilities, teams can maintain continuous visibility into their dependency landscape, respond quickly to new threats, and meet compliance requirements.
The integration of Trivy SBOM scanning into Java CI/CD pipelines creates a robust security posture that identifies risks early in the development process. For organizations serious about software supply chain security, Trivy offers an open-source, enterprise-ready solution that scales from single applications to complex microservices architectures, ensuring that Java applications remain secure from dependency-related threats throughout their lifecycle.
Advanced Java Supply Chain Security, Kubernetes Hardening & Runtime Threat Detection
Sigstore Rekor in Java – https://macronepal.com/blog/sigstore-rekor-in-java/
Explains integrating Sigstore Rekor into Java systems to create a transparent, tamper-proof log of software signatures and metadata for verifying supply chain integrity.
Securing Java Applications with Chainguard Wolfi – https://macronepal.com/blog/securing-java-applications-with-chainguard-wolfi-a-comprehensive-guide/
Explains using Chainguard Wolfi minimal container images to reduce vulnerabilities and secure Java applications with hardened, lightweight runtime environments.
Cosign Image Signing in Java Complete Guide – https://macronepal.com/blog/cosign-image-signing-in-java-complete-guide/
Explains how to digitally sign container images using Cosign in Java-based workflows to ensure authenticity and prevent unauthorized modifications.
Secure Supply Chain Enforcement Kyverno Image Verification for Java Containers – https://macronepal.com/blog/secure-supply-chain-enforcement-kyverno-image-verification-for-java-containers/
Explains enforcing Kubernetes policies with Kyverno to verify container image signatures and ensure only trusted Java container images are deployed.
Pod Security Admission in Java Securing Kubernetes Deployments for JVM Applications – https://macronepal.com/blog/pod-security-admission-in-java-securing-kubernetes-deployments-for-jvm-applications/
Explains Kubernetes Pod Security Admission policies that enforce security rules like restricted privileges and safe configurations for Java workloads.
Securing Java Applications at Runtime Kubernetes Security Context – https://macronepal.com/blog/securing-java-applications-at-runtime-a-guide-to-kubernetes-security-context/
Explains how Kubernetes security contexts control runtime permissions, user IDs, and access rights for Java containers to improve isolation.
Process Anomaly Detection in Java Behavioral Monitoring – https://macronepal.com/blog/process-anomaly-detection-in-java-comprehensive-behavioral-monitoring-2/
Explains detecting abnormal runtime behavior in Java applications to identify potential security threats using process monitoring techniques.
Achieving Security Excellence CIS Benchmark Compliance for Java Applications – https://macronepal.com/blog/achieving-security-excellence-implementing-cis-benchmark-compliance-for-java-applications/
Explains applying CIS security benchmarks to Java environments to standardize hardening and improve overall system security posture.
Process Anomaly Detection in Java Behavioral Monitoring – https://macronepal.com/blog/process-anomaly-detection-in-java-comprehensive-behavioral-monitoring/
Explains behavioral monitoring of Java processes to detect anomalies and improve runtime security through continuous observation and analysis.
JAVA CODE COMPILER