Syft SBOM Generation in Java: Comprehensive Software Bill of Materials for JVM Applications

In today's complex software supply chain, understanding exactly what dependencies and components comprise your Java application is crucial for security, compliance, and maintenance. Syft is a powerful open-source tool that generates Software Bill of Materials (SBOM) by scanning container images, file systems, and archives. For Java teams, Syft provides deep visibility into both OS-level packages and JVM-specific dependencies, creating a complete inventory of everything in your software artifacts.

Table of Contents

What is Syft?

Syft is a CLI tool and library from Anchore that generates SBOMs from various software artifacts. It automatically discovers packages, libraries, and dependencies across multiple ecosystems, including Java Maven and Gradle dependencies. Syft supports standard SBOM formats like SPDX and CycloneDX, making it essential for supply chain security, vulnerability management, and compliance reporting.

Why SBOM Generation is Critical for Java Applications

Supply Chain Security: Identify vulnerable dependencies quickly when new CVEs are disclosed (like Log4Shell).
License Compliance: Track open-source licenses across all dependencies to avoid legal issues.
Dependency Audit: Understand the complete dependency graph, including transitive dependencies.
Regulatory Requirements: Meet emerging software supply chain security mandates (EO 14028, SLSA).
Incident Response: Quickly determine if your application is affected by newly discovered vulnerabilities.

Syft Capabilities for Java Ecosystems

Syft provides comprehensive Java support through multiple catalogers:

Maven Dependencies: Parses pom.xml and Maven dependency trees
Gradle Dependencies: Analyzes build.gradle, build.gradle.kts, and dependency locks
JAR/WAR/EAR Analysis: Examines packaged archives for embedded dependencies
Jenkins Plugins: Catalog Jenkins plugin dependencies
OS Packages: Simultaneously scans for system packages in container images

Generating SBOMs for Java Applications

1. Basic Syft Usage for Java Projects

# Scan a directory containing Java application
syft dir:/path/to/your/java-project
# Scan a built JAR file
syft file:target/my-app-1.0.0.jar
# Scan a Docker image containing Java application
syft docker:mycompany/my-java-app:latest
# Generate specific SBOM format
syft dir:. -o spdx-json
syft dir:. -o cyclonedx-json

2. Maven Project SBOM Generation

# Generate SBOM from Maven project directory
syft dir:. --scope all-layers
# Output example for analysis
{
"artifacts": [
{
"id": "org.springframework.boot:[email protected]",
"name": "spring-boot-starter-web",
"version": "2.7.0",
"type": "java-archive",
"locations": [
{
"path": "pom.xml"
}
],
"language": "java",
"licenses": ["Apache-2.0"],
"purl": "pkg:maven/org.springframework.boot/[email protected]",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/home/project/pom.xml"
}
}
]
}

3. Integration with Java Build Process

Maven Integration:

<!-- pom.xml - Ensure proper metadata for SBOM generation -->
<project>
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>my-java-app</artifactId>
<version>1.0.0</version>
<name>My Java Application</name>
<description>Spring Boot application with SBOM generation</description>
<licenses>
<license>
<name>Apache License 2.0</name>
<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
</license>
</licenses>
<properties>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
</properties>
</project>

Gradle Integration:

// build.gradle.kts - Configure for better SBOM accuracy
plugins {
java
`maven-publish`
}
group = "com.example"
version = "1.0.0"
description = "My Java Application with SBOM support"
java {
sourceCompatibility = JavaVersion.VERSION_11
targetCompatibility = JavaVersion.VERSION_11
}

Advanced Syft Configuration for Java

1. Custom Syft Configuration File

# syft-config.yaml
package:
catalogers:
- all-java  # Enable all Java catalogers
- all-dpkg  # Enable OS package cataloging
output:
template: |
{{ range .Artifacts -}}
{{ .Name }}:{{ .Version }} | {{ .Type }} | {{ .PURL }}
{{ end -}}
log:
level: warn
structured: true

2. Java-Specific Scanning Options

# Focus only on Java dependencies
syft dir:. --catalogers java
# Include Jenkins plugins
syft dir:. --catalogers java,jenkins-plugin
# Generate attestation
syft dir:. --output spdx-json --file sbom.spdx.json

Integrating Syft into Java CI/CD Pipelines

1. GitHub Actions Workflow

name: Generate SBOM
on:
push:
branches: [ main ]
release:
types: [ published ]
jobs:
generate-sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build Java application
run: mvn clean package -DskipTests
- name: Generate SBOM with Syft
run: |
docker run --rm \
-v $(pwd):/src \
-v /var/run/docker.sock:/var/run/docker.sock \
anchore/syft:latest \
dir:/src -o cyclonedx-json > sbom.cyclonedx.json
- name: Upload SBOM
uses: actions/upload-artifact@v3
with:
name: sbom
path: sbom.cyclonedx.json

2. Jenkins Pipeline Integration

pipeline {
agent any
stages {
stage('Build') {
steps {
sh 'mvn clean package -DskipTests'
}
}
stage('Generate SBOM') {
steps {
script {
// Install Syft
sh 'curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin'
// Generate SBOM
sh 'syft dir:. -o cyclonedx-json > sbom.cyclonedx.json'
// Archive SBOM
archiveArtifacts artifacts: 'sbom.cyclonedx.json', fingerprint: true
}
}
}
}
}

3. Maven Plugin Alternative

<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<version>2.7.4</version>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>makeAggregateBom</goal>
</goals>
</execution>
</executions>
<configuration>
<projectType>library</projectType>
<schemaVersion>1.4</schemaVersion>
<includeBomSerialNumber>true</includeBomSerialNumber>
<includeCompileScope>true</includeCompileScope>
<includeProvidedScope>true</includeProvidedScope>
<includeRuntimeScope>true</includeRuntimeScope>
<includeSystemScope>true</includeSystemScope>
<includeTestScope>false</includeTestScope>
<includeLicenseText>false</includeLicenseText>
<outputReactorProjects>true</outputReactorProjects>
<outputFormat>json</outputFormat>
</configuration>
</plugin>

Real-World Java SBOM Scenarios

Scenario 1: Multi-Module Maven Project

# Complex project structure
project/
├── pom.xml
├── api/
│   └── pom.xml
├── service/
│   └── pom.xml
└── web/
└── pom.xml
# Generate comprehensive SBOM
syft dir:project --catalogers all-java -o cyclonedx-json > sbom.json

Scenario 2: Containerized Spring Boot Application

FROM eclipse-temurin:17-jre
COPY target/my-app.jar /app/app.jar
COPY dependencies/ /app/libs/
# Build and scan
docker build -t my-java-app .
syft docker:my-java-app -o spdx-json

Scenario 3: Vulnerability Response

# When new CVE is announced, check your SBOM
syft dir:. -o json | jq '.artifacts[] | select(.name | contains("log4j"))'
# Output identifying vulnerable components
{
"name": "log4j-core",
"version": "2.14.1",
"purl": "pkg:maven/org.apache.logging.log4j/[email protected]"
}

SBOM Analysis and Consumption

1. Parse and Analyze SBOM with Java

@Component
public class SBOMParser {
public List<Dependency> parseSBOM(File sbomFile) throws IOException {
ObjectMapper mapper = new ObjectMapper();
JsonNode root = mapper.readTree(sbomFile);
List<Dependency> dependencies = new ArrayList<>();
JsonNode components = root.path("components");
for (JsonNode component : components) {
Dependency dep = new Dependency(
component.path("name").asText(),
component.path("version").asText(),
component.path("purl").asText(),
component.path("type").asText()
);
dependencies.add(dep);
}
return dependencies;
}
public boolean hasVulnerableDependency(List<Dependency> deps, 
String packageName, 
String versionPattern) {
return deps.stream()
.anyMatch(dep -> 
dep.name().contains(packageName) && 
dep.version().matches(versionPattern));
}
}

2. SBOM Diffing Between Versions

# Compare SBOMs to see dependency changes
syft dir:./v1.0 -o json > sbom-v1.0.json
syft dir:./v1.1 -o json > sbom-v1.1.json
# Use jq to diff
diff <(jq -r '.artifacts[].purl' sbom-v1.0.json | sort) \
<(jq -r '.artifacts[].purl' sbom-v1.1.json | sort)

Best Practices for Java SBOM Generation

Scan Built Artifacts: Generate SBOMs from final built artifacts (JARs, containers) rather than source code.
Include All Environments: Generate separate SBOMs for development, testing, and production builds.
Version Control SBOMs: Store SBOMs alongside your application releases.
Automate Generation: Integrate SBOM generation into your CI/CD pipeline.
Validate SBOMs: Use tools like bomber or syft validate to check SBOM quality.

Example Validation:

# Validate SBOM format
syft validate sbom.cyclonedx.json
# Check for vulnerabilities in SBOM
bomber scan sbom.cyclonedx.json

Integration with Java Security Tools

Grype Integration: Use Syft-generated SBOMs with Grype for vulnerability scanning
Dependency-Track: Upload SBOMs to Dependency-Track for continuous monitoring
Jenkins Plugins: Use Syft with Jenkins for automated compliance checking
GitHub Advanced Security: Upload SBOMs to GitHub for dependency insights

Conclusion

Syft provides Java development teams with a powerful, flexible tool for generating comprehensive Software Bill of Materials that capture both JVM dependencies and system-level packages. By integrating Syft into your Java development lifecycle, you gain crucial visibility into your software supply chain, enabling faster vulnerability response, better license compliance, and stronger security posture.

Whether you're building traditional JAR applications, complex microservices architectures, or containerized cloud-native applications, Syft's deep Java ecosystem support ensures you have accurate, actionable dependency information. As software supply chain security becomes increasingly regulated and critical, establishing robust SBOM practices with tools like Syft transitions from being a best practice to an essential requirement for modern Java development.

Advanced Java Supply Chain Security, Kubernetes Hardening & Runtime Threat Detection

Sigstore Rekor in Java – https://macronepal.com/blog/sigstore-rekor-in-java/
Explains integrating Sigstore Rekor into Java systems to create a transparent, tamper-proof log of software signatures and metadata for verifying supply chain integrity.

Securing Java Applications with Chainguard Wolfi – https://macronepal.com/blog/securing-java-applications-with-chainguard-wolfi-a-comprehensive-guide/
Explains using Chainguard Wolfi minimal container images to reduce vulnerabilities and secure Java applications with hardened, lightweight runtime environments.

Cosign Image Signing in Java Complete Guide – https://macronepal.com/blog/cosign-image-signing-in-java-complete-guide/
Explains how to digitally sign container images using Cosign in Java-based workflows to ensure authenticity and prevent unauthorized modifications.

Secure Supply Chain Enforcement Kyverno Image Verification for Java Containers – https://macronepal.com/blog/secure-supply-chain-enforcement-kyverno-image-verification-for-java-containers/
Explains enforcing Kubernetes policies with Kyverno to verify container image signatures and ensure only trusted Java container images are deployed.

Pod Security Admission in Java Securing Kubernetes Deployments for JVM Applications – https://macronepal.com/blog/pod-security-admission-in-java-securing-kubernetes-deployments-for-jvm-applications/
Explains Kubernetes Pod Security Admission policies that enforce security rules like restricted privileges and safe configurations for Java workloads.

Securing Java Applications at Runtime Kubernetes Security Context – https://macronepal.com/blog/securing-java-applications-at-runtime-a-guide-to-kubernetes-security-context/
Explains how Kubernetes security contexts control runtime permissions, user IDs, and access rights for Java containers to improve isolation.

Process Anomaly Detection in Java Behavioral Monitoring – https://macronepal.com/blog/process-anomaly-detection-in-java-comprehensive-behavioral-monitoring-2/
Explains detecting abnormal runtime behavior in Java applications to identify potential security threats using process monitoring techniques.

Achieving Security Excellence CIS Benchmark Compliance for Java Applications – https://macronepal.com/blog/achieving-security-excellence-implementing-cis-benchmark-compliance-for-java-applications/
Explains applying CIS security benchmarks to Java environments to standardize hardening and improve overall system security posture.

Process Anomaly Detection in Java Behavioral Monitoring – https://macronepal.com/blog/process-anomaly-detection-in-java-comprehensive-behavioral-monitoring/
Explains behavioral monitoring of Java processes to detect anomalies and improve runtime security through continuous observation and analysis.

JAVA CODE COMPILER

FREE ONLINE JAVA CODE COMPILER