Generating SBOM for Java apps built with Ant

[lweitzel01]

Hello Team,

What tool can I use to generate SBOM for Java applications built with Ant? There does not appear to be a specific plugin for Ant (only Maven and Gradle) and the CLI tool does not actually generate library components and scan the jars to determine the version/license.

Thanks.

[stevespringett]

If you're using Ivy, you should be able to use the Maven plugin with Ant/Ivy. If you're not using Ivy, then its highly likely you're manually managing dependencies, in which case you'll also need to manually manage the SBOM, or acquire a binary analysis tool that can evaluate the dependencies and generate the SBOM from the evidence.

[lweitzel01]

I had assumed that the CycloneDX CLI tool would actually scan the binaries and produce a similar SBOM the same as the Maven/Gradle plugin. Is that not the case?

Would the scancode toolkit be a binary scanner to start with?

[stevespringett]

The CycloneDX CLI is a useful utility that does many things. But it doesn't understand any build systems or file types, that's not in scope for the app. The CLI can create source SBOMs, basically a listing of all sources files and their properties. So that's likely not what you're looking for.

scancode toolkit would be my first choice, yes. scancode also supports CycloneDX.

[lweitzel01]

Steve,
It looks like you contribute to the OWASP Dependency Checker as a binary scanner for jenkins which we use extensively. Are there any tools that would take the output from dependency checker and convert it to SBOM?

[stevespringett]

I have not contributed to Dependency-Check or the Jenkins plugin for several years. The Jenkins plugin has a new maintainer. I have no idea if there are tools that support exporting to CycloneDX from Dependency-Check. You may want to ask that community.