Vulnerability reference
Known limitations and alternatives
If you rely on Trivy alone, you receive a simplified dependency graph, because Trivy does not perform Gradle or Maven dependency resolution.
Dependency-Track integrates with Trivy at runtime, so vulnerabilities in the Docker container are still detected.
Trivy directly parses the .jar files without access to full dependency resolution details.
Gradle and Maven plugins provide a deeper graph of nested transitive dependencies.
Gradle Plugin
Add the following plugin to your build.gradle* file.
In your workflow you can generate an SBOM with the following Gradle task command:
By default the SBOM is written to build/reports/bom.json. Pass the SBOM to the nais/docker-build-push action with the following input:
For nais/attest-sign
action:
```yaml
uses: nais/attest-sign@v1
with:
sbom: build/reports/bom.json
```
For more information about the available settings, see the CycloneDX Gradle Plugin.
Maven Plugin
Add the following to your pom.xml file.
```xml
<plugins>
  <plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <executions>
      <execution>
        <phase>package</phase>
        <goals>
          <goal>makeAggregateBom</goal>
        </goals>
      </execution>
    </executions>
  </plugin>
</plugins>
```
In your workflow you can generate an SBOM with the following Maven command:
By default the SBOM is written to target/bom.json. Pass the SBOM to the nais/docker-build-push action with the following input:
For nais/attest-sign
action:
```yaml
uses: nais/attest-sign@v1
with:
sbom: target/bom.json
```
For more information about the available settings, see the CycloneDX Maven Plugin.
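Before handing bom.json to nais/attest-sign it is worth checking that the file really is a CycloneDX document, that every component carries a purl (scanners such as Trivy and Dependency-Track match on it), and that the `dependencies` section carries the nested transitive graph the Gradle and Maven plugins produce rather than the flat list a jar-only scan yields. The script below is an added example, not part of the nais docs or of the CycloneDX plugins; the embedded BOM is a constructed sample in the shape those plugins write, and the script reads a real bom.json when given a path.

```python
"""Sanity-check a CycloneDX bom.json before it is attested and signed.

Added example (not nais or CycloneDX project code). Usage:
    python check_bom.py build/reports/bom.json   # or target/bom.json
With no argument it runs against the constructed sample below.
"""
import json
import sys
from collections import deque

# Constructed sample: one root application whose dependency pulls in two
# further nested dependencies; lib-c deliberately lacks a purl.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0.0", "name": "app"}},
    "components": [
        {"bom-ref": "pkg:maven/org.example/lib-a@2.0.0", "name": "lib-a",
         "purl": "pkg:maven/org.example/lib-a@2.0.0"},
        {"bom-ref": "pkg:maven/org.example/lib-b@3.1.0", "name": "lib-b",
         "purl": "pkg:maven/org.example/lib-b@3.1.0"},
        {"bom-ref": "pkg:maven/org.example/lib-c@0.9.0", "name": "lib-c"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/app@1.0.0",
         "dependsOn": ["pkg:maven/org.example/lib-a@2.0.0"]},
        {"ref": "pkg:maven/org.example/lib-a@2.0.0",
         "dependsOn": ["pkg:maven/org.example/lib-b@3.1.0"]},
        {"ref": "pkg:maven/org.example/lib-b@3.1.0",
         "dependsOn": ["pkg:maven/org.example/lib-c@0.9.0"]},
        {"ref": "pkg:maven/org.example/lib-c@0.9.0", "dependsOn": []},
    ],
})


def load_bom(text):
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX document")
    return bom


def components_without_purl(bom):
    """Names of components a vulnerability scanner cannot match by package URL."""
    return [c.get("name") for c in bom.get("components", []) if not c.get("purl")]


def dependency_depth(bom):
    """Longest chain of transitive dependencies below the root component.

    0 means the graph is flat (no `dependencies` section or no root edges),
    which is what a jar-only scan produces; the Gradle/Maven plugins give
    the nested resolution graph. BFS with a visited set also survives cycles.
    """
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    if root is None or root not in edges:
        return 0
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return max(depth.values())


def summarize(text):
    """Collect the checks a reviewer wants to see before the SBOM is attested."""
    bom = load_bom(text)
    return {
        "spec_version": bom["specVersion"],
        "components": len(bom.get("components", [])),
        "missing_purl": components_without_purl(bom),
        "max_depth": dependency_depth(bom),
    }


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    print(json.dumps(summarize(source), indent=2))
```

A `max_depth` of 0 on a freshly built project is a sign that the plugin did not run or that only a flat component list was emitted; a non-empty `missing_purl` list points at components that Dependency-Track will not be able to correlate with vulnerability data.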