This Ant library provides Ant types and a task to create CycloneDX SBOMs.
The library is meant to be used for projects that manage their dependencies manually (or haven't got any dependencies at all). For projects using Apache Ivy we plan to create a separate Ant Library leveraging automatic dependency management.
At the same time this Ant library is not restricted to providing SBOMs for jar modules you publish. It is supposed to be generic enough to provide SBOMs for distribution tarballs, executables or generic components.
Technically it provides a pretty thin layer on top of CycloneDX Core (Java) and can only provide what the library itself supports. For example, this means the task doesn't support CycloneDX 1.7 yet, as the underlying library doesn't.
Right now the Ant task of this library can only create a subset of what a CycloneDX SBOM is able to express. The main focus has been to support what the Ant project needs for its own releases - but contributions beyond that are certainly welcome.
This manual follows the CycloneDX terminology closely, as do the task and types. It cannot serve as an introduction to SBOMs, in particular as the authors' understanding of the topic may be limited or even wrong.
The main entry point to this library is the componentbom task, which creates a CycloneDX SBOM for a single component. The Ant types provided by this library are mainly there as stand-alone types so they can be reused if you need the same things in more than one SBOM - for example because you are publishing multiple components or packaging them in multiple artifacts.
The types provided by the library are:
This Ant Library requires Java 8 at a minimum to build and at runtime. It is meant to be compatible with Ant 1.10.x but there is no guarantee it will work with any version prior to 1.10.17.
The only direct dependency is CycloneDX Core (Java) but this in turn transitively depends on commons-io, commons-lang3, commons-collections4 and commons-codec of the Apache Commons project as well as Package URL (purl) for Java. It also depends on Jackson and woodstox when writing the BOM. It may be possible to avoid the woodstox dependency if you only create the JSON format of the SBOM.