I'm working on a Java/Kotlin project using Gradle, and I need to generate a Software Bill of Materials (SBOM) that includes not only the project dependencies but also specific information like the Java version and distribution. I am currently using the CycloneDX Gradle plugin for SBOM generation, but it only lists the dependencies and doesn't include the Java environment details. I also have to make this into a GitHub Action for Dependabot.
plugins {
    id 'org.cyclonedx.bom' version '1.8.1'
}

cyclonedxBom {
    // Only the runtime classpath ends up in the SBOM
    includeConfigs = ["runtimeClasspath"]
    // Compile-only and test configurations are left out
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    // other configurations...
}
I generated the SBOM with the ./gradlew cyclonedxBom command.
However, the resulting SBOM lacks information about the Java version and distribution. Is there a way to include this information in the SBOM generated by CycloneDX? Or is there an alternative approach or tool I can use to create a more customized SBOM for my Java/Kotlin Gradle project?
Any guidance or suggestions on how to achieve this would be greatly appreciated.
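One way to get the JVM details into the SBOM, as an added example that is not part of the question or of the CycloneDX Gradle plugin: run the plugin as-is, then post-process the JSON it writes (assumed here to be build/reports/bom.json, the plugin's default location) in a separate step of the GitHub Action. The script below parses the property dump from java -XshowSettings:properties -version, adds a "platform" component (a CycloneDX 1.5 component type) describing the runtime and its vendor, and links it from the root component so it is not an orphan. The bom-ref value and the java: property prefix are my own conventions; the sample settings text and sample BOM are constructed for the demonstration.

```python
"""Post-process a CycloneDX JSON SBOM so it records the Java runtime.

Added example, not code from the CycloneDX Gradle plugin. Assumes the
plugin wrote build/reports/bom.json and that the BOM uses spec 1.5+
(component type "platform").
"""
import json
import re
import subprocess
import sys

# Properties worth recording; "java.vendor.version" carries the
# distribution name (e.g. "Temurin-17.0.8+7") on JDK 11 and later.
WANTED = ("java.version", "java.vendor", "java.vendor.version",
          "java.runtime.name", "java.vm.name", "java.home")

_PROP_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*)$")


def parse_java_settings(text):
    """Parse the 'key = value' lines of `java -XshowSettings:properties`."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(1) in WANTED:
            props[m.group(1)] = m.group(2).strip()
    return props


def capture_java_settings():
    """Run the JVM on PATH and return its settings (needs a JDK installed)."""
    out = subprocess.run(["java", "-XshowSettings:properties", "-version"],
                         capture_output=True, text=True, check=True)
    return parse_java_settings(out.stderr)  # the dump goes to stderr


def add_java_runtime(bom, props):
    """Return a copy of `bom` with a platform component for the JVM."""
    if "java.version" not in props:
        raise ValueError("java.version missing; cannot describe the runtime")
    bom = json.loads(json.dumps(bom))  # deep copy; never mutate the input
    ref = "pkg:generic/java-runtime@" + props["java.version"]  # own convention
    components = bom.setdefault("components", [])
    if any(c.get("bom-ref") == ref for c in components):
        return bom  # already present: keep the step idempotent
    component = {
        "type": "platform",
        "bom-ref": ref,
        "name": props.get("java.runtime.name", "Java Runtime"),
        "version": props["java.version"],
        "properties": [{"name": "java:" + k, "value": v}
                       for k, v in sorted(props.items())],
    }
    if "java.vendor" in props:
        component["supplier"] = {"name": props["java.vendor"]}
    components.append(component)
    # Link the runtime from the root component so graph tools do not drop it.
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root_ref:
        deps = bom.setdefault("dependencies", [])
        for d in deps:
            if d.get("ref") == root_ref:
                d.setdefault("dependsOn", []).append(ref)
                break
        else:
            deps.append({"ref": root_ref, "dependsOn": [ref]})
    return bom


# Constructed sample of the JVM property dump (not real captured output).
SAMPLE_SETTINGS = """\
Property settings:
    file.encoding = UTF-8
    java.home = /usr/lib/jvm/temurin-17-jdk
    java.runtime.name = OpenJDK Runtime Environment
    java.vendor = Eclipse Adoptium
    java.vendor.version = Temurin-17.0.8+7
    java.version = 17.0.8
    java.vm.name = OpenJDK 64-Bit Server VM
openjdk version "17.0.8" 2023-07-18
"""

# Constructed minimal BOM in the shape the Gradle plugin emits.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"bom-ref": "pkg:maven/com.example/app@1.0.0",
                               "type": "application", "name": "app"}},
    "components": [{"type": "library", "bom-ref": "pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0",
                    "name": "kotlin-stdlib", "version": "1.9.0"}],
    "dependencies": [{"ref": "pkg:maven/com.example/app@1.0.0",
                      "dependsOn": ["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0"]}],
}

if __name__ == "__main__":
    # Usage: python add_java_runtime.py build/reports/bom.json
    path = sys.argv[1] if len(sys.argv) > 1 else "build/reports/bom.json"
    with open(path) as fh:
        enriched = add_java_runtime(json.load(fh), capture_java_settings())
    with open(path, "w") as fh:
        json.dump(enriched, fh, indent=2)
```

In the workflow, run this right after ./gradlew cyclonedxBom with the same JDK that the build step used (the setup-java step decides which java is on PATH), otherwise the recorded runtime is not the one that built the artifact.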