How to Generate and Expose SBOMs in Spring Boot 3.3.0

This guide explains how Spring Boot 3.3.0 natively supports Software Bill‑of‑Materials (SBOM) generation with CycloneDX, shows Gradle and Maven configuration steps, demonstrates building an uber‑jar that includes the SBOM, and details how to expose the SBOM via Actuator endpoints and customize formats.

Java Architecture Diary

Introduction

Spring Boot 3.3.0 adds native support for SBOM (Software Bill‑of‑Materials), which describes the components used to build a software artifact. SBOMs help you assess security vulnerabilities and enable automated tools to scan and alert on issues.

Spring Boot supports the most common SBOM formats—CycloneDX, SPDX, and Syft—and provides built‑in CycloneDX support through three pillars:

Configuration of the CycloneDX plugin to generate an SBOM during the build.

Packaging the generated SBOM into the uber‑jar.

Optional exposure of the SBOM via an Actuator endpoint.

Generating an SBOM

Create a new project on start.spring.io with Spring Boot 3.3.0 and include the Spring Web and Actuator dependencies.

For Gradle, add the CycloneDX plugin to build.gradle:

plugins {
    id 'org.cyclonedx.bom' version '1.8.2'
}

Spring Boot detects the plugin and configures it automatically.

For Maven, add the CycloneDX Maven plugin to pom.xml:

<plugins>
  <plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
  </plugin>
</plugins>

Build the project with gradle build or mvn package. The SBOM is generated and placed in META-INF/sbom/application.cdx.json inside the uber‑jar, and the jar manifest includes:

Sbom-Location: META-INF/sbom/application.cdx.json
Sbom-Format: CycloneDX
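As an added example (not part of the original article), the following Python script checks a built uber-jar offline: it reads the Sbom-Location and Sbom-Format attributes from the manifest, loads the SBOM from the entry they point to, and lists the package URLs of the components it declares. The build_sample_jar helper constructs a stand-in jar with a tiny SBOM so the script runs without a real build; point read_sbom_from_jar at the bytes of your own jar to check it.

```python
import io
import json
import zipfile


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF, joining 72-byte continuation lines."""
    attrs, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            break  # a blank line ends the main section
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]  # continuation of the previous attribute's value
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def read_sbom_from_jar(jar_bytes):
    """Follow the Sbom-Location manifest attribute and return (Sbom-Format, parsed SBOM)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        location = manifest.get("Sbom-Location")
        if location is None:
            raise ValueError("manifest has no Sbom-Location: was the CycloneDX plugin applied?")
        return manifest.get("Sbom-Format"), json.loads(jar.read(location))


def component_purls(sbom):
    """Sorted package URLs of every component listed in a CycloneDX document."""
    return sorted(c["purl"] for c in sbom.get("components", []) if "purl" in c)


def build_sample_jar():
    """Constructed stand-in for a Spring Boot uber-jar: manifest plus a tiny CycloneDX SBOM."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Sbom-Format: CycloneDX\r\n"
                "Sbom-Location: META-INF/sbom/application.cdx.json\r\n\r\n")
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [  # constructed sample dependencies, not real version data
                {"type": "library", "name": "lib-a", "purl": "pkg:maven/org.example/lib-a@1.0.0"},
                {"type": "library", "name": "lib-b", "purl": "pkg:maven/org.example/lib-b@2.1.0"}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/sbom/application.cdx.json", json.dumps(sbom))
    return buf.getvalue()
```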

Exposing the SBOM via Actuator

Enable the SBOM endpoint by adding to application.properties:

management.endpoints.web.exposure.include=health,sbom

After rebuilding and running the jar, query the endpoint:

curl -i http://localhost:8080/actuator/sbom

HTTP/1.1 200
Content-Type: application/vnd.spring-boot.actuator.v3+json

{"ids":["application"]}

Retrieve the full SBOM:

curl -i http://localhost:8080/actuator/sbom/application

HTTP/1.1 200
Content-Type: application/vnd.cyclonedx+json
...

The response contains a detailed JSON document with all dependencies, hashes, licenses, URLs, and metadata such as version and generation time.

Using Different SBOM Formats

If you prefer SPDX or Syft, configure the location and media type manually:

management.endpoint.sbom.application.location=classpath:/sbom/application.spdx.json
management.endpoint.sbom.application.media-type=application/spdx+json

Place the SPDX file under src/main/resources/sbom/application.spdx.json.

Adding Additional SBOMs

Spring Boot can expose multiple SBOMs. Define extra SBOMs with properties such as:

management.endpoint.sbom.additional.jvm.location=file:/path/to/sbom.json
management.endpoint.sbom.additional.jvm.media-type=application/json

After restarting, the Actuator endpoint lists both IDs:

curl -i http://localhost:8080/actuator/sbom

HTTP/1.1 200
Content-Type: application/vnd.spring-boot.actuator.v3+json

{"ids":["application","jvm"]}

Each SBOM can be retrieved individually, e.g., curl -i http://localhost:8080/actuator/sbom/jvm.

Optional SBOMs

To avoid startup failures when an SBOM file is missing, prefix the location with optional: (for example, optional:file:/path/to/sbom.json); Spring Boot then ignores absent files instead of failing at startup.

Conclusion

Spring Boot’s SBOM support helps you secure your software supply chain by providing detailed component inventories that are easy to generate, package, and expose.

Written by

Java Architecture Diary
