
How to Generate and Expose SBOMs in Spring Boot 3.3.0

This guide explains how Spring Boot 3.3.0 natively supports Software Bill‑of‑Materials (SBOM) generation with CycloneDX, shows Gradle and Maven configuration steps, demonstrates building an uber‑jar that includes the SBOM, and details how to expose the SBOM via Actuator endpoints and customize formats.

Java Architecture Diary

Introduction

Spring Boot 3.3.0 adds native support for SBOM (Software Bill‑of‑Materials), which describes the components used to build a software artifact. SBOMs help you assess security vulnerabilities and enable automated tools to scan and alert on issues.

Spring Boot supports the most common SBOM formats—CycloneDX, SPDX, and Syft—and provides built‑in CycloneDX support through three pillars:

Configuration of the CycloneDX plugin to generate an SBOM during the build.

Packaging the generated SBOM into the uber‑jar.

Optional exposure of the SBOM via an Actuator endpoint.

Generating an SBOM

Create a new project on start.spring.io with Spring Boot 3.3.0 and include the Spring Web and Actuator dependencies.

For Gradle, add the CycloneDX plugin to build.gradle:

plugins {
    id 'org.cyclonedx.bom' version '1.8.2'
}

Spring Boot detects the plugin and configures it automatically.

For Maven, add the CycloneDX Maven plugin to pom.xml:

<plugins>
  <plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
  </plugin>
</plugins>

Build the project with gradle build or mvn package. The SBOM is generated and placed in META-INF/sbom/application.cdx.json inside the uber‑jar, and the jar manifest includes:

Sbom-Location: META-INF/sbom/application.cdx.json
Sbom-Format: CycloneDX

Exposing the SBOM via Actuator

Enable the SBOM endpoint by adding to application.properties:

management.endpoints.web.exposure.include=health,sbom

After rebuilding and running the jar, query the endpoint (the -i flag makes curl print the response headers shown below):

curl -i http://localhost:8080/actuator/sbom

HTTP/1.1 200
Content-Type: application/vnd.spring-boot.actuator.v3+json

{"ids":["application"]}

Retrieve the full SBOM:

curl -i http://localhost:8080/actuator/sbom/application

HTTP/1.1 200
Content-Type: application/vnd.cyclonedx+json
...

The response contains a detailed JSON document with all dependencies, hashes, licenses, URLs, and metadata such as version and generation time.
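The following script is an added example, not code from the article or from Spring Boot itself. It exercises the two artifacts described above: the Sbom-Location and Sbom-Format manifest attributes that point at the packaged SBOM, and the CycloneDX JSON document that the build produces and that the Actuator endpoint serves. The jar and the SBOM it contains are constructed in memory (a stand-in for the real uber‑jar built by gradle build or mvn package); the audit assumes only the CycloneDX 1.x JSON layout (bomFormat, components, hashes, licenses). It reads the manifest, follows Sbom-Location to the document, checks that the declared format matches, and flags components that carry no hash or no license, which is the kind of gate a CI job would run before accepting a build.

```python
"""Inspect a Spring Boot uber-jar for its embedded CycloneDX SBOM and audit it.

Added example (not from the article or from Spring Boot). Assumes the manifest
attributes Sbom-Location / Sbom-Format and the CycloneDX 1.x JSON layout.
The jar and SBOM below are constructed in memory for an offline run.
"""
import io
import json
import zipfile

# Constructed sample SBOM: one complete component and one (lib-b) that lacks
# both a hash and a license declaration, so the audit has something to flag.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.example", "name": "lib-a", "version": "1.0.0",
         "purl": "pkg:maven/org.example/lib-a@1.0.0",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "org.example", "name": "lib-b", "version": "2.3.1",
         "purl": "pkg:maven/org.example/lib-b@2.3.1"},
    ],
}

# Constructed manifest carrying the two attributes Spring Boot writes.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Sbom-Location: META-INF/sbom/application.cdx.json\r\n"
    "Sbom-Format: CycloneDX\r\n"
    "\r\n"
)


def build_sample_jar() -> bytes:
    """Constructed stand-in for the uber-jar produced by the build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        jar.writestr("META-INF/sbom/application.cdx.json", json.dumps(SAMPLE_SBOM))
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse the main section of MANIFEST.MF; continuation lines start with one space."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # blank line ends the main section
        if raw.startswith(" ") and last_key:
            attrs[last_key] += raw[1:]  # join a wrapped value
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def read_embedded_sbom(jar_bytes: bytes) -> tuple:
    """Follow Sbom-Location from the manifest and return (format, parsed document)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        attrs = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        location = attrs.get("Sbom-Location")
        fmt = attrs.get("Sbom-Format")
        if not location or not fmt:
            raise ValueError("manifest carries no Sbom-Location / Sbom-Format")
        doc = json.loads(jar.read(location))
    # The manifest's format claim and the document's own header must agree.
    if fmt == "CycloneDX" and doc.get("bomFormat") != "CycloneDX":
        raise ValueError("manifest says CycloneDX but bomFormat disagrees")
    return fmt, doc


def audit_components(doc: dict) -> dict:
    """Report components that declare no hash or no license."""
    missing_hash, missing_license = [], []
    for c in doc.get("components", []):
        ident = c.get("purl") or f"{c.get('group')}:{c.get('name')}@{c.get('version')}"
        if not c.get("hashes"):
            missing_hash.append(ident)
        if not c.get("licenses"):
            missing_license.append(ident)
    return {
        "total": len(doc.get("components", [])),
        "missing_hash": missing_hash,
        "missing_license": missing_license,
    }


if __name__ == "__main__":
    sbom_format, sbom = read_embedded_sbom(build_sample_jar())
    print(sbom_format, sbom["specVersion"], audit_components(sbom))
```

To run this against a real build, replace build_sample_jar() with the bytes of build/libs/<app>.jar or target/<app>.jar; the same audit_components function can be applied to the JSON returned by /actuator/sbom/application, since that endpoint serves the identical document. Because the SBOM enumerates every dependency and version in the artifact, treat the sbom endpoint like any other Actuator endpoint and expose it only to trusted callers.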

Using Different SBOM Formats

If you prefer SPDX or Syft, configure the location and media type manually:

management.endpoint.sbom.application.location=classpath:/sbom/application.spdx.json
management.endpoint.sbom.application.media-type=application/spdx+json

Place the SPDX file under src/main/resources/sbom/application.spdx.json.

Adding Additional SBOMs

Spring Boot can expose multiple SBOMs. Define extra SBOMs with properties such as:

management.endpoint.sbom.additional.jvm.location=file:/path/to/sbom.json
management.endpoint.sbom.additional.jvm.media-type=application/json

After restarting, the Actuator endpoint lists both IDs:

curl -i http://localhost:8080/actuator/sbom

HTTP/1.1 200
Content-Type: application/vnd.spring-boot.actuator.v3+json

{"ids":["application","jvm"]}

Each SBOM can be retrieved individually, e.g., curl -i http://localhost:8080/actuator/sbom/jvm.

Optional SBOMs

To avoid startup failures when an SBOM file is missing, prefix the location with optional: so Spring Boot will ignore absent files.

Conclusion

Spring Boot’s SBOM support helps you secure your software supply chain by providing detailed component inventories that are easy to generate, package, and expose.

Written by Java Architecture Diary

Committed to sharing original, high‑quality technical articles; no fluff or promotional content.
