This repository demonstrates how the Spring PetClinic application looks when analyzed through a security lens. It includes baseline SBOMs for two versions of the application: one built with the final OSS release of Spring Boot 2.7.x and one built with HeroDevs Never Ending Support (NES) for Spring as a drop-in replacement.
demo-scanners/
├── oss-petclinic.sbom.cdx.json # CycloneDX SBOM from the OSS Spring PetClinic
├── nes-petclinic.sbom.cdx.json # CycloneDX SBOM with HeroDevs NES for Spring drop-in replacements
└── <scanner>/ # Individual scanner integrations
To obtain the source code for Spring PetClinic, we found the last commit at which Spring PetClinic was still using Spring Boot 2.7.x. From there we upgraded to the latest Spring Boot 2.7 release (2.7.18) and checked the OSS code in to this branch. We then created another branch and dropped in HeroDevs NES for Spring.
The OSS and NES branches of Spring PetClinic were then used to generate both a CycloneDX SBOM and an SPDX SBOM, each in JSON format.
To generate a CycloneDX SBOM, reference the branches mentioned above and run the following command:
./mvnw org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
To generate an SPDX SBOM in JSON format:
./mvnw org.spdx:spdx-maven-plugin:createSPDX
Those commands write the SBOM files to the target directory. The resulting files have been renamed to oss-petclinic.sbom.cdx.json, oss-petclinic.sbom.spdx.json, nes-petclinic.sbom.cdx.json, and nes-petclinic.sbom.spdx.json respectively and are available in this repository.
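Once both CycloneDX SBOMs exist, the security-relevant question is which artifacts the NES drop-in actually replaced and which stayed identical. The following is an added example, not code from this repository: it diffs two CycloneDX SBOMs by artifact name; the embedded SBOMs are constructed stand-ins for oss-petclinic.sbom.cdx.json and nes-petclinic.sbom.cdx.json, and the NES group and version strings are placeholders, not HeroDevs' real coordinates.

```python
import json

# Constructed minimal CycloneDX-style SBOMs standing in for the two files in
# this repository. Only the fields the diff needs are included.
OSS_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.springframework.boot", "name": "spring-boot", "version": "2.7.18"},
    {"type": "library", "group": "org.springframework", "name": "spring-core", "version": "5.3.31"},
    {"type": "library", "group": "org.hsqldb", "name": "hsqldb", "version": "2.7.2"}
  ]
}""")

# Placeholder NES coordinates (constructed): a drop-in replacement typically
# keeps the artifact name but changes the group and/or version suffix.
NES_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "com.example.nes", "name": "spring-boot", "version": "2.7.18-nes-placeholder"},
    {"type": "library", "group": "com.example.nes", "name": "spring-core", "version": "5.3.31-nes-placeholder"},
    {"type": "library", "group": "org.hsqldb", "name": "hsqldb", "version": "2.7.2"}
  ]
}""")


def load_sbom(path):
    """Read a CycloneDX JSON SBOM from disk (e.g. oss-petclinic.sbom.cdx.json)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def component_index(sbom):
    """Map artifact name -> (group, version). Keying by name alone is deliberate:
    a drop-in replacement changes the group, so group must not be part of the key."""
    return {
        comp["name"]: (comp.get("group", ""), comp.get("version", ""))
        for comp in sbom.get("components", [])
        if "name" in comp
    }


def diff_sboms(before, after):
    """Report artifacts whose group or version changed between two SBOMs,
    plus artifacts that are unchanged, newly added, or removed."""
    old, new = component_index(before), component_index(after)
    common = old.keys() & new.keys()
    return {
        "changed": {n: {"from": old[n], "to": new[n]} for n in sorted(common) if old[n] != new[n]},
        "unchanged": sorted(n for n in common if old[n] == new[n]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }
```

Run the same diff on the real files with load_sbom to see exactly which Spring artifacts the NES branch swapped; anything listed under "unchanged" is still the OSS artifact and should be checked against a vulnerability database as before.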