Building SCA pipeline for Spring Boot — SBOM vs JAR scanning, what's the right approach?
Hey everyone,
I'm building a CI SCA pipeline for a Spring Boot application using Dependency-Check, Trivy, and OSV Scanner.
I've been going back and forth between two approaches:
- Generate a CycloneDX SBOM from Maven and feed it into all the tools
- Resolve dependencies into a local Maven cache and point the tools directly at the JARs or POM files
From my testing, scanning the Maven cache directly produces a huge amount of noise — false positives coming from other libraries' POM files declaring their own dependency versions, which Maven never actually uses at runtime.
The SBOM approach gives much cleaner results since it only contains the versions Maven actually resolved.
Is SBOM the industry standard for this kind of pipeline? Are there any downsides I'm missing?