Embed an SBOM in a Native Executable to Identify Its Dependencies

Native Image can embed a Software Bill of Materials (SBOM). An SBOM is an inventory of all the components, libraries, and modules that make up your application. It provides detailed information about all open-source and proprietary libraries used by the application and their versions. Use the --enable-sbom option to incorporate an SBOM into a native executable. It supports the CycloneDX format by default. (Not available in GraalVM Community Edition.)


  • Make sure you have installed Oracle GraalVM. The easiest way to get started is with SDKMAN!. For other installation options, visit the Downloads section.
  • Syft

Generate an SBOM at Build Time

For the demo application, you will use the jwebserver tool, and package it as a native executable with an embedded SBOM.

jwebserver is a minimal HTTP server for serving static files from a single directory hierarchy, included in the JDK. It was added in Java 18.

  1. Save the following code to a file named index.html, so the web server has content to serve:
     <!DOCTYPE html>
         <h2>Hello, GraalVM user!<p>
  2. From the directory where you saved index.html, run the following command to create a native executable and embed an SBOM:
     native-image --enable-sbom=cyclonedx -m jdk.httpserver -o jwebserver

    Native Image compiles jwebserver from the jdk.httpserver module, provided with the JDK, by passing the -m option. It produces a native executable containing a GZIP format compressed SBOM.

  3. (Optional) Run the compiled jwebserver executable and go to localhost:8000 in a browser:

Extract the Embedded SBOM

There are two possible ways to extract the compressed SBOM contents into a human-readable format:


Syft, syft, is an open source tool maintained by Anchore. Syft can extract an embedded SBOM which it can present in both a native Syft format or CycloneDX. Thanks to a contribution from the GraalVM team, syft can now extract an SBOM given within a native executable, built for Linux, macOS, or Windows.

Run syft on the native executable to read its SBOM contents:

syft jwebserver

It lists all of the Java libraries included in it.

Native Image Inspect Tool

GraalVM Native Image provides the Inspect Tool to retrieve an SBOM embedded in a native executable. The Inspect Tool is a viable alternative if you prefer not to install syft.

Run the following command to read the SBOM contents using the Inspect Tool:

native-image-inspect --sbom jwebserver

To take it further, you can submit the SBOM to any available vulnerability scanner, and check if the recorded libraries have known security vulnerabilities. Vulnerability scanners cross-reference the components listed in an SBOM with CVEs in vulnerability databases.

This guide demonstrated how you can get insights on your application supply chain to help assess risks associated with the third-party dependencies. Native Image can embed an SBOM into a native executable or shared library at build time.

Connect with us