Closed
Description
https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.sbom
It was not immediately clear to me that, for Gradle, the cyclonedxBom task is not part of the overall build lifecycle.
Additionally, the output needs to be placed in a specific location to be auto-detected: https://github.com/spring-projects/spring-boot/blob/v3.3.0/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/sbom/SbomEndpoint.java#L43
It would be nice if the Spring Boot Gradle plugin reacts to the CycloneDX plugin application with some sensible default:
```kotlin
tasks {
    processResources {
        from(cyclonedxBom) {
            include("${cyclonedxBom.get().outputName.get()}.json")
            into("META-INF/sbom")
        }
    }
}
```

The include() part is necessary since the task outputs to build/reports which can contain other items not related to SBOM.
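As an added example (not from the issue or from the Spring Boot project), here is a complete build.gradle.kts that wires the CycloneDX output into the jar as described above and adds a build-time check that the SBOM actually landed in the boot jar. Plugin versions, the SBOM file name `application.cdx` (one of the names the actuator endpoint looks for by default, per the linked SbomEndpoint source) and the lazy Property API of cyclonedx-gradle-plugin 1.8+ are assumptions.

```kotlin
// build.gradle.kts (constructed example; versions and names are assumed)
plugins {
    java
    id("org.springframework.boot") version "3.3.0"   // assumed version
    id("org.cyclonedx.bom") version "1.8.2"          // assumed version
}

repositories { mavenCentral() }

dependencies {
    implementation("org.springframework.boot:spring-boot-starter-actuator")
}

tasks {
    // Pin the output name/format so the copy step and the endpoint agree on the file.
    cyclonedxBom {
        outputName.set("application.cdx")              // assumed: matches META-INF/sbom/application.cdx.json
        outputFormat.set("json")
        includeConfigs.set(listOf("runtimeClasspath")) // describe only what ships, not test/compile-only deps
    }

    // Copy just the SBOM out of build/reports into the packaged resources.
    processResources {
        from(cyclonedxBom) {
            include("${cyclonedxBom.get().outputName.get()}.json")
            into("META-INF/sbom")
        }
    }

    // Build-time check: fail if the SBOM is missing from the boot jar, so a broken
    // wiring is caught in CI rather than discovered as an empty /actuator/sbom later.
    val verifySbomPackaged by registering {
        dependsOn(bootJar)
        doLast {
            val jar = bootJar.get().archiveFile.get().asFile
            // In a boot jar, application resources live under BOOT-INF/classes/.
            val entry = "BOOT-INF/classes/META-INF/sbom/${cyclonedxBom.get().outputName.get()}.json"
            val present = zipTree(jar).matching { include(entry) }.files.isNotEmpty()
            if (!present) throw GradleException("SBOM entry $entry not found in ${jar.name}")
        }
    }
    check { dependsOn(verifySbomPackaged) }
}
```

The actuator still has to expose the endpoint (for example `management.endpoints.web.exposure.include=health,sbom`) before `/actuator/sbom/application` returns the packaged document.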
Labels: type: bug (A general bug)