diff --git a/.gitignore b/.gitignore
index f96c2308..1e849943 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@ repository
 .gradle
 /build/
 out/
+gradle.lockfile
 !gradle/wrapper/gradle-wrapper.jar
 
 ### STS ###
diff --git a/Makefile b/Makefile
index 22285adc..f8f60fbf 100644
--- a/Makefile
+++ b/Makefile
@@ -5,5 +5,5 @@
 .PHONEY: scan
 scan:
 go install github.com/google/osv-scanner/cmd/osv-scanner@latest
- ./gradlew cyclonedxBom
- osv-scanner --sbom='fabric-chaincode-shim/build/reports/bom.json'
+ ./gradlew --quiet resolveAndLockAll --write-locks
+ osv-scanner scan --lockfile=fabric-chaincode-shim/gradle.lockfile
diff --git a/fabric-chaincode-shim/build.gradle b/fabric-chaincode-shim/build.gradle
index 77bbadbc..ea14aabc 100644
--- a/fabric-chaincode-shim/build.gradle
+++ b/fabric-chaincode-shim/build.gradle
@@ -33,16 +33,20 @@ checkstyleTest {
 source ='src/test/java'
 }
 
-cyclonedxBom {
- includeConfigs = ["runtimeClasspath"]
- skipConfigs = ["compileClasspath", "testCompileClasspath"]
- projectType = "library"
- schemaVersion = "1.5"
- destination = file("build/reports")
- outputName = "bom"
- outputFormat = "json"
- includeBomSerialNumber = false
- includeLicenseText = false
+configurations {
+ runtimeClasspath {
+ resolutionStrategy.activateDependencyLocking()
+ }
+}
+
+tasks.register('resolveAndLockAll') {
+ notCompatibleWithConfigurationCache("Filters configurations at execution time")
+ doFirst {
+ assert gradle.startParameter.writeDependencyLocks : "$path must be run from the command line with the `--write-locks` flag"
+ }
+ doLast {
+ configurations.findAll { it.canBeResolved }.each { it.resolve() }
+ }
 }
 
 tasks.withType(org.gradle.api.tasks.testing.Test) {
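Review bot: The new `scan` recipe rewrites `fabric-chaincode-shim/gradle.lockfile` on every run via `--write-locks`, and the first hunk adds that file to `.gitignore`, so osv-scanner always reports on whatever resolved at scan time rather than on a committed, reviewed dependency set; a transitive version that drifts between two runs leaves no diff to show for it. If that is intended, state it above the target, e.g. `# gradle.lockfile is regenerated on each scan and not committed; results reflect current resolution`. If a reproducible scan is wanted instead, keep the lockfile out of `.gitignore`, commit it, and run `resolveAndLockAll --write-locks` only when dependencies change.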
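Review bot: Dependency locking is activated only on `runtimeClasspath`, so the lockfile the `scan` target hands to osv-scanner covers runtime dependencies alone; test-scoped dependencies and annotation processors are never scanned, and presumably the buildscript classpath is not either since it is not part of the project's `configurations`. Meanwhile the `doLast` loop resolves every resolvable configuration, which has no locking effect for the ones that are not locked. The scope matches the removed `includeConfigs = ["runtimeClasspath"]`, but nothing in the new block says it is deliberate. Either widen it by replacing the `configurations { runtimeClasspath { ... } }` block with `dependencyLocking { lockAllConfigurations() }`, or add a comment such as `// Lock only runtimeClasspath: the osv-scanner target covers shipped dependencies, not test or build tooling`.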