Documentation for makeBom and makeAggregateBom

I ran into a problem using the goal makeAggregateBom and think that I have now solved it, giving the details below. If I got things right then perhaps this might help improve documentation. If I got things wrong, then I need to know that too!

I used the makeAggregateBom goal as detailed in the documentation and the result was that the goal was executed for every single module in the project. I did notice this, and realized that all my multiple generated BOM files were essentially the same thing (albeit with component ordering seeming to be different every time). This did not cause too big a problem in small projects (and I had no problem grabbing the “parent BOM” in Dependency-Track Plugin config).

However, the configuration fell over when applied to large projects because things took too long to run (the following console output shows absolute timestamps):

12:44:36 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProject ---
12:45:46 [INFO] CycloneDX: Creating BOM

12:45:56 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule1 ---
12:47:08 [INFO] CycloneDX: Creating BOM

12:47:15 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule2 ---
12:48:23 [INFO] CycloneDX: Creating BOM

12:48:26 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule3 ---
12:49:35 [INFO] CycloneDX: Creating BOM

12:49:43 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule4 ---
12:50:53 [INFO] CycloneDX: Creating BOM

12:50:56 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule5 ---
12:51:57 [INFO] CycloneDX: Creating BOM

12:52:00 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule6 ---
12:52:51 [INFO] CycloneDX: Creating BOM

For a project with 46 modules this was increasing the total job run time by an hour!

My solution was to use the <inherited> tag thus:

<pluginManagement>
    <plugins>
        <plugin>
            <groupId>org.cyclonedx</groupId>
            <artifactId>cyclonedx-maven-plugin</artifactId>
            <version>1.3.1</version>
            <executions>
                <execution>
                    <id>cyclonedx-aggregate</id>
                    <phase>verify</phase>
                    <goals>
                        <goal>makeAggregateBom</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <includeCompileScope>true</includeCompileScope>
                <includeProvidedScope>true</includeProvidedScope>
                <includeRuntimeScope>true</includeRuntimeScope>
                <includeSystemScope>true</includeSystemScope>
                <includeTestScope>false</includeTestScope>
             </configuration>
         </plugin>
    </plugins>
</pluginManagement>
 
<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <inherited>false</inherited>
     </plugin>
</plugins>

Now, this configuration worked for the project to which it was added… the goal ran once and once only and the resulting BOM was correct.

Additionally, this project parents many other projects. Thus, to those projects, all I had to do was use:

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <inherited>false</inherited>
</plugin>

ie, “reset” things so that CycloneDX runs makeAggregateBom with inheritance turned off “at the right level” (does that make sense?).

One extra thing that I think would be useful to have in documentation is an explanation of makeBom and makeAggregateBom with a use case or two. Just to get people thinking of possibilities…