How to configure the plugin to only create one SBOM for all submodules?
I have a multi-module Maven project which I’d like to create an SBOM for with cyclonedx-maven-plugin 2.6.1. The parent pom looks like this:
...
<modules>
  <module>d</module>
  <module>c</module>
  <module>b</module>
  <module>a</module>
  <module>z</module>
  <module>y</module>
  <module>x</module>
</modules>
<dependencyManagement>
  <dependencies>
    <dependency>
      ...
    </dependency>
  </dependencies>
</dependencyManagement>
<build>
  <pluginManagement>
    <plugins>
      ...
    </plugins>
  </pluginManagement>
  <plugins>
    ...
  </plugins>
</build>
<profiles>
  <profile>
    <id>cyclonedx-maven</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.cyclonedx</groupId>
          <artifactId>cyclonedx-maven-plugin</artifactId>
          <inherited>false</inherited>
          <version>2.6.1</version>
          <executions>
            <execution>
              <phase>install</phase>
              <goals>
                <goal>makeAggregateBom</goal>
              </goals>
            </execution>
          </executions>
          <configuration>
            <projectType>application</projectType>
            <schemaVersion>1.4</schemaVersion>
            <includeBomSerialNumber>true</includeBomSerialNumber>
            <includeCompileScope>true</includeCompileScope>
            <includeProvidedScope>true</includeProvidedScope>
            <includeRuntimeScope>true</includeRuntimeScope>
            <includeSystemScope>true</includeSystemScope>
            <includeTestScope>false</includeTestScope>
            <includeLicenseText>true</includeLicenseText>
            <outputFormat>json</outputFormat>
            <outputName>sbom-report</outputName>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
  ...
  <reporting>
    ...
  </reporting>
</profiles>
The submodules look like this:
<project>
  ...
  <parent>
    ...
  </parent>
  <dependencies>
    <dependency>
      ...
    </dependency>
  </dependencies>
</project>
When I run mvn -U -B -e install -Pjenkins -DskipTests=true -Pcyclonedx-maven
the following log appears:
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] ... [pom]
[INFO] ... [pom]
[INFO] ... [pom]
[INFO] ... [jar]
[INFO] ... [jar]
[INFO] ... [pom]
[INFO] ... [jar]
[INFO] ... [pom]
...
[INFO]
[INFO] -----------------------< groupid/... >------------------------
[INFO] Building [1/180]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0-M3:enforce (enforce-maven) @ ---
[INFO]
[INFO] --- properties-maven-plugin:1.0.0:set-system-properties (default) @ ---
[INFO] Set 1 system property
[INFO]
[INFO] --- maven-install-plugin:3.0.0-M1:install (default-install) @ ---
[INFO] Installing path/pom.xml to /.m2/repository/.../SNAPSHOT.pom
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] depnameSNAPSHOT (test)
[WARNING] depnameSNAPSHOT (test)
...
[WARNING] Try running the build up to the lifecycle phase "package"
[INFO]
[INFO] --- cyclonedx-maven-plugin:2.6.1:makeAggregateBom (default) @ ---
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (JSON): path
[INFO] CycloneDX: Validating BOM (JSON): path
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (JSON): path
[INFO] CycloneDX: Validating BOM (JSON): path
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (JSON): path
[INFO] CycloneDX: Validating BOM (JSON): path
How do I need to configure the plugin in order to only produce one BOM which still uses the aggregate goal to cover all submodules as well? I’ve tried to follow issue #13, but the solution did not work for me. Cyclone still creates reports for every submodule.
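An added check, not part of the issue or of the plugin itself: whatever configuration ends up producing the single aggregate BOM, it is worth verifying that the resulting CycloneDX JSON really describes every reactor module listed in the parent pom's <modules>. The script below uses a constructed parent POM with the module list from the issue and a constructed BOM shaped like the plugin's JSON output; the groupId com.example and version 1.0-SNAPSHOT are placeholders.

```python
# Constructed sample data: a parent pom.xml with the issue's <modules> list and a
# CycloneDX 1.4 JSON document shaped like cyclonedx-maven-plugin's JSON output.
import json
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0-SNAPSHOT</version>
  <modules>
    <module>d</module><module>c</module><module>b</module><module>a</module>
    <module>z</module><module>y</module><module>x</module>
  </modules>
</project>"""

# Module "x" is deliberately left out so the check has something to report.
AGGREGATE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "metadata": {"component": {"type": "application",
                               "purl": "pkg:maven/com.example/parent@1.0-SNAPSHOT"}},
    "components": [{"type": "library", "purl": f"pkg:maven/com.example/{m}@1.0-SNAPSHOT"}
                   for m in "dcbazy"]
                  + [{"type": "library", "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.36"}],
})


def reactor_modules(pom_xml: str) -> list[str]:
    """Return the <module> names declared in a parent POM, in declaration order."""
    root = ET.fromstring(pom_xml)
    return [m.text.strip() for m in root.findall(f"{POM_NS}modules/{POM_NS}module")]


def bom_purls(bom_json: str) -> set[str]:
    """Collect every purl in the BOM: metadata.component plus all components."""
    bom = json.loads(bom_json)
    purls = {c.get("purl") for c in bom.get("components", [])}
    purls.add(bom.get("metadata", {}).get("component", {}).get("purl"))
    return {p for p in purls if p}


def missing_modules(pom_xml: str, bom_json: str, group_id: str, version: str) -> list[str]:
    """Modules from the POM that the BOM lacks. Assumes (as is usual in a reactor
    build) that each module inherits the parent's groupId and version."""
    purls = bom_purls(bom_json)
    return [m for m in reactor_modules(pom_xml)
            if f"pkg:maven/{group_id}/{m}@{version}" not in purls]
```

Point the functions at the real parent pom.xml and the generated sbom-report.json; an empty result from missing_modules means the aggregate BOM covers the whole reactor.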
Documentation is available at https://cyclonedx.github.io/cyclonedx-maven-plugin/
Thanks!