
SBOM generation should fail on unknown pom.xml dependency

Open metametadata opened this issue 1 year ago • 3 comments

pom.xml with the non-existent abc/def dependency:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
    <dependency>
      <groupId>abc</groupId>
      <artifactId>def</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>

Command:

CDXGEN_DEBUG_MODE=debug PREFER_MAVEN_DEPS_TREE=true cdxgen --fail-on-error --no-include-formulation --no-recurse --output sbom.json --type java

Expected

The command fails with a non-zero exit code, and sbom.json is not generated.

Actual

Exit code 0, and sbom.json is generated.

metametadata, Oct 24 '24 22:10
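Until the generator itself fails on an unresolvable dependency, a pipeline can close the gap described above with a post-generation gate: parse the direct dependencies declared in pom.xml and confirm each one is actually accounted for in the emitted CycloneDX JSON. The script below is an added example, not part of this issue or of cdxgen. The pom is the one from the report; the two SBOM documents are constructed by hand to stand in for cdxgen output (one missing abc:def, one containing it), and all function names are this example's own.

```python
"""Gate a CycloneDX SBOM against the dependencies declared in a pom.xml.

Added example (not cdxgen code): run after `cdxgen ... --output sbom.json`
and fail the build if any declared dependency is absent from the SBOM.
"""
import json
import sys
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# The pom.xml from the issue: abc:def:1.2.3 does not exist in any repository.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>abc</groupId>
      <artifactId>def</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed stand-in for the SBOM cdxgen emitted: exit code 0, no abc:def.
SAMPLE_SBOM_INCOMPLETE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "group": "foo", "name": "bar", "version": "1.0.0"}},
    "components": [],
}

# Constructed SBOM as it would look if the dependency had resolved.
SAMPLE_SBOM_COMPLETE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "group": "foo", "name": "bar", "version": "1.0.0"}},
    "components": [{"type": "library", "purl": "pkg:maven/abc/def@1.2.3?type=jar"}],
}


def declared_dependencies(pom_xml: str):
    """Return (groupId, artifactId, version) for each direct <dependency> in a POM.

    Versions are taken literally; a ${property} or a parent-managed (absent)
    version stays as written and will therefore show up as unmatched, which
    is the conservative outcome for a gate.
    """
    root = ET.fromstring(pom_xml.encode("utf-8"))
    deps = []
    for dep in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        deps.append((
            dep.findtext(f"{POM_NS}groupId") or "",
            dep.findtext(f"{POM_NS}artifactId") or "",
            dep.findtext(f"{POM_NS}version") or "",
        ))
    return deps


def maven_purl_coords(purl: str):
    """Parse pkg:maven/<group>/<name>@<version>[?qualifiers] into coordinates."""
    if not purl.startswith("pkg:maven/"):
        return None
    body = purl[len("pkg:maven/"):].split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    group, _, name = path.rpartition("/")
    return (group, name, version)


def sbom_maven_components(sbom: dict):
    """Collect Maven coordinates from both the purl and the explicit fields of each component."""
    found = set()
    for comp in sbom.get("components", []):
        coords = maven_purl_coords(comp.get("purl", ""))
        if coords:
            found.add(coords)
        if comp.get("name"):
            found.add((comp.get("group", ""), comp["name"], comp.get("version", "")))
    return found


def missing_dependencies(pom_xml: str, sbom: dict):
    """Declared dependencies that the SBOM does not account for (empty list means the gate passes)."""
    present = sbom_maven_components(sbom)
    return [d for d in declared_dependencies(pom_xml) if d not in present]


if __name__ == "__main__":
    # Usage: verify_sbom.py pom.xml sbom.json ; without arguments the constructed sample runs.
    if len(sys.argv) == 3:
        pom_text = open(sys.argv[1], encoding="utf-8").read()
        sbom_doc = json.load(open(sys.argv[2], encoding="utf-8"))
    else:
        pom_text, sbom_doc = SAMPLE_POM, SAMPLE_SBOM_INCOMPLETE
    missing = missing_dependencies(pom_text, sbom_doc)
    for group, name, version in missing:
        print(f"MISSING from SBOM: {group}:{name}:{version}", file=sys.stderr)
    sys.exit(1 if missing else 0)
```

The check deliberately matches on exact coordinates rather than on name alone, so a silently substituted or down-versioned artifact fails the gate just like an absent one; with `--no-recurse` and no transitive resolution it only validates the direct dependencies the POM declares, which is exactly the set the issue is about.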