cyclonedx-maven-plugin
Multi-module projects slow to build due to makeAggregateBom trying to download reactor modules from repo
The makeAggregateBom goal causes Maven to attempt to fetch some reactor modules from the repo instead of from the local project files. This occurs when one project module depends on another and thus that second one is listed as a dependency. At best you see warning messages like this:
```
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.example:cyclonedx-test-service:jar:1.0-SNAPSHOT (compile)
[WARNING] o org.example:cyclonedx-test-common:jar:1.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
```
At worst, if your project is set up to fetch snapshot dependencies, it leads to Maven trying to download each module from its configured repository, and waiting for a timeout before continuing. In my organisation using Artifactory this adds 15sec to 30sec for each module it tries to download (I think Artifactory has a 15sec timeout on failing to find an artifact):
```
Downloading from maven-digital-virtual: https://artifactory.my-company.com/artifactory/org/example/cyclonedx-test-common/1.0-SNAPSHOT/maven-metadata.xml
{..wait 15sec for timeout..}
Downloading from maven-digital-virtual: https://artifactory.my-company.com/artifactory/org/example/cyclonedx-test-common/1.0-SNAPSHOT/cyclonedx-test-common-1.0-SNAPSHOT.jar
{..wait 15sec for timeout..}
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.example:cyclonedx-test-common:jar:1.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
Downloading from maven-digital-virtual: https://artifactory.my-company.com/artifactory/org/example/cyclonedx-test-service/1.0-SNAPSHOT/maven-metadata.xml
{..wait 15sec for timeout..}
Downloading from maven-digital-virtual: https://artifactory.my-company.com/artifactory/org/example/cyclonedx-test-service/1.0-SNAPSHOT/cyclonedx-test-service-1.0-SNAPSHOT.jar
{..wait 15sec for timeout..}
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.example:cyclonedx-test-service:jar:1.0-SNAPSHOT (compile)
[WARNING] o org.example:cyclonedx-test-common:jar:1.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
```
This is also mentioned in issue #85, which only talks about the warning message.
The basic setup for reproducing this is as follows:
- Multi-module project with some modules depending on others (e.g. module 'web' includes module 'common' as a dependency).
- Use of a repo mirror with snapshots enabled.
- Run cyclonedx 'makeAggregateBom' as part of the build or via cli as `mvn cyclonedx:makeAggregateBom`.
- Maven will attempt to download module 'common' from the repo mirror.
Example project attached: cyclonedx-test.zip
Steps to reproduce issue using attached project:
- Configure pom.xml with url of a repo mirror (preferably Artifactory)
- Run `mvn cyclonedx:makeAggregateBom`
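
To see which reactor modules a build actually requested from the remote repository, the following added example (not part of the original report or the plugin's code) correlates the reactor warnings with `Downloading from` lines in a captured build log. The sample log is constructed from the excerpts above, and the `maven-central` line and its URL are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log excerpts in the report.
SAMPLE_LOG = """\
Downloading from maven-digital-virtual: https://artifactory.my-company.com/artifactory/org/example/cyclonedx-test-common/1.0-SNAPSHOT/maven-metadata.xml
Downloading from maven-digital-virtual: https://artifactory.my-company.com/artifactory/org/example/cyclonedx-test-common/1.0-SNAPSHOT/cyclonedx-test-common-1.0-SNAPSHOT.jar
[WARNING] The following dependencies could not be resolved at this point of the build but seem to be part of the reactor:
[WARNING] o org.example:cyclonedx-test-common:jar:1.0-SNAPSHOT (compile)
[WARNING] Try running the build up to the lifecycle phase "package"
Downloading from maven-central: https://repo.example.invalid/maven2/com/other/lib/2.0/lib-2.0.jar
"""

REACTOR_HEADER = "seem to be part of the reactor"
# Four-part form shown in the report: group:artifact:type:version (scope)
COORD = re.compile(r"^\[WARNING\] o ([^:\s]+):([^:\s]+):[^:\s]+:(\S+) \(")
DOWNLOAD = re.compile(r"Downloading from (\S+): (\S+)")


def reactor_fetches(log_text):
    """Map each reactor module named in a warning to the remote requests made for it."""
    lines = log_text.splitlines()
    modules, in_block = set(), False
    for line in lines:
        if REACTOR_HEADER in line:
            in_block = True
            continue
        m = COORD.match(line) if in_block else None
        if m:
            modules.add(m.groups())
        else:
            in_block = False
    hits = defaultdict(list)
    for line in lines:
        d = DOWNLOAD.search(line)
        if not d:
            continue
        repo, url = d.groups()
        for group, artifact, version in modules:
            # Maven repository layout: <group as path>/<artifact>/<version>/
            path = "/%s/%s/%s/" % (group.replace(".", "/"), artifact, version)
            if path in url:
                hits["%s:%s:%s" % (group, artifact, version)].append((repo, url))
    return dict(hits)


if __name__ == "__main__":
    for gav, requests in sorted(reactor_fetches(SAMPLE_LOG).items()):
        print(gav, "requested remotely", len(requests), "time(s)")
```
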
I got the exact same issue
Same here