
Running makeAggregateBom on nested project fails due to empty bom file with schemaVersion 1.1

Open bgiaccio opened this issue 3 years ago • 2 comments

I tried updating the plugin from 2.5.3 to 2.6.2 using schema 1.1 and get the following

[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[ERROR] Failed to execute goal org.cyclonedx:cyclonedx-maven-plugin:2.6.2:makeAggregateBom (default) on project dashboard-parent: The BOM does not conform to the CycloneDX BOM standard as defined by the XSD

As near as I can determine this is because I have a structure of maven modules where I have root

  • shared
    • A
    • B
    • C
  • services
    • One
    • Two

And the shared and services directories themselves have no code to build and as such no dependencies, resulting in a two-line BOM:

<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:073ab8ba-ee32-4df2-b657-8c1cf980dff4" version="1" xmlns="http://cyclonedx.org/schema/bom/1.1"/>

bgiaccio, May 23 '22 14:05
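The failure mode in the report is an aggregator module with nothing to build, whose BOM is a bare `<bom/>` element with no `<components>` child. The following pre-validation check is an added example, not code from the cyclonedx-maven-plugin project or from the reporter: it reads the schema version out of the BOM's default namespace and flags empty BOMs on schema 1.0 and 1.1, where (per the maintainer's comment, taken here as an assumption) `<components>` is mandatory and the XSD rejects the file, while 1.2 and later accept it. The sample BOMs are constructed inline; the empty 1.1 one is a copy of the two-line BOM above.

```python
"""Guard for empty CycloneDX reactor BOMs (added example, not project code)."""
import re
import xml.etree.ElementTree as ET

BOM_NS_PREFIX = "http://cyclonedx.org/schema/bom/"
# Assumption from the thread: <components> is required by the 1.0/1.1 XSD,
# optional from 1.2 on. Adjust if you validate against a different schema.
FIRST_VERSION_ALLOWING_EMPTY_BOM = (1, 2)

# Constructed samples: the empty 1.1 BOM from the issue, an empty 1.4 BOM,
# and a populated 1.1 BOM for comparison.
EMPTY_BOM_1_1 = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<bom serialNumber="urn:uuid:073ab8ba-ee32-4df2-b657-8c1cf980dff4" '
    'version="1" xmlns="http://cyclonedx.org/schema/bom/1.1"/>\n'
)
EMPTY_BOM_1_4 = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.4"/>\n'
)
POPULATED_BOM_1_1 = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.1">\n'
    '  <components>\n'
    '    <component type="library">\n'
    '      <group>junit</group><name>junit</name><version>4.13.2</version>\n'
    '    </component>\n'
    '  </components>\n'
    '</bom>\n'
)


def schema_version(root: ET.Element) -> tuple[int, int]:
    """Return (major, minor) taken from the bom element's namespace URI."""
    m = re.fullmatch(r"\{" + re.escape(BOM_NS_PREFIX) + r"(\d+)\.(\d+)\}bom", root.tag)
    if not m:
        raise ValueError(f"not a CycloneDX XML BOM root element: {root.tag}")
    return int(m.group(1)), int(m.group(2))


def has_components(root: ET.Element) -> bool:
    """True if the BOM carries a <components> element in its own namespace."""
    ns = root.tag[1:root.tag.index("}")]
    return root.find(f"{{{ns}}}components") is not None


def check_bom(xml_text: str) -> dict:
    """Classify one BOM: schema version, whether it is empty, and whether the
    empty-BOM corner case described in the issue will make XSD validation fail."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    major, minor = schema_version(root)
    empty = not has_components(root)
    fails_xsd = empty and (major, minor) < FIRST_VERSION_ALLOWING_EMPTY_BOM
    return {"schema": f"{major}.{minor}", "empty": empty, "fails_xsd": fails_xsd}


def failing_reactor_boms(boms: dict[str, str]) -> list[str]:
    """Given {module path: bom.xml text} for a reactor build, list the modules
    whose BOM would be rejected, so the build can fail early with a clear cause."""
    return sorted(path for path, text in boms.items() if check_bom(text)["fails_xsd"])


if __name__ == "__main__":
    reactor = {  # hypothetical module layout from the issue
        "shared/target/bom.xml": EMPTY_BOM_1_1,
        "shared/A/target/bom.xml": POPULATED_BOM_1_1,
        "services/target/bom.xml": EMPTY_BOM_1_1,
    }
    for path in failing_reactor_boms(reactor):
        print(f"{path}: empty BOM on schema < 1.2 will not validate")
```

Running the check over every `target/bom.xml` in the reactor before the plugin's own validation step points at the code-less aggregator modules directly, instead of the single `The BOM does not conform` error that names only the parent.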

As a workaround, try setting outputReactorProjects to false in the plugin's configuration. This corner case likely only occurs with CycloneDX 1.0 and 1.1 and should not occur with v1.2 and higher.

stevespringett, May 23 '22 15:05
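The workaround above as a pom.xml plugin block, written here as an added example rather than configuration taken from the project or from the thread. It assumes plugin version 2.6.2 as in the report and the `schemaVersion` and `outputReactorProjects` parameter names used in the thread; the phase and execution binding are illustrative.

```xml
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.6.2</version>
  <configuration>
    <!-- Schema 1.1 as in the report. The other way out of the corner case
         is to move to 1.2 or later, where an empty BOM is not rejected. -->
    <schemaVersion>1.1</schemaVersion>
    <!-- Workaround from the comment above: do not write a BOM per reactor
         module, so the code-less 'shared' and 'services' aggregators never
         produce an empty <bom/> that the 1.1 XSD rejects. Only the
         aggregate BOM of the root project is written. -->
    <outputReactorProjects>false</outputReactorProjects>
  </configuration>
  <executions>
    <execution>
      <id>default</id>
      <phase>package</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With `outputReactorProjects` left at its default, every module in the reactor gets its own `target/bom.xml`, including the aggregator directories that have no dependencies; setting it to false sidesteps the empty-BOM validation failure without changing the contents of the aggregate BOM.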

I just ran into the same problem with 2.6.2 (and with 2.7.0-SNAPSHOT):

Running...

verify org.cyclonedx:cyclonedx-maven-plugin:2.7.0-SNAPSHOT:makeBom

Jenkins console log:

[INFO] --- cyclonedx-maven-plugin:2.6.2:makeBom (default-cli) @ maven-tests ---
[INFO] CycloneDX: Parameters
[INFO] ------------------------------------------------------------------------
[INFO] schemaVersion          : 1.4
[INFO] includeBomSerialNumber : true
[INFO] includeCompileScope    : true
[INFO] includeProvidedScope   : true
[INFO] includeRuntimeScope    : true
[INFO] includeTestScope       : false
[INFO] includeSystemScope     : true
[INFO] includeLicenseText     : false
[INFO] outputFormat           : all
[INFO] outputName             : bom
[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /var/lib/jenkins/workspace/Tools/Maven-Tests_DS-418/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /var/lib/jenkins/workspace/Tools/Maven-Tests_DS-418/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /var/lib/jenkins/workspace/Tools/Maven-Tests_DS-418/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /var/lib/jenkins/workspace/Tools/Maven-Tests_DS-418/target/bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword

This was with the simplest possible project. No modules, and:

    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-dependency-plugin</artifactId>
                    <version>3.2.0</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>

    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.13.2</version>
            <scope>test</scope>
        </dependency>
    </dependencies>

I did get a valid BOM output.

As an aside, how come outputReactorProjects (and projectType) is not included in the logging?

msymons, May 23 '22 20:05