
Could not generate SBOM with private Repo

Open jojen opened this issue 2 years ago • 1 comments

My ~/.m2/settings.xml file contains the login information for this repo.

makeBom aborts with this info:

Could not find artifact org.apache.logging.log4j:log4j-api-java9:pom:2.10.0 in mycompany-nexus-maven-releases (https://nexus.mycompany.com/repository/maven-releases/)

jojen avatar Sep 15 '22 13:09 jojen

Thanks for reporting. I do not have a way to reproduce, so any additional information would be appreciated.

stevespringett avatar Sep 26 '22 00:09 stevespringett

@stevespringett I have the same problem. The settings.xml of the project specifies the local Nexus repository where artifacts are uploaded, including the example.jar file. When running a CycloneDX job, an error occurs:

[ERROR] Failed to execute goal on project example: Could not resolve dependencies for project example:jar:1.0.0: Could not find artifact example:jar:1.11 in central (https://repo.maven.apache.org/maven2) -> [Help 1]

How can I solve my problem? What data do you need to help me?

2013kaa avatar Oct 06 '22 11:10 2013kaa

@jojen did you manage to solve this problem?

2013kaa avatar Oct 06 '22 11:10 2013kaa

@2013kaa In my case I use Spring Boot. I cannot find this dependency in my dependency tree.

If I change the Spring Boot version, this error does not show up any more.

jojen avatar Oct 06 '22 14:10 jojen

@stevespringett Can you try to run makeBom with this pom.xml? In my case I can reproduce.

https://start.spring.io/ -> generate project

Change project/parent/version in pom.xml to 2.0.0.RELEASE -> makeBom

jojen avatar Oct 06 '22 14:10 jojen

@jojen So I added

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.1</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>

to the pom generated by https://start.spring.io/

Works fine. Changed project/parent/version to 2.0.0.RELEASE and as expected, mvn clean package fails as Maven was not able to resolve the dependency.

Not sure what the purpose of trying to reproduce this was. Maven internals resolve dependencies. The CycloneDX Maven plugin uses the built-in Maven dependency resolution. If Maven cannot resolve dependencies, the CycloneDX Maven plugin will not either.

stevespringett avatar Oct 06 '22 15:10 stevespringett

I can reproduce this error without specifying a repo in settings.xml:

Could not find artifact org.apache.logging.log4j:log4j-api-java9:pom:2.13.3 in oss-sonatype (https://oss.sonatype.org/content/repositories/snapshots/)

Cloning the git repo for the cyclone plugin and updating the maven-dependency-tree dependency to the latest version (3.2.0) solved this for me.

<dependency>
    <groupId>org.apache.maven.shared</groupId>
    <artifactId>maven-dependency-tree</artifactId>
    <version>3.2.0</version>
</dependency>

Found this after comparing the dependency:tree plugin with cyclonedx. They do the same call to dependencyCollectorBuilder.collectDependencyGraph(buildingRequest, artifactFilter), but with different results, because of the different versions of DefaultDependencyGraphBuilder in versions 3.1.1 (cyclone) and 3.2.0 (dependency-tree and, I guess, Maven itself).

sanderv avatar Oct 10 '22 12:10 sanderv
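The comparison sanderv describes (Maven's own dependency:tree versus what the plugin puts in the BOM) is worth automating in a pipeline, because any artifact the BOM lists at a different version than Maven resolved, or omits entirely, means the SBOM does not describe the jar that was actually built. The script below is an added example and is not code from the cyclonedx-maven-plugin project: it parses a constructed sample of `mvn dependency:tree` text output and a constructed CycloneDX 1.4 JSON BOM, reduces both to group:artifact:version keys, and reports the differences. The coordinates (`com.example:demo`, `org.example:*`), the scope filter defaults and the sample data are all assumptions made for the example; adjust `scopes` to match the plugin's include*Scope configuration in your build.

```python
"""Cross-check a CycloneDX BOM against Maven's own dependency:tree output.

Added example, not part of the cyclonedx-maven-plugin.  The plugin relies on
Maven's resolver, so the components it emits should line up with what
`mvn dependency:tree` reports; a key present on one side and absent on the
other points at a resolver-version mismatch (as in this thread) or a scope
filter difference, not at a real change in the project's dependencies.
"""
import json
from typing import Dict, Iterable, List, Set, Tuple

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample of `mvn dependency:tree` text output (not real output).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.example:core-lib:jar:1.2.0:compile
[INFO] |  +- org.example:util-lib:jar:3.4.1:compile
[INFO] |  \- org.example:log-api:pom:2.10.0:compile
[INFO] \- org.example:test-kit:jar:5.0.0:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# Constructed sample BOM (CycloneDX 1.4 JSON).  log-api deliberately carries a
# version that disagrees with the tree above, standing in for the mismatch
# between two resolver versions that the thread describes.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "group": "com.example",
                             "name": "demo", "version": "1.0.0"}},
  "components": [
    {"type": "library", "group": "org.example", "name": "core-lib",
     "version": "1.2.0", "purl": "pkg:maven/org.example/core-lib@1.2.0?type=jar"},
    {"type": "library", "group": "org.example", "name": "util-lib",
     "version": "3.4.1", "purl": "pkg:maven/org.example/util-lib@3.4.1?type=jar"},
    {"type": "library", "group": "org.example", "name": "log-api",
     "version": "2.9.0", "purl": "pkg:maven/org.example/log-api@2.9.0?type=pom"}
  ]
}
"""


def parse_coordinate(token: str) -> Tuple[str, str]:
    """Parse groupId:artifactId:type[:classifier]:version[:scope].

    Returns (group:artifact:version, scope).  Type and classifier are dropped
    from the key because the comparison is done on GAV coordinates.  Splitting
    on ':' and checking the part count avoids the classifier/version ambiguity
    a regex would have.  Raises ValueError for tokens that are not coordinates.
    """
    parts = token.split(":")
    scope = parts.pop() if parts[-1] in MAVEN_SCOPES else ""
    if len(parts) == 4:
        group, artifact, _type, version = parts
    elif len(parts) == 5:
        group, artifact, _type, _classifier, version = parts
    else:
        raise ValueError(f"not a Maven coordinate: {token!r}")
    return f"{group}:{artifact}:{version}", scope


def parse_dependency_tree(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (root GAV, {dependency GAV: scope}) from dependency:tree output."""
    root = ""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("[INFO]"):
            continue
        # Drop the log prefix and the tree-drawing characters (|, +-, \-).
        token = line[len("[INFO]"):].lstrip(" |+\\-")
        if not token or " " in token or ":" not in token:
            continue  # banners, separators, plugin headers
        try:
            gav, scope = parse_coordinate(token)
        except ValueError:
            continue
        if not root:  # the first coordinate printed is the project itself
            root = gav
        else:
            deps[gav] = scope
    return root, deps


def bom_components(bom_json: str) -> Set[str]:
    """Collect GAV keys for every component in a CycloneDX JSON BOM."""
    bom = json.loads(bom_json)
    return {f"{c['group']}:{c['name']}:{c['version']}"
            for c in bom.get("components", [])}


def compare_bom_to_tree(bom_json: str, tree_text: str,
                        scopes: Iterable[str] = ("compile", "provided",
                                                 "runtime", "system"),
                        ) -> Tuple[List[str], List[str]]:
    """Return (resolved by Maven but missing from BOM, in BOM but not resolved).

    `scopes` must mirror the plugin's include*Scope settings; the default here
    is an assumption that test-scoped dependencies are not in the BOM.
    """
    wanted = set(scopes)
    _root, deps = parse_dependency_tree(tree_text)
    expected = {gav for gav, scope in deps.items() if scope in wanted}
    actual = bom_components(bom_json)
    return sorted(expected - actual), sorted(actual - expected)


if __name__ == "__main__":
    missing, extra = compare_bom_to_tree(SAMPLE_BOM_JSON, SAMPLE_TREE)
    for gav in missing:
        print(f"MISSING from BOM:      {gav}")
    for gav in extra:
        print(f"NOT RESOLVED by Maven: {gav}")
```

In a real build you would feed it `mvn dependency:tree -DoutputFile=tree.txt` and the `target/bom.json` that makeBom writes, and fail the job when either list is non-empty; on the sample data it reports `org.example:log-api:2.10.0` as missing from the BOM and `org.example:log-api:2.9.0` as not resolved by Maven, which is exactly the signature of two resolver versions disagreeing.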

PR https://github.com/CycloneDX/cyclonedx-maven-plugin/pull/213

sanderv avatar Oct 10 '22 14:10 sanderv

Thanks for identifying the root cause and subsequent PR @sanderv. Much appreciated. In the process of pushing v2.7.2 of the plugin to Central. Should be available shortly.

stevespringett avatar Oct 10 '22 14:10 stevespringett