cyclonedx-maven-plugin icon indicating copy to clipboard operation
cyclonedx-maven-plugin copied to clipboard

Published 20 hours ago verified publisher icon CycloneDX

Add optional configuration parameter "includeLicenses".

Open akurth opened this issue 5 years ago • 9 comments

The default is true. Setting it to false will entirely omit component license information. This may be useful for environments where spdx.org cannot be reached or where license information is not relevant at all.

akurth avatar Dec 24 '19 10:12 akurth

This appears to be an issue with the SPDX tools library used by CycloneDX Core and not specific to the Maven plugin.

This PR seems to be a workaround rather than a solution. I'm more interested in having an offline solution that includes the license information than simply omitting it. I'll have to investigate the use of spdx-tools in cyclonedx-core-java and see if the license lookup functionality can be performed without spdx-tools, and if not, then I might need to create a ticket for the spdx-tools project to have their tool work in offline mode as a fallback.

stevespringett avatar Jan 09 '20 17:01 stevespringett

@stevespringett Can't we do both? Some will simply not be interested in the licensing altogether and this flag is valuable for those.

davidkarlsen avatar Jan 12 '20 15:01 davidkarlsen

@stevespringett Do you have any updates on this issue from SPDX tools library? As suggested by @davidkarlsen wouldn't it be helpful to have this flag as well for those not quite interested in the licensing?

rylyade1 avatar Jan 25 '20 00:01 rylyade1

BOMs are a statement of fact. Crippling the plugin through configuration which produces inaccurate license information for the purpose of getting around locked-down build environments is not something I support. Other ecosystems actually require outside access, so it's fortunate that Maven contains most of the information to create accurate BOMs in a disconnected environment.

Instead of modifying the plugin, try executing it with the following system property. SPDXParser.OnlyUseLocalLicenses=true.

mvn -DSPDXParser.OnlyUseLocalLicenses=true org.cyclonedx:cyclonedx-maven-plugin:1.6.1:makeAggregateBom

stevespringett avatar Jan 25 '20 03:01 stevespringett

Adding the system property seems to work wonders. Thanks!

davidkarlsen avatar Jan 29 '20 21:01 davidkarlsen

It would be nice to have the plugin pass a maven property to the SPDXParser.OnlyUseLocalLicenses system property for the tool. Having to set system property makes it harder to manage in an enterprise environment where you have countless builds that now have to add this system property instead of just setting a maven property in a centrally managed pom.

leonard84 avatar Feb 04 '20 15:02 leonard84

@stevespringett, what about proxying configuration for SPDXParser in the plugin? Would that be something feasible? We have a company-pom and in the CI environment we now had to adjust MAVEN_OPTS. It is a pity that the URL for licenses.json is not injectible but hard-coded.

mfriedenhagen avatar Feb 04 '20 15:02 mfriedenhagen

@stevespringett, what about my suggestion to proxy the SPDXParser configuration?

mfriedenhagen avatar May 20 '20 09:05 mfriedenhagen

Thanks for the ping @mfriedenhagen. I'm actually working to remove reliance on SPDX Tools from the next major release of CycloneDX Core Java. v3.0.0 will likely be released in June shortly after the launch of the CycloneDX v1.2 spec. Once an updated Core Java module is published without SPDX Tools, the proxy issue disappears.

stevespringett avatar May 20 '20 18:05 stevespringett