externalReference: Cannot convert 'static-analysis-report' to Enum
plugin v2.7.11 added support for custom External References via #428.
Following the documentation, I initially added the following to the configuration section of the pluginManagement entry for the plugin:

```xml
<externalReferences>
  <externalReference>
    <type>static-analysis-report</type>
    <url>https://foo.bar.com</url>
    <comment>SonarQube</comment>
  </externalReference>
</externalReferences>
```
...and got the following error:
```
[2024-01-29T17:15:05.211Z] [ERROR] Failed to execute goal org.cyclonedx:cyclonedx-maven-plugin:2.7.11:makeAggregateBom (default-cli) on project xxx-yyy: Unable to parse configuration of mojo org.cyclonedx:cyclonedx-maven-plugin:2.7.11:makeAggregateBom for parameter externalReference: Cannot convert 'static-analysis-report' to Enum: No enum constant org.cyclonedx.model.ExternalReference.Type.static-analysis-report -> [Help 1]
```
I then noticed the line at the bottom of the documentation:
Notice that the type value in the plugin configuration refers to a CycloneDX Core (Java) library constant name corresponding to CycloneDX type
...so I tried STATIC_ANALYSIS_REPORT for type, but got the same error.
Aside: I do think that the value of type should match what is in the CycloneDX documentation (e.g. the guide), as that makes it easier to expect common behaviour across plugins from different ecosystems (gradle, etc.). This could be important when a Jenkins server is providing type as a variable at build time.
2.7.11 only supports CycloneDX 1.4; you'll have to wait for 2.8.0 to use this 1.5 value (yes, the documentation for 2.8.0-SNAPSHOT is published before the release is done...)
@hboutemy, thank you for the clarification. I performed a bunch more testing and got the new functionality working, such that I now have Dependency-Track (which consumes all my SBOMs) successfully displaying additional external references that were configured in the plugin v2.7.11.
I think it would help if the documentation specifically mentioned the version limitation and that new external references are introduced with new versions of the specification... I can think of at least two new ones that will be added in CycloneDX v1.6.
Now that I have successfully tested the functionality, I confirmed that Enum Constants are required and the actual type (per the specification) gives an error and breaks the build, i.e., CHAT works and chat fails. I know that this would require extra code, but I really do think that it is important to allow configuration to specify the actual type. This will help ensure consistency in build environments that have scripted pipelines with Java jobs alongside npm, etc. Should I log this as a separate enhancement issue so that this issue (463) can be resolved with a simple documentation tweak?
As an aside, testing the new external references functionality inspired me to log CycloneDX/guides/issues/14
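A pre-flight check for the two failure modes discussed in this thread (a type that does not yet exist in the spec version the plugin emits, and a spec type name given where the plugin wants the Java enum constant), as an added example that is not part of the plugin or this issue. The plugin-to-spec mapping is taken from the reply above; the type lists are an assumed subset of the CycloneDX schema, and the pom fragment is constructed to mirror the configuration in the issue.

```python
import xml.etree.ElementTree as ET

# Assumed from the reply above: plugin 2.7.x writes CycloneDX 1.4, 2.8.x writes 1.5.
PLUGIN_SPEC = {"2.7": "1.4", "2.8": "1.5"}
# Types keyed by the spec version that introduced them; an assumed subset of the
# CycloneDX schema, not the complete list.
TYPES_ADDED_IN = {
    "1.4": {"vcs", "issue-tracker", "website", "advisories", "bom", "mailing-list",
            "social", "chat", "documentation", "support", "distribution", "license",
            "build-meta", "build-system", "release-notes", "other"},
    "1.5": {"security-contact", "threat-model", "pentest-report", "static-analysis-report",
            "dynamic-analysis-report", "vulnerability-assertion"},
}

def enum_constant(spec_type: str) -> str:
    """Spec type name -> cyclonedx-core-java enum constant name (chat -> CHAT)."""
    return spec_type.strip().upper().replace("-", "_")

def known_types(plugin_version: str) -> tuple:
    """(spec version the plugin emits, every type that spec version knows)."""
    spec = PLUGIN_SPEC[".".join(plugin_version.split(".")[:2])]
    ver = lambda v: tuple(int(x) for x in v.split("."))
    return spec, {t for v, ts in TYPES_ADDED_IN.items() if ver(v) <= ver(spec) for t in ts}

def check_references(pom_xml: str, plugin_version: str) -> list:
    """One (configured value, enum constant, problem or None) per <externalReference>."""
    spec, known = known_types(plugin_version)
    local = lambda tag: tag.split("}")[-1]  # strip the Maven POM namespace if present
    results = []
    for ref in ET.fromstring(pom_xml).iter():
        if local(ref.tag) != "externalReference":
            continue
        value = next(c.text for c in ref if local(c.tag) == "type").strip()
        spec_name = value.lower().replace("_", "-")  # normalise CHAT / chat to the spec name
        constant = enum_constant(spec_name)
        problem = None
        if spec_name not in known:  # wrong spec version: no spelling will make this work
            problem = f"'{spec_name}' is not in CycloneDX {spec} (plugin {plugin_version})"
        elif value != constant:  # right version, but the plugin wants the enum constant
            problem = f"plugin expects enum constant {constant}, not '{value}'"
        results.append((value, constant, problem))
    return results

# Constructed pom fragment mirroring the configuration in the issue above.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><build><pluginManagement><plugins>
<plugin><artifactId>cyclonedx-maven-plugin</artifactId><configuration><externalReferences>
<externalReference><type>static-analysis-report</type><url>https://foo.bar.com</url></externalReference>
<externalReference><type>CHAT</type><url>https://chat.example.test</url></externalReference>
</externalReferences></configuration></plugin></plugins></pluginManagement></build></project>"""
```

Running `check_references(POM, "2.7.11")` flags the first reference as unknown to CycloneDX 1.4, while `check_references(POM, "2.8.0")` flags only the missing enum-constant spelling.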