
Make name of attached artifact configurable (and hence support multi-bom projects)

Open lfvjimisola opened this issue 10 months ago • 4 comments

Due to compliance requirements we need to provide a runtime SBOM and a test SBOM and have them attached during install/deploy.

However,

By default, the BOM(s) will be attached as additional artifacts with the cyclonedx classifier and xml or json extension during a Maven install or deploy:

${project.artifactId}-${project.version}-cyclonedx.xml
${project.artifactId}-${project.version}-cyclonedx.json

which results in

[WARNING] artifact x:y:json:cyclonedx:0.8.15-SNAPSHOT already attached, replace previous instance

The name of the SBOM artifact needs to be configurable on a per-SBOM basis (it's currently hard-coded) within the <configuration> section, in addition to <outputName>.

lfvjimisola avatar Apr 03 '24 09:04 lfvjimisola

For this and other use cases - would it be possible to support the configuration settings also as command line options?

mjaix avatar May 08 '24 11:05 mjaix

oh, both separate test and runtime SBOMs requirements: it seems we now have a use case for #433

@lfvjimisola in that case, what would you configure for the 2 runs, so we share complete example?

hboutemy avatar May 16 '24 06:05 hboutemy

> oh, both separate test and runtime SBOMs requirements: it seems we now have a use case for #433
>
> @lfvjimisola in that case, what would you configure for the 2 runs, so we share complete example?

That's great news. Of course, my team member @lfvjonas will provide one here today.

lfvjimisola avatar May 16 '24 07:05 lfvjimisola

This is the configuration we have.

```xml
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.7.10</version>
  <executions>
    <!-- runtime SBOM, written to target/classes/bom.json -->
    <execution>
      <id>runtime-sbom</id>
      <phase>generate-resources</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
      <configuration>
        <outputFormat>json</outputFormat>
        <outputName>classes/bom</outputName>
      </configuration>
    </execution>
    <!-- test SBOM: only test-scope dependencies, written to target/cyclonedx/test-bom.json -->
    <execution>
      <id>test-sbom</id>
      <phase>package</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
      <configuration>
        <includeCompileScope>false</includeCompileScope>
        <includeProvidedScope>false</includeProvidedScope>
        <includeRuntimeScope>false</includeRuntimeScope>
        <includeSystemScope>false</includeSystemScope>
        <includeTestScope>true</includeTestScope>
        <outputName>cyclonedx/test-bom</outputName>
        <outputFormat>json</outputFormat>
      </configuration>
    </execution>
  </executions>
</plugin>
```

lfvJonas avatar May 16 '24 07:05 lfvJonas
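The collision reported in the first post can be predicted from the POM alone: Maven keys an attached artifact on groupId:artifactId:type:classifier:version, the plugin hard-codes the `cyclonedx` classifier, and the type comes from `<outputFormat>`, so two executions in one module that emit the same format attach identical coordinates and the later one replaces the earlier one. Whichever execution runs last is what ends up in the repository, so a consumer may download the test inventory believing it is the runtime one. The following check is an added example, not code from the plugin or from anyone in this thread. It parses a constructed POM that mirrors the configuration posted above and reproduces the warning from the first post. It assumes that `all` is the plugin's default when `<outputFormat>` is absent and that `<skipAttach>true</skipAttach>` suppresses attachment for an execution; both are stated as assumptions in the code.

```python
"""Predict colliding SBOM attachments across cyclonedx-maven-plugin executions.

Added example; not part of the plugin. Maven identifies an attached artifact
by groupId:artifactId:type:classifier:version. The plugin fixes the classifier
to 'cyclonedx' and takes the type from <outputFormat>, so two executions that
emit the same format attach the same coordinates and the second replaces the
first (the "already attached, replace previous instance" warning).
"""
import xml.etree.ElementTree as ET

PLUGIN_ARTIFACT_ID = "cyclonedx-maven-plugin"
CLASSIFIER = "cyclonedx"          # hard-coded by the plugin (see the first post)
DEFAULT_OUTPUT_FORMAT = "all"     # assumption: plugin default when <outputFormat> is absent

# Constructed sample mirroring the two-execution configuration in this thread,
# with project coordinates taken from the warning line in the first post.
SAMPLE_POM = """<project>
  <groupId>x</groupId><artifactId>y</artifactId><version>0.8.15-SNAPSHOT</version>
  <build><plugins><plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.10</version>
    <executions>
      <execution><id>runtime-sbom</id><goals><goal>makeAggregateBom</goal></goals>
        <configuration><outputFormat>json</outputFormat><outputName>classes/bom</outputName></configuration>
      </execution>
      <execution><id>test-sbom</id><goals><goal>makeAggregateBom</goal></goals>
        <configuration><includeTestScope>true</includeTestScope><outputFormat>json</outputFormat></configuration>
      </execution>
    </executions>
  </plugin></plugins></build>
</project>"""


def attached_coordinates(pom_xml):
    """Map each artifact coordinate the plugin would attach to the executions attaching it."""
    root = ET.fromstring(pom_xml)
    # Real POMs carry the Maven namespace on every tag; the constructed sample does not.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    group_id = root.findtext(f"{ns}groupId")
    artifact_id = root.findtext(f"{ns}artifactId")
    version = root.findtext(f"{ns}version")

    attachments = {}
    for plugin in root.iter(f"{ns}plugin"):
        if plugin.findtext(f"{ns}artifactId") != PLUGIN_ARTIFACT_ID:
            continue
        for execution in plugin.iter(f"{ns}execution"):
            exec_id = execution.findtext(f"{ns}id") or "default"
            conf = execution.find(f"{ns}configuration")
            fmt = DEFAULT_OUTPUT_FORMAT
            skip_attach = False
            if conf is not None:
                fmt = (conf.findtext(f"{ns}outputFormat") or fmt).strip().lower()
                # assumption: <skipAttach>true</skipAttach> disables attachment
                skip_attach = (conf.findtext(f"{ns}skipAttach") or "false").strip().lower() == "true"
            if skip_attach:
                continue
            # 'all' writes and attaches both formats, each under its own type.
            types = ["xml", "json"] if fmt == "all" else [fmt]
            for artifact_type in types:
                coord = f"{group_id}:{artifact_id}:{artifact_type}:{CLASSIFIER}:{version}"
                attachments.setdefault(coord, []).append(exec_id)
    return attachments


def collisions(attachments):
    """Coordinates attached by more than one execution; only the last listed one survives."""
    return {c: ids for c, ids in attachments.items() if len(ids) > 1}


def maven_warnings(attachments):
    """Render collisions the way Maven reports them during install/deploy."""
    return [f"[WARNING] artifact {c} already attached, replace previous instance"
            for c in collisions(attachments)]


if __name__ == "__main__":
    for line in maven_warnings(attached_coordinates(SAMPLE_POM)):
        print(line)
```

Run it against the module's effective POM (`mvn help:effective-pom`) before adding a second execution. Setting `skipAttach` on the test execution makes the warning disappear, but only by not publishing the test SBOM at all, which is exactly what this issue is asking to avoid; without a per-execution classifier there is no configuration under which both BOMs reach the repository.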