cyclonedx-maven-plugin
makeAggregateBom regression - multiple attempts to deploy same file
I have been using version 2.2.0 and updated to 2.4.1 and 2.5.1 yesterday.
Our build started to fail then, as during the deploy phase the same artifact was uploaded twice. As our repository disallows overwriting artifacts (for good reason...), the second upload was denied and led to a build failure.
Same behavior on 2.4.1 and 2.5.1.
I tried to reproduce the problem with a smaller project and I think the problem is that the plugin is executed in every module. We have configured the plugin in the parent of a multi-module project and it is of course inherited in the modules.
As this has worked in the past, I guess there was a behavioral change from 2.2.0 to 2.4.1.
From the code, I see that every bom gets attached to the build (and of course deployed then later). I tried to disable inheritance like so:
<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.4.1</version>
    <inherited>false</inherited>
</plugin>
but it didn't work, so I guess this isn't the problem.
Could somebody have a look?
To reproduce: create a simple multi-module project. Add cyclonedx-maven-plugin with goal makeAggregateBom in the parent. Do a mvn clean install.
In my case this leads to the following output:
Reactor Build Order:
[INFO]
[INFO] test-cyclonedx-parent [pom]
[INFO] module-a [jar]
[INFO] module-b [jar]
[INFO]
[INFO] --------------< com.example.group:test-cyclonedx-parent >---------------
[INFO] Building test-cyclonedx-parent 0.0.1-SNAPSHOT [1/3]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ test-cyclonedx-parent ---
[INFO] Deleting /<somepath>/test-cyclonedx-parent/target
[INFO]
[INFO] --- cyclonedx-maven-plugin:2.5.1:makeAggregateBom (default) @ test-cyclonedx-parent ---
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /<somepath>/test-cyclonedx-parent/module-a/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /<somepath>/test-cyclonedx-parent/module-a/target/bom.json
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /<somepath>/test-cyclonedx-parent/module-b/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /<somepath>/test-cyclonedx-parent/module-b/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /<somepath>/test-cyclonedx-parent/module-b/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /<somepath>/test-cyclonedx-parent/module-b/target/bom.json
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /<somepath>/test-cyclonedx-parent/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /<somepath>/test-cyclonedx-parent/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /<somepath>/test-cyclonedx-parent/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /<somepath>/test-cyclonedx-parent/target/bom.json
[INFO]
[INFO] --- maven-install-plugin:2.4:install (default-install) @ test-cyclonedx-parent ---
[INFO] Installing /<somepath>/test-cyclonedx-parent/pom.xml to /<somepath>/repository/com/example/group/test-cyclonedx-parent/0.0.1-SNAPSHOT/test-cyclonedx-parent-0.0.1-SNAPSHOT.pom
[INFO] Installing /<somepath>/test-cyclonedx-parent/target/bom.xml to /<somepath>/repository/com/example/group/test-cyclonedx-parent/0.0.1-SNAPSHOT/test-cyclonedx-parent-0.0.1-SNAPSHOT-cyclonedx.xml
[INFO] Installing /<somepath>/test-cyclonedx-parent/target/bom.json to /<somepath>/repository/com/example/group/test-cyclonedx-parent/0.0.1-SNAPSHOT/test-cyclonedx-parent-0.0.1-SNAPSHOT-cyclonedx.json
[INFO]
Note that the plugin created files for the child modules; install, however, only copies the files from the parent. When the module is built shortly afterward:
[INFO] --- cyclonedx-maven-plugin:2.5.1:makeAggregateBom (default) @ module-a ---
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /<somepath>/test-cyclonedx-parent/module-a/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /<somepath>/test-cyclonedx-parent/module-a/target/bom.json
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /<somepath>/test-cyclonedx-parent/module-b/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /<somepath>/test-cyclonedx-parent/module-b/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /<somepath>/test-cyclonedx-parent/module-b/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /<somepath>/test-cyclonedx-parent/module-b/target/bom.json
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /<somepath>/test-cyclonedx-parent/module-a/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /<somepath>/test-cyclonedx-parent/module-a/target/bom.json
[INFO]
[INFO] --- maven-install-plugin:2.4:install (default-install) @ module-a ---
[INFO] Installing /<somepath>/test-cyclonedx-parent/module-a/target/module-a-0.0.1-SNAPSHOT.jar to /<somepath>/repository/com/example/group/module-a/0.0.1-SNAPSHOT/module-a-0.0.1-SNAPSHOT.jar
[INFO] Installing /<somepath>/test-cyclonedx-parent/module-a/pom.xml to /<somepath>/repository/com/example/group/module-a/0.0.1-SNAPSHOT/module-a-0.0.1-SNAPSHOT.pom
[INFO] Installing /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml to /<somepath>/repository/com/example/group/module-a/0.0.1-SNAPSHOT/module-a-0.0.1-SNAPSHOT-cyclonedx.xml
[INFO] Installing /<somepath>/test-cyclonedx-parent/module-a/target/bom.json to /<somepath>/repository/com/example/group/module-a/0.0.1-SNAPSHOT/module-a-0.0.1-SNAPSHOT-cyclonedx.json
[INFO] Installing /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml to /<somepath>/repository/com/example/group/module-a/0.0.1-SNAPSHOT/module-a-0.0.1-SNAPSHOT-cyclonedx.xml
[INFO] Installing /<somepath>/test-cyclonedx-parent/module-a/target/bom.json to /<somepath>/repository/com/example/group/module-a/0.0.1-SNAPSHOT/module-a-0.0.1-SNAPSHOT-cyclonedx.json
[INFO] Installing /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml to /<somepath>/repository/com/example/group/module-a/0.0.1-SNAPSHOT/module-a-0.0.1-SNAPSHOT-cyclonedx.xml
[INFO] Installing /<somepath>/test-cyclonedx-parent/module-a/target/bom.json to /<somepath>/repository/com/example/group/module-a/0.0.1-SNAPSHOT/module-a-0.0.1-SNAPSHOT-cyclonedx.json
[INFO]
Note that all files are created again and install now installs the same files (which later will lead to multiple deploys I assume).
If I use inherited = false, a mvn clean install fails with:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-install-plugin:2.4:install (default-install) on project module-a: Failed to install artifact com.example.group:module-a:xml:cyclonedx:0.0.1-SNAPSHOT: /<somepath>/test-cyclonedx-parent/module-a/target/bom.xml (No such file or directory)
Which is weird.
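A small checker for the symptom described in this issue, added here as an example and not part of the cyclonedx-maven-plugin project: it scans Maven install-phase log lines for a destination written more than once within the same module, which is exactly what a repository that forbids overwrites rejects at deploy time. The embedded log excerpt is constructed, and the regexes assume Maven's default "--- plugin:version:goal (id) @ module ---" and "Installing X to Y" line shapes.

```python
"""Flag duplicate artifact installs in a Maven build log (constructed example)."""
import re
from collections import Counter, defaultdict

# Matches Maven's mojo header, e.g.
# "--- maven-install-plugin:2.4:install (default-install) @ module-a ---"
PHASE_RE = re.compile(
    r"--- (?P<plugin>[\w.-]+):(?P<version>[\w.-]+):(?P<goal>\w+) "
    r"\([^)]*\) @ (?P<module>[\w.-]+) ---"
)
# Matches maven-install-plugin's "Installing <src> to <dst>" lines.
INSTALL_RE = re.compile(r"Installing (?P<src>\S+) to (?P<dst>\S+)$")


def duplicate_installs(log_lines):
    """Return {module: {destination: count}} for every destination that the
    install goal wrote more than once in the same module's build."""
    counts = defaultdict(Counter)
    module, in_install = None, False
    for line in log_lines:
        header = PHASE_RE.search(line)
        if header:
            module = header.group("module")
            in_install = header.group("goal") == "install"  # only count install phase
            continue
        if not in_install:
            continue
        hit = INSTALL_RE.search(line)
        if hit:
            counts[module][hit.group("dst")] += 1
    return {mod: {dst: n for dst, n in c.items() if n > 1}
            for mod, c in counts.items() if any(n > 1 for n in c.values())}


# Constructed log excerpt mirroring the module-a output quoted in the issue.
SAMPLE_LOG = """\
[INFO] --- cyclonedx-maven-plugin:2.5.1:makeAggregateBom (default) @ module-a ---
[INFO] CycloneDX: Creating BOM
[INFO] --- maven-install-plugin:2.4:install (default-install) @ module-a ---
[INFO] Installing /p/module-a/target/module-a-0.0.1-SNAPSHOT.jar to /r/module-a-0.0.1-SNAPSHOT.jar
[INFO] Installing /p/module-a/pom.xml to /r/module-a-0.0.1-SNAPSHOT.pom
[INFO] Installing /p/module-a/target/bom.xml to /r/module-a-0.0.1-SNAPSHOT-cyclonedx.xml
[INFO] Installing /p/module-a/target/bom.json to /r/module-a-0.0.1-SNAPSHOT-cyclonedx.json
[INFO] Installing /p/module-a/target/bom.xml to /r/module-a-0.0.1-SNAPSHOT-cyclonedx.xml
[INFO] Installing /p/module-a/target/bom.json to /r/module-a-0.0.1-SNAPSHOT-cyclonedx.json
[INFO] Installing /p/module-a/target/bom.xml to /r/module-a-0.0.1-SNAPSHOT-cyclonedx.xml
""".splitlines()

if __name__ == "__main__":
    for mod, dups in duplicate_installs(SAMPLE_LOG).items():
        for dst, n in dups.items():
            print(f"{mod}: {dst} installed {n} times")
```

Running it over a real `mvn install` log before `mvn deploy` gives an early, repository-independent signal that a later deploy would be rejected.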
I think this is caused by running the clean target in the same run. I had a similar issue, though removing clean seemed to fix the errors about missing bom.xml files.
I can reproduce the issue with a mvn project and also have a test case; however, I still need to work on having appropriate assertions to make it a "good" test.
While I do that, I have some questions:
- With a multi-module project with two empty modules, mvn clean install already runs into a problem. It is maybe unrelated, so should I rather create a new issue for that?
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-install-plugin:2.4:install (default-install) on project test-a: Failed to install artifact org.cyclonedx.maven:test-a:xml:cyclonedx:0.0.1-SNAPSHOT: <some_path>/cyclonedx-maven-plugin/target/maven-it/org/cyclonedx/maven/Issue111TestIT/test_makeAggregate_111/project/test-a/target/bom.xml (No such file or directory) -> [Help 1]
- I stumbled upon outputReactorProjects and I see this problem with the default setting. What behavior should be triggered by this in a multi-module project, when it is true or false?
@robertk3s I think this was resolved in #242. I'll likely be releasing the update later today.
@stevespringett I had a short look at the code from #242 and I think it makes sense to wait for your release and then test again. Fingers crossed, this might be fixed with that already.
So I did some testing and it looks like this has been fixed with the changes from #242. This issue can be closed - fixed with the 2.7.4 version.
Does it still make sense to add some IT tests?
IT tests have been added in src/it, using maven-invoker-plugin.