[maven] Look for BOM in the specified output location (SpringBoot 3.3.x compatibility) #1126

Closed
nekhtan opened this issue May 29, 2024 · 2 comments

Comments

@nekhtan
Contributor

nekhtan commented May 29, 2024

Hello,

The issue I'm facing is that when calling cdxgen with a custom output name and directory, the processing falls back to the dependency tree.

This occurs because SpringBoot 3.3.x defines a CycloneDX configuration (Maven plugin), and it seems it can't be overridden for my purpose (i.e. executing cdxgen on an external project, for which I can't alter the pom.xml).

I already opened a ticket on the SpringBoot side, but it seems to be tricky to handle it from their end.

To reproduce on any SpringBoot project (no matter the version):

export MVN_ARGS="-DprojectType=application -DincludeTestScope=false -DoutputName=application.cdx -DoutputDirectory=target/classes/META-INF/sbom"
cdxgen -o ./target/classes/META-INF/sbom/application.cdx.json --no-recurse

-> The SBOM generation succeeds but cdxgen seems to fail at retrieving the file (leading to a fallback on dependency tree)

The issue seems to be in the file path patterns used in index.js.

Would it be possible to look directly for the specified path?
Maybe something like:

bomJsonFiles = getAllFiles(path, options.output, options);

?

Thanks in advance for your help!

@nekhtan nekhtan changed the title Ensure compatibility with SpringBoot 3.3.x Look for BOM in the specified output location (SpringBoot 3.3.x compatibility) May 29, 2024
@nekhtan nekhtan changed the title Look for BOM in the specified output location (SpringBoot 3.3.x compatibility) [maven] Look for BOM in the specified output location (SpringBoot 3.3.x compatibility) May 29, 2024
@nekhtan
Contributor Author

nekhtan commented May 29, 2024

SpringBoot will release a fix in release 3.3.1, but it might still be relevant to use options.output? I'll let you guys decide what you want to do with this issue, but as far as I'm concerned it should be ok in a few weeks ;)

@prabhu
Collaborator

prabhu commented May 29, 2024

@nekhtan could you send a PR to change the pattern in this line to

bomJsonFiles = getAllFiles(path, "**/*{cdx,bom}*.json", options);
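
Added example, not part of the thread and not cdxgen's code: a simplified glob matcher showing which file names the pattern suggested above selects, including the path from the issue and an unrelated JSON file whose name happens to contain "bom". The matcher's semantics and every sample path except the first are assumptions made for illustration.

```javascript
// Simplified glob matching (assumptions: `*` never crosses "/", `**/` matches
// zero or more directories, `{a,b}` is alternation). This is not cdxgen's
// getAllFiles and it ignores dotfile and case-sensitivity options.
function escapeLiteral(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (glob.startsWith("**/", i)) {
      re += "(?:[^/]+/)*"; // zero or more directory segments
      i += 2;
    } else if (c === "*") {
      re += "[^/]*"; // any run of characters inside one path segment
    } else if (c === "{") {
      const end = glob.indexOf("}", i);
      if (end === -1) throw new Error("unbalanced brace in pattern");
      const alts = glob.slice(i + 1, end).split(",").map(escapeLiteral);
      re += "(?:" + alts.join("|") + ")";
      i = end;
    } else {
      re += escapeLiteral(c);
    }
  }
  return new RegExp("^" + re + "$");
}

function matchingFiles(pattern, relativePaths) {
  const re = globToRegExp(pattern);
  return relativePaths.filter((p) => re.test(p));
}

// Constructed sample paths, relative to the project directory.
const samplePaths = [
  "target/classes/META-INF/sbom/application.cdx.json", // path from the issue
  "target/bom.json",
  "bom.json",
  "target/application.cdx.xml", // wrong extension
  "target/classes/application.json", // no "cdx" or "bom" in the name
  "src/main/resources/bombardier-config.json", // unrelated, name contains "bom"
];

const PROPOSED = "**/*{cdx,bom}*.json";
console.log(matchingFiles(PROPOSED, samplePaths));
```

The pattern selects on file name only, so when more than one file matches it is worth confirming that the file picked up is the SBOM the build actually produced.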
